MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XFilesStealer


Vendor detections: 8



SHA256 hash: 506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c
SHA3-384 hash: c674f7856f1549a197ece31f7384fcf763bc0c5fdb6fd687396e76f1ba20ae1aa3669a504998a011e73b7c01ef54599f
SHA1 hash: 0a0a0b86ec7374efdbe2fc01254c962fa9c2243c
MD5 hash: 7944f1f915ea06c164cd7f94633f4b7a
humanhash: double-potato-florida-september
File name: PO#MP2218_potvrd 220623052GZU_170914140GZU-001_CDR V4 z3.exe
Signature XFilesStealer
File size: 717'312 bytes
First seen: 2022-07-26 16:15:59 UTC
Last seen: 2022-07-26 17:03:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep 12288:7kCyvdcmdFTjrcZYy/cdsoE4XkwxCcG9jGDWmRMJ9ZqMfa+0Y1k+PQR9w:7kf6mzriYy/cd7E6kidG9j4WmRnn+0Yr
Threatray 210 similar samples on MalwareBazaar
TLSH T1C6E4130BC8B40AF5C77061F7A6217592E3237201FE329278E7B93895E5F71794D462B2
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon d0c8c8c8ece4d2c8 (1 x XFilesStealer)
Reporter AndreGironda
Tags: CryptoWallets exe XFilesStealer


AndreGironda
MITRE T1566.001
Date: 25 Jul 2022 09:30-10:00 +0200
Received: from hvuxqgwo.hotdealsdigest.com (185.246.220.207)
From: MR. BEN- LIEN MAU LAM<purchase@hotdealsdigest.com>
Subject: Order#VMH#20181st
Message-ID: <20220725095851.9BF705DAEB62C209@hotdealsdigest.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_0DF69354.B04C1FD7"
Return-Path: purchase@hotdealsdigest.com
Attachment Name: VMH#20181.pdf
PDF SHA256: d1250e0fabac80419576c0ba507fdabc36a55b81252830a9bb8279f76a402613
Stage URL: hXXps://lorritroughton[.]com/AdobePdfViewer/neworder.lzh
Rarfile SHA256: 98e97d3da7fe6ba03c5951864cb7012e96320189d7a176b508ba2ea594a9523d
Uncompressed Executable Name: PO#MP2218_potvrd 220623052GZU_170914140GZU-001_CDR V4 z3.exe
Executable SHA256: 506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c
Unpacked Executable SHA256: 6d8250885b38619aef68f7ed7d7be6b862cf96e6c0c1e112a4d587aee2157155

Intelligence


File Origin
# of uploads :
2
# of downloads :
560
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph (ID 673689, sample started 26/07/2022, Windows, score 92): process-tree rendering omitted. Recoverable detail from the graph: the sample drops C:\Users\user\AppData\Local\PhotoStudio.exe (PE32+) together with its Zone.Identifier stream, starts powershell.exe and InstallUtil.exe, and the graph flags "Encrypted powershell cmdline option found", "Writes to foreign memory regions", "Modifies the context of a thread in another process (thread injection)" and "Injects a PE file into a foreign processes" against the initial process; the firefox.exe and chrome.exe contacts to Google and Mozilla infrastructure are sandbox browser activity, not sample C2.
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-07-26 16:16:09 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
19 of 26 (73.08%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
collection persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Unpacked files
SHA256 hash:
506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c
MD5 hash:
7944f1f915ea06c164cd7f94633f4b7a
SHA1 hash:
0a0a0b86ec7374efdbe2fc01254c962fa9c2243c

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

File information


The table below shows additional information about this malware sample such as delivery method and external references.

XFilesStealer

Executable exe 506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c (this sample)