MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c69decc448626e1aa6652d4a6e86899649eefd30190ff83d93f0daf36630e376. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XFilesStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments 1

SHA256 hash:	c69decc448626e1aa6652d4a6e86899649eefd30190ff83d93f0daf36630e376
SHA3-384 hash:	f80ca4acd81c36bbe95aa2355222aaaef387651b5ceb9ddf303d40d9d77d30f5fe77d9e393d893af02abe59bb1a3b319
SHA1 hash:	f40e5efb57c0d7ef89b26cfb9b9a9babac4bce11
MD5 hash:	1b394ca621cbcd4a4d55275258240004
humanhash:	crazy-georgia-river-michigan
File name:	1b394ca621cbcd4a4d55275258240004
Download:	download sample
Signature	XFilesStealer Create hunting rule
File size:	5'548'544 bytes
First seen:	2022-07-21 06:30:10 UTC
Last seen:	2022-07-23 02:45:27 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	98304:mROVCeYU95/+o/nxi+bPK94uKwb+E85KDuyFGE9t5mPk1qdT:mgVCpU9fVbq4rwnDwERms1qd
Threatray	1'946 similar samples on MalwareBazaar
TLSH	T1944622262F02D75EC6C4F6F46A122B84CA62FD583DEBCD2292F1A71D48747D421AD42F
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	6cc8c8f8f0f0e8cc (2 x XFilesStealer, 2 x AsyncRAT)
Reporter	zbetcheckin
Tags:	exe XFilesStealer

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293079/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.27929.8292.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file

Sending a custom TCP request

Enabling autorun

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62d8f2e980dba4f80a264259/reports/ba47c9c8-c77d-4f43-a7f3-2f3750a9b991/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/db59ef3a-c48f-4cac-99ab-7641bca25490

Result

Threat name:

Phoenix Miner

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1038386

Signature

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Phoenix Miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c69decc448626e1aa6652d4a6e86899649eefd30190ff83d93f0daf36630e376/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-07-21 06:31:17 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y2o6zrcimjxbvjtffvfg5bujsze657jqdeh7qpmt6dnpgzrq4n3a._file

Verdict:

malicious

XFilesStealer

2447933c7bf0db3f5bdcf7c901f4dd45f08267cbb5c5e4efe5f5a118195f0f86

XFilesStealer

389f5ad5330ae27ed43bc0b3f33cd1655a49365f0310e25fd35f6771824d009e

XFilesStealer

82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466

XFilesStealer

83a8442f2117669d14593780f08d70dce9ad99cfdf26b827cba2feacc856c49b

XFilesStealer

97261fee3b80f8396ae8c4c2522d7613b69b41644e5c8e03948aedf6778c3e42

XFilesStealer

9c069b3043b757ab5e67889b9f2820758ddb92823bf91678182d6386a16fd5ea

XFilesStealer

cd8096c2e2a3539c662ab68ca5a4067e58e053d345f5f040123efb0ef9ed5eb5

XFilesStealer

ce442fab80f616645429e47bededf88f2104476899a35952f70e1e31a21e734a

XFilesStealer

ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77

XFilesStealer

+ 1'936 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/220721-g92l5sdgfj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

c69decc448626e1aa6652d4a6e86899649eefd30190ff83d93f0daf36630e376

MD5 hash:

1b394ca621cbcd4a4d55275258240004

SHA1 hash:

f40e5efb57c0d7ef89b26cfb9b9a9babac4bce11

Link:

https://www.unpac.me/results/a4d8f249-e5ff-41cd-a7a4-56d610b1d105/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c69decc44862/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/c69decc448626e1aa6652d4a6e86899649eefd30190ff83d93f0daf36630e376

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.