MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74fcc86067e7881064261379466dd8431c32358aa1ffac63d263ea81312cff0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XFilesStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	74fcc86067e7881064261379466dd8431c32358aa1ffac63d263ea81312cff0b
SHA3-384 hash:	5ec228df811f5268e40186dfaa01beb1c10a3a7e3ef6f527000258d6d2e9b81864ab8515db0e6a24e6f2de4141c1327d
SHA1 hash:	761fe0b6ee4720dc1d23bb76c28502a460f69c6d
MD5 hash:	2d4a9667829db19e01418505f8b6456f
humanhash:	east-neptune-ack-diet
File name:	2d4a9667829db19e01418505f8b6456f
Download:	download sample
Signature	XFilesStealer Create hunting rule
File size:	27'339'264 bytes
First seen:	2022-07-23 04:01:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	393216:JN0ZDz8/t+8JPYAoyUZlKt9Stjsiy8N3ycDQlB5v3DkJwPetW1aMWkrgi9OY6x/Z:JiRA/tZPyyO8ic8NlDQfetW1au9uxh
Threatray	181 similar samples on MalwareBazaar
TLSH	T157573351288A9FA3F0D260729BE26F753FCA589F766963686810059DFD33D18F13B348
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	70c4cad696d6f871 (1 x zgRAT, 1 x XFilesStealer, 1 x CoinMiner)
Reporter	openctibr
Tags:	exe OpenCTI.BR Sandboxed XFilesStealer

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Creating a file

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62db72c60e298a94f3f12f25/reports/ec514a92-8f7e-4212-8686-386ee723248b/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1039613

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Creates an undocumented autostart registry key

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-07-22 08:33:53 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ot6mqydh46ebazbgcn4um3oyimodenmkuh72yy6smpvicmjm74fq._file

Verdict:

malicious

XFilesStealer

150d21ebf144edea3f56e4a527d2e80458807e0f354d5c9e9b268aded72a2ce0

XFilesStealer

1b9c9b834da58ea5a48a29ecb1fa94be9745a48484417ff2caf6ed70f1a50cbd

XFilesStealer

1e555c2e46ef544275b0a6e1568bc51ec55bb875d6eb939f517d4d21fcf37449

XFilesStealer

2c8f1f62d57e6d36c840fc24c6366d5ddc4f5084c0ba6abfa8a5db059c7cce3b

XFilesStealer

56592952894bf0d4b991d0bac813dab7d21517c5c0c79cce2faf8a50383cc3bf

XFilesStealer

aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48

XFilesStealer

b7bf04a5d5d14c38358fb28f8e2453bf45926684769ad6a79a4bf110d8587af5

XFilesStealer

db35c1b2866001a5054d699b34dd9b6f8cf6aa8e7d3050facd237fb2633aad65

XFilesStealer

f234a3861371763fb293ba38d6a5cc82b0af13ce03ba676d3a229c9f30fbd85d

XFilesStealer

+ 171 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220723-elsm8acbaq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/74fcc86067e7881064261379466dd8431c32358aa1ffac63d263ea81312cff0b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

exe 74fcc86067e7881064261379466dd8431c32358aa1ffac63d263ea81312cff0b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2237324/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample