MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4546d19839b78710e9a07fdfd401fedf28383c7e12ea7d216837b5a76819d35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4546d19839b78710e9a07fdfd401fedf28383c7e12ea7d216837b5a76819d35
SHA3-384 hash: d8e583bda4d53f96ad5cd0239c0a71257265e7a559db9f36a6218c59c061e7874b8a2d76582b2a7aa915f467eb45eb7b
SHA1 hash: 79a0f7f6256e85c485cd090c6e767e084a81edbf
MD5 hash: 5ac4db2f6181bd89459bffbe040e9f34
humanhash: stream-carolina-mobile-venus
File name:5ac4db2f6181bd89459bffbe040e9f34
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:5'353'472 bytes
First seen:2022-07-31 15:06:43 UTC
Last seen:2022-07-31 16:03:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:KlP/I+xDGw28YWFF3HOC0hhJtQyhyjAcsXqKGsbhCCS0XEP8PoKxl02HN:SHxxDGSY/PhejAZxGYCL0XEPe08
TLSH T10F46337B33381154E8A8CEB89CD162CCFB57DC9482560FA7867478E37D6ADE698408E1
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 28e8d4e2c4c0c504 (1 x XFilesStealer)
Reporter zbetcheckin
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
386
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295384/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.1498.11469.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file
Sending a custom TCP request
Enabling autorun
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e69b125c07b66577e133e9/reports/def6273e-7422-472f-9edb-0f9fee814050/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b06bf03f-8a95-4cd9-9ac2-634085dd06be
Result
Threat name:
Phoenix Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043810
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Phoenix Miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4546d19839b78710e9a07fdfd401fedf28383c7e12ea7d216837b5a76819d35/
Threat name:
Win64.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-07-31 15:07:15 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
21
AV detection:
16 of 25 (64.00%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rkg2gmdtn4hcdu2a7672qa75xziha6h4exkpuqwqn5vu5ubtu2q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220731-shavwshfaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
e4546d19839b78710e9a07fdfd401fedf28383c7e12ea7d216837b5a76819d35
MD5 hash:
5ac4db2f6181bd89459bffbe040e9f34
SHA1 hash:
79a0f7f6256e85c485cd090c6e767e084a81edbf
Link:
https://www.unpac.me/results/ec609b01-92d4-4e37-a36f-e43828f57d08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/e4546d19839b78710e9a07fdfd401fedf28383c7e12ea7d216837b5a76819d35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe e4546d19839b78710e9a07fdfd401fedf28383c7e12ea7d216837b5a76819d35

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2263267/
Cape
Cape
https://www.capesandbox.com/analysis/295384/

Comments


Avatar
zbet commented on 2022-07-31 15:06:46 UTC

url : hxxp://141.98.6.236/TikTok-Bot/Ryesfzsg-TikTiok-4.exe