MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 768e07081c36c61c7ca4cc6c996c99e128adb6d137ad5c4f15f14edd17e492ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 768e07081c36c61c7ca4cc6c996c99e128adb6d137ad5c4f15f14edd17e492ca
SHA3-384 hash: d47531b9a6e5710623fb6bf76f7c0db7184ae37b4a6bbbe0ee954def1b4ebf3c3b46d782049ed58ae4c5f758c12cdd22
SHA1 hash: ac1dcdd9ecf85e0fa25d4fb791a12ca9e4149b43
MD5 hash: fed6e1758c8efb76b92d92cbd9388ba9
humanhash: april-william-johnny-tennis
File name:Order #5108 New Romana General Trading New Qo182013 Port 301734801 3811.exe
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:790'528 bytes
First seen:2022-07-27 09:21:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:mv1SSL2ueQL+zFE4ma21xNzMPwPrhXMwXG0zOEpmVQ/5om4D7wQC:mv1S0Fgun1UwTBMEGWpve77C
Threatray 2'766 similar samples on MalwareBazaar
TLSH T190F4F171DE115D09C8CA6A74F23D88788F032C86D420A951348EBB3BBAFA7E75453F56
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 7e66e6f6f6fed6c4 (1 x XFilesStealer)
Reporter lowmal3
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
qwe.exe
Verdict:
No threats detected
Analysis date:
2022-07-27 11:59:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/85bc47ca-da57-41a6-845d-072bdcbf3662

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294573/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e10438cfc305167690b18b/reports/b232dfe7-6b94-469f-a33d-f000d0eb0f27/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2193ad7-db76-4af3-b128-0b07c5654f80
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1041713
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Performs DNS queries to domains with low reputation
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/768e07081c36c61c7ca4cc6c996c99e128adb6d137ad5c4f15f14edd17e492ca/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-07-27 09:22:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
13
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2haoca4g3dby7fezrwjs3ez4euk3nwrg6wvytyv6fhn2f7eslfa._file
Verdict:
malicious
Similar samples:
15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb
XFilesStealer
1830470750bacb8b958d0293253d4e02b405fbf381266816d2bc93f92f6aa416
XFilesStealer
3d5194f12c6b21b79d636f65e29f308aad0bfdd1cd7e00c54cb8488b1867ff9f
XFilesStealer
3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
XFilesStealer
566525c61d64c378c99f59da573aa7712061bad58bbda3fb6b58842184e88f3a
XFilesStealer
5a94c5fee27b53c98286774dddf29892ee25e6326e1db3e22db264766af39889
XFilesStealer
6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547
XFilesStealer
b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86
XFilesStealer
cbab4cfcbca79f53ed3faf1ea4fc48270b44c50529a96698c3b5ab250e438454
XFilesStealer
+ 2'756 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence
Link:
https://tria.ge/reports/220727-lbw18acdcr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
768e07081c36c61c7ca4cc6c996c99e128adb6d137ad5c4f15f14edd17e492ca
MD5 hash:
fed6e1758c8efb76b92d92cbd9388ba9
SHA1 hash:
ac1dcdd9ecf85e0fa25d4fb791a12ca9e4149b43
Link:
https://www.unpac.me/results/36cb87be-99a8-4654-8c87-60bfe1fc8ee0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/768e07081c36/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XFilesStealer

Executable exe 768e07081c36c61c7ca4cc6c996c99e128adb6d137ad5c4f15f14edd17e492ca

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/294573/

Comments