MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84593214cf03bcbf99902c1d49f90969723e0690b36c5b01866c481b7ec04aca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84593214cf03bcbf99902c1d49f90969723e0690b36c5b01866c481b7ec04aca
SHA3-384 hash: fe676fa7cd59f21407f5d075dd6188bd8f8410e4d6986d11aed90aab90a0961bfbb873152fb723770d34614840c44a0f
SHA1 hash: ba5f19d6940f2e9a83700ac399259082f7377198
MD5 hash: 33c6ce7ddcd80dafa84ceea07941db87
humanhash: don-uranus-hotel-may
File name:33c6ce7ddcd80dafa84ceea07941db87
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:339'456 bytes
First seen:2022-07-04 20:14:25 UTC
Last seen:2022-07-14 06:13:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:Hdc3u37Tk7/X8039vj78ca+sThCDnbidVQ+c6KyQW4zbv7x:H9c4hybh+tKyQWUvx
Threatray 123 similar samples on MalwareBazaar
TLSH T1B974390A3644DB12D6A825B6C0EF552003F4AEC76373E3AA7F8933ED05527E75C4A58E
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39917530.28394.23193.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62c34a4b783441cda1057363/reports/43b4f767-18ab-4657-af3c-a3b86b1ceecb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/896658fa-7d36-417c-ab44-829efc317190
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1024430
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84593214cf03bcbf99902c1d49f90969723e0690b36c5b01866c481b7ec04aca/
Threat name:
Win64.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-07-01 04:46:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrmtefgpao6l7gmqfqout6ijnfzd4buqwnwfwamgnrebw7wajlfa._file
Verdict:
malicious
Similar samples:
149e45d691c1504ee820a8e8473be7d2eeb6eb840cb372052b2187b7dd4d34d2
XFilesStealer
1af23919d3e943f51b279e81dd75b9005ed22e550817e5e76eef825864e600d3
XFilesStealer
6f7f2ea8d98aa55fdeacc91fdbe55edd4ad238ee0cbc55b98058411e6f9568ea
XFilesStealer
75bc87dafaa424cba64308b349fc324d263e2a3e267c59962a79da9005caafb4
XFilesStealer
a95dc0b5b3f5c4346729e1e45c7d5d69736b273e9b5ef4187326c973d463d55c
XFilesStealer
b8d830e69afacfd57973b41a3a9f85aa7026ca93b829098b1d82b718c4df3761
XFilesStealer
c4d429efd24ae3380efb7e78fb6939ba858836bad9ebebf5cb92e399202eddad
XFilesStealer
f9911b3afb169b55efa561019120d2a33ba6b1485fe70e16a70833725b6a3242
XFilesStealer
+ 113 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220704-y1keyaahgp/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
84593214cf03bcbf99902c1d49f90969723e0690b36c5b01866c481b7ec04aca
MD5 hash:
33c6ce7ddcd80dafa84ceea07941db87
SHA1 hash:
ba5f19d6940f2e9a83700ac399259082f7377198
Link:
https://www.unpac.me/results/ea062b52-fb94-4305-b1d7-0bc8aed1d91e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe 84593214cf03bcbf99902c1d49f90969723e0690b36c5b01866c481b7ec04aca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2253929/

Comments


Avatar
zbet commented on 2022-07-04 20:14:27 UTC

url : hxxp://srv36079100.ultasrv.com/qRYTi.exe