MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d21044ef9c5f4c70e95e97da7a3bc47a775c698bb6025b169c5efb8b4cdd7647. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d21044ef9c5f4c70e95e97da7a3bc47a775c698bb6025b169c5efb8b4cdd7647
SHA3-384 hash: 63b5bbade27e507a54e77e9a9cf01ebb7e4eb659febe16b3494e0906d057846e00306ddf3cb122e1a86648de6474271c
SHA1 hash: 4e16911665d23e288f3ec2ef8c4b34bdbe9a178f
MD5 hash: d14d39186eb9c07ce8b748e4071a226b
humanhash: music-angel-december-batman
File name:d14d39186eb9c07ce8b748e4071a226b.exe
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:6'605'312 bytes
First seen:2022-06-17 09:25:52 UTC
Last seen:2022-06-17 09:49:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:0DILJ34rcr3GKxdFsabdvKRh0QSZG1WWEJIPy0c3vn10k/:0014Yr3h0a69S0HEycv1l
TLSH T123660252B6429C55EEEA0331F0B5EF3883F57A43A6E9E41F5DCC1E4625B6784B82108F
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280919/
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
anti-vm obfuscated
Link:
https://www.filescan.io/uploads/62ac48f5745ae0fa14f34582/reports/29ee0d04-9365-4503-bfb2-1307eae7a179/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3412248d-e657-4e96-9c91-47a9847070c0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1015045
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d21044ef9c5f4c70e95e97da7a3bc47a775c698bb6025b169c5efb8b4cdd7647/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-06-17 09:26:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2iiej344l5ghb2k6s7nhuo6epj3vy2mlwybfwfu4l35ywtg5ozdq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220617-ld69zadhc4/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
d21044ef9c5f4c70e95e97da7a3bc47a775c698bb6025b169c5efb8b4cdd7647
MD5 hash:
d14d39186eb9c07ce8b748e4071a226b
SHA1 hash:
4e16911665d23e288f3ec2ef8c4b34bdbe9a178f
Link:
https://www.unpac.me/results/3e294eef-1eb4-4d95-881d-de28adf9a7e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d21044ef9c5f4c70e95e97da7a3bc47a775c698bb6025b169c5efb8b4cdd7647

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe d21044ef9c5f4c70e95e97da7a3bc47a775c698bb6025b169c5efb8b4cdd7647

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2241991/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/280919/

Comments