MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88ee94120df5b82ab33c90066f12ea1729e00a99a7f5c794b4c75f4b04e1a55d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88ee94120df5b82ab33c90066f12ea1729e00a99a7f5c794b4c75f4b04e1a55d
SHA3-384 hash: c7a6f4b46b4a0bcd6284854c4a4971115930ce2c884db2d7b43a22161240b76256f8545f1ca2cc4450d0ab2345ce3fc5
SHA1 hash: 4c250b36b989f8db219e7dd2414aa351bfdb9e3b
MD5 hash: a51cfd750a3b0d1e0cff5fbf66cbfff2
humanhash: mike-network-hawaii-lion
File name:a51cfd750a3b0d1e0cff5fbf66cbfff2.exe
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:136'704 bytes
First seen:2022-06-13 07:03:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:g/1/hbVGL9IPDwsdPCLxmeLV0HLk8bgAp+hcx21NFBRgwS5wcReUe/saW4NECeeo:gNZbVZ9BuWYKpgj1HcixN1RtO
TLSH T1F8D3292BB74A19D7C1644638C4A3C3740262EE621970CD0B3FEC3E9FBD2A3452957A6D
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 71ccccb3b3cccc71 (3 x XFilesStealer, 2 x Metasploit)
Reporter abuse_ch
Tags:exe XFilesStealer


Avatar
abuse_ch
Payload URLs:
http://198.251.86.46/checkit2_Kvumzbvo.jpg
http://198.251.86.46/Plugin_1.plg

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a51cfd750a3b0d1e0cff5fbf66cbfff2.exe
Verdict:
No threats detected
Analysis date:
2022-06-14 00:15:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf5902c4-447a-4f0a-aa59-f9147f4aa528

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279227/
Detection(s):
Win.Malware.Msilzilla-9951127-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook
Link:
https://www.filescan.io/uploads/62a6e1694d1ff31e31bb59f4/reports/88890c80-05d4-414b-bdd4-f2023eb1e619/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ca59e41-e807-4fdf-84ab-b3bd7879028b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1012279
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 644773 Sample: hWjl0L86KY.exe Startdate: 13/06/2022 Architecture: WINDOWS Score: 76 21 Multi AV Scanner detection for domain / URL 2->21 23 Antivirus detection for URL or domain 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 2 other signatures 2->27 7 hWjl0L86KY.exe 14 2 2->7         started        process3 dnsIp4 19 198.251.86.46, 80 PONYNETUS United States 7->19 10 WerFault.exe 20 9 7->10         started        13 powershell.exe 17 7->13         started        process5 file6 17 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 10->17 dropped 15 conhost.exe 13->15         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88ee94120df5b82ab33c90066f12ea1729e00a99a7f5c794b4c75f4b04e1a55d/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 07:04:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
19
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdxjieqn6w4cvmz4sadg6exkc4u6acuzu724pffuy5puwbhbuvoq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220613-hvx6vaedbp/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
88ee94120df5b82ab33c90066f12ea1729e00a99a7f5c794b4c75f4b04e1a55d
MD5 hash:
a51cfd750a3b0d1e0cff5fbf66cbfff2
SHA1 hash:
4c250b36b989f8db219e7dd2414aa351bfdb9e3b
Link:
https://www.unpac.me/results/c946db01-6ae5-4d42-8735-9915ea3fda78/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88ee94120df5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88ee94120df5b82ab33c90066f12ea1729e00a99a7f5c794b4c75f4b04e1a55d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe 88ee94120df5b82ab33c90066f12ea1729e00a99a7f5c794b4c75f4b04e1a55d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2203952/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2204693/
Cape
Cape
https://www.capesandbox.com/analysis/279227/

Comments