MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37b5363f6fd3b54a4498c1c585affd25f5a719ec552e91f4e1243ed344fd4575. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37b5363f6fd3b54a4498c1c585affd25f5a719ec552e91f4e1243ed344fd4575
SHA3-384 hash: 7bd06e92f5623dba096787d24326e6dc9f92f8487668b39ecf3756b6ec034113340603baa969a701faf78929237ba920
SHA1 hash: 4c4e724aad72aabe47078676727fd9a87028a896
MD5 hash: 4747e01a4d59ab86ad2d66a0325c9fc8
humanhash: six-colorado-river-october
File name:4747e01a4d59ab86ad2d66a0325c9fc8.exe
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:144'896 bytes
First seen:2022-06-13 07:01:56 UTC
Last seen:2022-06-13 07:59:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:Rib1iSiBV+wDHkZ1S6qTGEJ+yInYbM1vGwkUzyqBeZ1kAFL+eoPXMauCFE1/lBKL:ob1j+bdgQ6UPRk21+
Threatray 1'571 similar samples on MalwareBazaar
TLSH T197E392C688C95224CD695F30E1766D76886BBFAEBCBCB6CD5898B04173B35C6443D02B
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 133168d4b8c47031 (1 x XFilesStealer)
Reporter abuse_ch
Tags:exe XFilesStealer


Avatar
abuse_ch
Payload URL:
http://nkai.xyz/loader/uploads/gpi_Cqeqmqwr.png

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4747e01a4d59ab86ad2d66a0325c9fc8.exe
Verdict:
No threats detected
Analysis date:
2022-06-14 00:18:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/541398e4-0375-47d2-aa23-c54d8962bebf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279226/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Seraph.ac.29072.17378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62a6e10d73b91c38f689a603/reports/8f89367e-63b2-4bdf-bb21-b3a8f0c4156f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05a65c7e-5fbe-4771-9d3b-5fd8b2b75974
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1012280
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37b5363f6fd3b54a4498c1c585affd25f5a719ec552e91f4e1243ed344fd4575/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 06:59:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
10
AV detection:
14 of 26 (53.85%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g62tmp3p2o2uureyyhcyll75ex22ogpmkuxjd5hbeq7ngrh5iv2q._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
024cb5cb433bfd8e1b5e55016311bd477800b58b662fbaea35af605669c61fa4
XFilesStealer
10e99d11d9ed11e37500314f9f524479b3e8968f7beea0b2566624050399adc9
XFilesStealer
26d1b14da4e5e82608707edbf63898980ab785fa4449980fc226b791debb7c42
XFilesStealer
3cc00430404164c201c89470c9e8c1d7cafdbecc8b32a17fab2db324bd26766a
XFilesStealer
5709889cc5a51103dc51728d8d21d9ec6c22ff269e74c7a674d3a160ed0bf2cc
XFilesStealer
93662b291b5761666387300a091facaf06d89cb6417c713ae09e9696b5bb34b2
XFilesStealer
c25d169ffffb762f002d4f6bfe9fda71abfbc60baec3f1d3d813b81a84af0c26
XFilesStealer
e9526e4a2f2aeea4a7e29d1406e1121e969d3afde857188a5dbe5dc145f3245d
XFilesStealer
+ 1'561 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220613-htsvqsedar/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Unpacked files
SH256 hash:
37b5363f6fd3b54a4498c1c585affd25f5a719ec552e91f4e1243ed344fd4575
MD5 hash:
4747e01a4d59ab86ad2d66a0325c9fc8
SHA1 hash:
4c4e724aad72aabe47078676727fd9a87028a896
Link:
https://www.unpac.me/results/6b3a0052-1379-4f11-bbb7-445dc3f924ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37b5363f6fd3b54a4498c1c585affd25f5a719ec552e91f4e1243ed344fd4575

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe 37b5363f6fd3b54a4498c1c585affd25f5a719ec552e91f4e1243ed344fd4575

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2233009/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/279226/

Comments