MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1cb6084ac66c0a7fc1371aebf60cf361b70e3882d5a7da33e24fae720094b3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1cb6084ac66c0a7fc1371aebf60cf361b70e3882d5a7da33e24fae720094b3a
SHA3-384 hash: 6a296550b2d640c3dc4d54bc972e2df2a8f520650a3822bb4e201005e174390cc7157d018d4e8ef28714071d8bcf76ee
SHA1 hash: 0e01a401a99876fddd8a2cdc6b8de9600c8565d4
MD5 hash: 9907569cbe56ec0eb5a27e29e65ab4d9
humanhash: kitten-black-oven-hotel
File name:9907569cbe56ec0eb5a27e29e65ab4d9.exe
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:2'046'464 bytes
First seen:2022-07-21 19:35:18 UTC
Last seen:2022-07-22 10:39:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:G6CjgPgQ2pMPStAiEgHh28X5Y0JYcXsxaK2:MEo/tCgBpY0PXc2
Threatray 27 similar samples on MalwareBazaar
TLSH T14F9533BB415050D9F0DEB7F301BA72506B15FF02AC7C62D07AA4331E9E75A36865E3A8
TrID 59.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
7.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293252/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.86787.29760.25873.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26957/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/62d9ab27ef2b0e63a82e8ccf/reports/0ac28b21-f766-44f4-8cdf-12b8a10531cd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3fc4e31-cb50-49bf-a463-60ebf6657ffb
Result
Threat name:
BitCoin Miner, SilentXMRMiner, Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1038860
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 671354 Sample: PXGtY5FsPu.exe Startdate: 21/07/2022 Architecture: WINDOWS Score: 100 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected SilentXMRMiner 2->53 55 3 other signatures 2->55 11 PXGtY5FsPu.exe 2->11         started        14 winsyscfg32.exe 2->14         started        process3 signatures4 73 Writes to foreign memory regions 11->73 75 Allocates memory in foreign processes 11->75 77 Creates a thread in another existing process (thread injection) 11->77 16 conhost.exe 6 11->16         started        79 Antivirus detection for dropped file 14->79 81 Multi AV Scanner detection for dropped file 14->81 19 conhost.exe 2 14->19         started        process5 file6 43 C:\Users\user\Windows\winsyscfg32.exe, PE32+ 16->43 dropped 45 C:\Users\...\winsyscfg32.exe:Zone.Identifier, ASCII 16->45 dropped 21 cmd.exe 1 16->21         started        23 cmd.exe 1 16->23         started        process7 signatures8 26 winsyscfg32.exe 21->26         started        29 conhost.exe 21->29         started        65 Uses schtasks.exe or at.exe to add and modify task schedules 23->65 31 conhost.exe 23->31         started        33 schtasks.exe 1 23->33         started        process9 signatures10 67 Writes to foreign memory regions 26->67 69 Allocates memory in foreign processes 26->69 71 Creates a thread in another existing process (thread injection) 26->71 35 conhost.exe 7 26->35         started        process11 file12 47 C:\Users\user\AppData\...\sihost64.exe, PE32+ 35->47 dropped 38 sihost64.exe 35->38         started        process13 signatures14 57 Antivirus detection for dropped file 38->57 59 Multi AV Scanner detection for dropped file 38->59 61 Writes to foreign memory regions 38->61 63 2 other signatures 38->63 41 conhost.exe 2 38->41         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1cb6084ac66c0a7fc1371aebf60cf361b70e3882d5a7da33e24fae720094b3a/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2022-07-21 06:29:34 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hfwbbfmm3akp7atogxl6ygpgynxby4ifvnh3iz6et5ooiajjm5a._file
Verdict:
malicious
Similar samples:
0ba5bc2a4412ad5a9e6c873d77ca59d2650ca6138126737e02f89a0581832ed5
XFilesStealer
1660fa277deb0f1afcd706189ecca08930050458121c2a2f42f2dcdeb1cf9c29
XFilesStealer
436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497
XFilesStealer
7e1624df0ec310b2766bd7a9a98f05ef1ed576f0f7e0699aee3ecc35ddb03c12
XFilesStealer
7f94c21c8bb8b634df7616ec35572439237604fae7e049e1fad38403955996b9
XFilesStealer
cc6d0138a98d588a8a180929426c3095a18f109d5e0272456a62f06eacac01cc
XFilesStealer
cde7e237d3724ede32827c724793cd1e44f041b020a49a5188df9f0f0a92a722
XFilesStealer
ec86b00b3f187f93e86711f82043af2ec359861bd60497b53998b0a28bc20d3e
XFilesStealer
f24c30b470bbed7b13040919adaad588854f82e994cd2aa620bf94adffbdaa2c
XFilesStealer
f6db67d86284b56e01a696535996455416a4e86ec12b923721771d010210c487
XFilesStealer
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220721-ya8d3shfh3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f1cb6084ac66c0a7fc1371aebf60cf361b70e3882d5a7da33e24fae720094b3a
MD5 hash:
9907569cbe56ec0eb5a27e29e65ab4d9
SHA1 hash:
0e01a401a99876fddd8a2cdc6b8de9600c8565d4
Link:
https://www.unpac.me/results/9e9fec4a-a76b-4480-860e-4826c8a89891/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f1cb6084ac66/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f1cb6084ac66c0a7fc1371aebf60cf361b70e3882d5a7da33e24fae720094b3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe f1cb6084ac66c0a7fc1371aebf60cf361b70e3882d5a7da33e24fae720094b3a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2015851/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/293252/

Comments