MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43ee5af4735f3d6648af01c0d51c0710a772a94d51529603c3050e68fd6dae23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43ee5af4735f3d6648af01c0d51c0710a772a94d51529603c3050e68fd6dae23
SHA3-384 hash: 0a2b94f2d792b5cd43b1a3ba006d5caca46c28dfaa7e712a91680fe2866039714513e3814dc2d25ea88493f5da578bb9
SHA1 hash: a7be9c501b4fde847f95584cd3219a3c780a8f85
MD5 hash: e1065e97ba77a3feab4eb8dcd1bcf03e
humanhash: lactose-wisconsin-oregon-rugby
File name:e1065e97ba77a3feab4eb8dcd1bcf03e.exe
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:137'728 bytes
First seen:2022-06-11 12:37:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:1CP5/4GL9IPDwtdPCLxmeLV0HLk8bgAp+hcx21NFBRGwSZwcReUe/sAW4NEjeeeo:1u5/4Z8BuWYKpgjnDciTNkRtp
Threatray 1'865 similar samples on MalwareBazaar
TLSH T198D3192BA74A19D7C1A44638C4A7C3790262EE631970C90B3FEC3E5FBD3A3442957A5D
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 71ccccb3b3cccc71 (3 x XFilesStealer, 2 x Metasploit)
Reporter abuse_ch
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e1065e97ba77a3feab4eb8dcd1bcf03e.exe
Verdict:
No threats detected
Analysis date:
2022-06-11 12:40:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/46f64d12-c890-4fee-9d49-22b791ba851f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278910/
Detection(s):
Win.Malware.Msilzilla-9951127-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Forced system process termination
Sending an HTTP GET request
Creating a window
Running batch commands
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62a48caea454cbb2f2f28a7c/reports/5e37b5d9-f739-4d8e-a027-bb50d62b7442/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f5572fa-d23f-4410-9a90-33b9da31ee8a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1011331
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 643825 Sample: WlsVJAaBjZ.exe Startdate: 11/06/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Multi AV Scanner detection for domain / URL 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 6 other signatures 2->40 7 WlsVJAaBjZ.exe 14 7 2->7         started        process3 dnsIp4 30 198.251.86.46, 49761, 80 PONYNETUS United States 7->30 26 C:\Users\user\AppData\Roaming\...\cloud.exe, PE32+ 7->26 dropped 28 C:\Users\user\AppData\...\WlsVJAaBjZ.exe.log, ASCII 7->28 dropped 42 Creates an undocumented autostart registry key 7->42 44 Writes to foreign memory regions 7->44 46 Modifies the context of a thread in another process (thread injection) 7->46 48 2 other signatures 7->48 12 InstallUtil.exe 2 7->12         started        16 cmd.exe 1 7->16         started        18 powershell.exe 25 7->18         started        file5 signatures6 process7 dnsIp8 32 185.157.161.245, 8080 OBE-EUROPEObenetworkEuropeSE Sweden 12->32 50 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->52 20 conhost.exe 16->20         started        22 timeout.exe 1 16->22         started        24 conhost.exe 18->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43ee5af4735f3d6648af01c0d51c0710a772a94d51529603c3050e68fd6dae23/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-06-11 03:30:40 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
19
AV detection:
9 of 40 (22.50%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ipxfv5dtl46wmsfpahankhahcctxfkknkfjjma6dauhgr7lnvyrq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f
XFilesStealer
15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb
XFilesStealer
33ad97412d0ea51dd14c970ea67a92b237b28de04add5ecc3f64f9696fb3ed1c
XFilesStealer
770baec4d4ea7b2b87c117cf09c9b5b3263e827b8d449b35a35a9e03aac6d362
XFilesStealer
81f87505081c9fae48db9fc5098b1799c95b92ce2f0094fc69885a176651775b
XFilesStealer
989d751b53b8c3d3d57111fe727904298f8723cab3b656db6da4bacfd9a2ed18
XFilesStealer
9ec8fb4ace7504bd52aedc9f4ff87af83e90b6db1a4642eedde78ff612e1e25f
XFilesStealer
aacb32e6d8717a1aa7836996f0b6388bffba81978d0d4753cc69c0c56d9beb47
XFilesStealer
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
XFilesStealer
+ 1'855 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220611-pt2k7safc3/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
43ee5af4735f3d6648af01c0d51c0710a772a94d51529603c3050e68fd6dae23
MD5 hash:
e1065e97ba77a3feab4eb8dcd1bcf03e
SHA1 hash:
a7be9c501b4fde847f95584cd3219a3c780a8f85
Link:
https://www.unpac.me/results/11db3d8c-ed9b-42f8-96d9-51ae81eb89e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43ee5af4735f3d6648af01c0d51c0710a772a94d51529603c3050e68fd6dae23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe 43ee5af4735f3d6648af01c0d51c0710a772a94d51529603c3050e68fd6dae23

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2204693/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2203952/
Cape
Cape
https://www.capesandbox.com/analysis/278910/

Comments