MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d8250885b38619aef68f7ed7d7be6b862cf96e6c0c1e112a4d587aee2157155. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d8250885b38619aef68f7ed7d7be6b862cf96e6c0c1e112a4d587aee2157155
SHA3-384 hash: c7631d0930fe6d62428279058b2bcd73d553f398b20632ad1af627f1bf7437ac8aa4ec668901232af304dff50ef1e6f2
SHA1 hash: 41befeee0ce1b1cc868dbc3657bed6c834099f04
MD5 hash: b268634676f1cf50e5a38053ca23577b
humanhash: pip-sierra-dakota-minnesota
File name:Rnfgfje.exe
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:120'832 bytes
First seen:2022-07-26 16:15:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:qLTJcjaVWOqbT4cb7FWbKAENnCuKT3erw+uBUX+hHgp:iFcjambTn7cjWnETOrw+u2X+
TLSH T15DC34A4677D98B63C7849576C0D3511403F9E1EBABB2E70A7E8413762E833E19E11BCA
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter AndreGironda
Tags:CryptoWallets exe XFilesStealer


Avatar
AndreGironda
MITRE T1566.001
Date: 25 Jul 2022 09:30-10:00 +0200
Received: from hvuxqgwo.hotdealsdigest.com (185.246.220.207)
From: MR. BEN- LIEN MAU LAM<purchase@hotdealsdigest.com>
Subject: Order#VMH#20181st
Message-ID: <20220725095851.9BF705DAEB62C209@hotdealsdigest.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_0DF69354.B04C1FD7"
Return-Path: purchase@hotdealsdigest.com
Attachment Name: VMH#20181.pdf
PDF SHA256: d1250e0fabac80419576c0ba507fdabc36a55b81252830a9bb8279f76a402613
Stage URL: hXXps://lorritroughton[.]com/AdobePdfViewer/neworder.lzh
Rarfile SHA256: 98e97d3da7fe6ba03c5951864cb7012e96320189d7a176b508ba2ea594a9523d
Uncompressed Executable Name: PO#MP2218_potvrd 220623052GZU_170914140GZU-001_CDR V4 z3.exe
Executable SHA266: 506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c
Unpacked Executable SHA256: 6d8250885b38619aef68f7ed7d7be6b862cf96e6c0c1e112a4d587aee2157155

Intelligence

File Origin
# of uploads :
1
# of downloads :
527
Origin country :
n/a
Vendor Threat Intelligence
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/294416/
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay
Link:
https://www.filescan.io/uploads/62e013d7414e84a7fa0db017/reports/21f15c37-3b92-49cd-87d2-7d8dc08fc277/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9435b01b-dc7b-4182-807d-62f60b239857
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1041243
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d8250885b38619aef68f7ed7d7be6b862cf96e6c0c1e112a4d587aee2157155/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nwbfbcc3hbqzv33i67wx267gxbrm7fxgyda6ceve2wd25yqvofkq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220726-tqslcaefe5/
Unpacked files
SH256 hash:
6d8250885b38619aef68f7ed7d7be6b862cf96e6c0c1e112a4d587aee2157155
MD5 hash:
b268634676f1cf50e5a38053ca23577b
SHA1 hash:
41befeee0ce1b1cc868dbc3657bed6c834099f04
Link:
https://www.unpac.me/results/6d3fe7be-0214-4e2e-8545-32c5b6b7731f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

XFilesStealer

Executable exe 506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c

XFilesStealer

Executable exe 6d8250885b38619aef68f7ed7d7be6b862cf96e6c0c1e112a4d587aee2157155

(this sample)

  
Dropped by
SHA256 506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c
Cape
Cape
https://www.capesandbox.com/analysis/294416/
  
Dropped by
MD5 7944f1f915ea06c164cd7f94633f4b7a

Comments