MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 717b0a5c0ceaaa9a92fb83fd64126d996451fb8394372b75d414e8817af88c4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 717b0a5c0ceaaa9a92fb83fd64126d996451fb8394372b75d414e8817af88c4b
SHA3-384 hash: 93a1b168e184113b9bd804df1e821e716a9d32961af92d68364ad9d47a79cadbe7eab566841f4e0f554ad33226757c57
SHA1 hash: 57cd28b06572e3025a496591ef98859b1165fd51
MD5 hash: b56eff45fc6863c00cf799c4a4846dfb
humanhash: mike-muppet-pizza-vermont
File name:b56eff45fc6863c00cf799c4a4846dfb
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:578'560 bytes
First seen:2022-06-11 13:37:43 UTC
Last seen:2022-07-15 03:14:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:sfYrPAGJdCbQxl04l5ajUngXBktEofkiJzwV30VDwGGq:sBGJIQrlxjEEkizw2f
Threatray 34 similar samples on MalwareBazaar
TLSH T1A9C47C283A9C9C06D1CE43B8D88350B145A3FC13695EE78BB5D9BF5B3A3139DC90664E
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f0cc8e5596b2b2e0 (1 x XFilesStealer)
Reporter zbetcheckin
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
4
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b56eff45fc6863c00cf799c4a4846dfb
Verdict:
No threats detected
Analysis date:
2022-06-11 13:48:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b0fb408-3cc0-479b-8f85-17fe58332c7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278920/
Detection(s):
SecuriteInfo.com.Malware.AI.3928851432.17934.10872.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a49af78763ffd4adb3b436/reports/06184a53-7a35-4f38-b99a-21bad7496cf2/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97b31163-10d6-48e6-a31d-1f6225124475
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1011362
Signature
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 643858 Sample: S33cq0SUU2 Startdate: 11/06/2022 Architecture: WINDOWS Score: 56 17 Multi AV Scanner detection for submitted file 2->17 19 Detected VMProtect packer 2->19 21 Machine Learning detection for sample 2->21 6 S33cq0SUU2.exe 3 2->6         started        process3 dnsIp4 15 192.168.2.1 unknown unknown 6->15 9 powershell.exe 22 6->9         started        11 powershell.exe 23 6->11         started        13 conhost.exe 6->13         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/717b0a5c0ceaaa9a92fb83fd64126d996451fb8394372b75d414e8817af88c4b/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=of5quxam5kvjvex3qp6wietntfsfd64dsq3sw5ouctuic6xyrrfq._file
Verdict:
unknown
Similar samples:
1a9f295b36345c3dda2d55321ec7584c20573c7aa9dc3825b332fdcdf2f94305
XFilesStealer
281ca3e54eb8ab778b6675e367989a8672d16d4593a6e50f94044ee0f98e209b
XFilesStealer
8d0839a6710bb4300081bc7502826a403c693a90349c2af945ab464c372a8184
XFilesStealer
95d7eca3a8e15537e6d6205da5441735897e21f39e6f0958338226e75a6961c8
XFilesStealer
d447b892b3a86c24049ef7d69b92bf8ae770eb661fe8b02b168ef86f95339068
XFilesStealer
e6e790f409e5451fc14ffd3da64747f49b17ba9b32b2b3effbba9a6597c88bfb
XFilesStealer
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/220611-qxcxpabaa6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
VMProtect packed file
Unpacked files
SH256 hash:
717b0a5c0ceaaa9a92fb83fd64126d996451fb8394372b75d414e8817af88c4b
MD5 hash:
b56eff45fc6863c00cf799c4a4846dfb
SHA1 hash:
57cd28b06572e3025a496591ef98859b1165fd51
Link:
https://www.unpac.me/results/d7423b15-a1c0-4d10-9128-241fa9681026/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/717b0a5c0ceaaa9a92fb83fd64126d996451fb8394372b75d414e8817af88c4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe 717b0a5c0ceaaa9a92fb83fd64126d996451fb8394372b75d414e8817af88c4b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2234183/
Cape
Cape
https://www.capesandbox.com/analysis/278920/

Comments


Avatar
zbet commented on 2022-06-11 13:37:54 UTC

url : hxxp://devgamingfr.com/tool2/ACD/ApexLegit.exe