Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

X-Files

112
Global rank
123 infographic chevron month
Month rank
121 infographic chevron week
Week rank
0
IOCs

X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.

Stealer
Type
Unknown
Origin
15 March, 2021
First seen
7 November, 2024
Last seen

How to analyze X-Files with ANY.RUN

Type
Unknown
Origin
15 March, 2021
First seen
7 November, 2024
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 263
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1376
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1819
comments 0

What is X-FILES malware?

X-FILES is a sophisticated infostealer that primarily targets sensitive data, including login credentials, financial information, and other personal details. Since its initial discovery in March 2021, the malware has undergone various updates that have enhanced its capabilities and delivery methods.

While specific campaigns are not widely publicized, X-FILES Stealer has been involved in various phishing campaigns targeting users and organizations, particularly focusing on individuals who store sensitive information in browsers and email clients.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

X-FILES malware technical details

X-FILES Stealer steals login credentials, hijacks accounts, and exfiltrates other sensitive data to its command-and-control (C2) servers. The malware can also use the compromised accounts to spread further infections.

The primary functionalities of X-FILES malware include:

  • Steals sensitive information like login credentials, cookies, browsing history, and cryptocurrency data.
  • Gains unauthorized access to personal and corporate accounts, including email and social media.
  • Alters startup directories or registry settings to ensure the malware runs on every system boot.
  • Runs its payload directly in memory to evade traditional detection methods.
  • Uses complex encoding and decryption to avoid detection by security tools.
  • Exploits known vulnerabilities through phishing emails with malicious attachments or links.

Cybercriminals often use a variety of file types to deliver X-FILES Stealer and other malware through phishing emails. These files include executable files (.exe), archive files like RAR and ZIP, and documents such as PDFs, JavaScript files, and Microsoft Office documents. The attachments are designed to appear legitimate, luring users into opening them and unknowingly initiating the malware infection.

A significant aspect of X-FILES Stealer’s operation is its integration with Telegram. The malware utilizes Telegram as a communication platform to exfiltrate stolen data.

This method is advantageous for attackers because Telegram offers end-to-end encryption, providing a level of anonymity and security that makes it difficult for cybersecurity professionals to trace the data back to its source. The malware sends the exfiltrated data directly to a Telegram bot or channel controlled by the attackers, where it can be accessed remotely and anonymously.

X-FILES Stealer execution process

To see how X-FILES stealer operates, let’s upload its sample to the ANY.RUN sandbox.

The infection chain usually begins with phishing emails containing malicious attachments, which are often disguised as legitimate documents, such as Word, Excel, or other Office files. When users open these documents, they may unknowingly execute embedded scripts that trigger the malware's payload.

One of the recent variants of X-FILES uses the Follina vulnerability (CVE-2022-30190), which allows attackers to execute PowerShell commands simply by opening a Word document. This document contains an OLE object that references an external HTML file, which subsequently executes JavaScript to download the malware payload.

X-FILES Stealer process graph in ANY.RUN X-FILES Stealer process graph shown in ANY.RUN sandbox

Once the document is opened, it retrieves a base64-encoded string containing PowerShell commands. These commands establish persistence on the infected machine by placing the malware in the Windows startup directory and executing it.

The main payload includes encrypted shellcode, which is decrypted and executed in memory. This approach enables the malware to run without leaving significant traces on the disk, making it more difficult to detect.

The stolen data is typically stored in newly created directories on the infected machine and is exfiltrated using secure channels, often via Telegram, providing attackers with a degree of anonymity.

X-FILES Stealer delivery methods

X-FILES Stealer is distributed through a variety of methods, each designed to exploit common vulnerabilities and user behaviors:

  • Infected email attachments: The most common method involves phishing emails with infected attachments, tricking users into opening them and initiating the malware.
  • Malicious online advertisements: Also known as malvertising, this method involves embedding malware in online ads. When users click on these ads, they are redirected to a compromised website or directly download the malware, unknowingly initiating the infection.
  • Social engineering: Attackers employ deceptive tactics like fake security alerts or bogus software updates to convince users to download and install the malware.
  • Pirated software: X-FILES Stealer is often bundled with pirated software and 'cracks,' leading users who download these tools to unknowingly infect their systems.

Conclusion

X-FILES Stealer’s focus on hijacking accounts and exfiltrating sensitive data highlights the need for strong security measures. Protecting against X-FILES Stealer requires a combination of security practices, including proactive analysis of suspicious emails, files, or links using a malware sandbox.

ANY.RUN offers a powerful solution for this, allowing anyone to analyze and understand the behavior of threats like X-FILES Stealer in a controlled environment. By using ANY.RUN, you can proactively identify and respond to these threats before they can compromise your data.

Sign up for a free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More