Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

X-Files

126
Global rank
136 infographic chevron month
Month rank
132 infographic chevron week
Week rank
0
IOCs

X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.

Stealer
Type
Unknown
Origin
15 March, 2021
First seen
7 November, 2024
Last seen

How to analyze X-Files with ANY.RUN

Type
Unknown
Origin
15 March, 2021
First seen
7 November, 2024
Last seen

IOCs

Last Seen at

Recent blog posts

post image
TI Lookup Named Best Threat Intelligence Serv...
watchers 180
comments 0
post image
Decoding a Malware Analyst: Essential Skills...
watchers 250
comments 0
post image
Expose Android Malware in Seconds: ANY.RUN Sa...
watchers 2782
comments 0

What is X-FILES malware?

X-FILES is a sophisticated infostealer that primarily targets sensitive data, including login credentials, financial information, and other personal details. Since its initial discovery in March 2021, the malware has undergone various updates that have enhanced its capabilities and delivery methods.

While specific campaigns are not widely publicized, X-FILES Stealer has been involved in various phishing campaigns targeting users and organizations, particularly focusing on individuals who store sensitive information in browsers and email clients.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

X-FILES malware technical details

X-FILES Stealer steals login credentials, hijacks accounts, and exfiltrates other sensitive data to its command-and-control (C2) servers. The malware can also use the compromised accounts to spread further infections.

The primary functionalities of X-FILES malware include:

  • Steals sensitive information like login credentials, cookies, browsing history, and cryptocurrency data.
  • Gains unauthorized access to personal and corporate accounts, including email and social media.
  • Alters startup directories or registry settings to ensure the malware runs on every system boot.
  • Runs its payload directly in memory to evade traditional detection methods.
  • Uses complex encoding and decryption to avoid detection by security tools.
  • Exploits known vulnerabilities through phishing emails with malicious attachments or links.

Cybercriminals often use a variety of file types to deliver X-FILES Stealer and other malware through phishing emails. These files include executable files (.exe), archive files like RAR and ZIP, and documents such as PDFs, JavaScript files, and Microsoft Office documents. The attachments are designed to appear legitimate, luring users into opening them and unknowingly initiating the malware infection.

A significant aspect of X-FILES Stealer’s operation is its integration with Telegram. The malware utilizes Telegram as a communication platform to exfiltrate stolen data.

This method is advantageous for attackers because Telegram offers end-to-end encryption, providing a level of anonymity and security that makes it difficult for cybersecurity professionals to trace the data back to its source. The malware sends the exfiltrated data directly to a Telegram bot or channel controlled by the attackers, where it can be accessed remotely and anonymously.

X-FILES Stealer execution process

To see how X-FILES stealer operates, let’s upload its sample to the ANY.RUN sandbox.

The infection chain usually begins with phishing emails containing malicious attachments, which are often disguised as legitimate documents, such as Word, Excel, or other Office files. When users open these documents, they may unknowingly execute embedded scripts that trigger the malware's payload.

One of the recent variants of X-FILES uses the Follina vulnerability (CVE-2022-30190), which allows attackers to execute PowerShell commands simply by opening a Word document. This document contains an OLE object that references an external HTML file, which subsequently executes JavaScript to download the malware payload.

X-FILES Stealer process graph in ANY.RUN X-FILES Stealer process graph shown in ANY.RUN sandbox

Once the document is opened, it retrieves a base64-encoded string containing PowerShell commands. These commands establish persistence on the infected machine by placing the malware in the Windows startup directory and executing it.

The main payload includes encrypted shellcode, which is decrypted and executed in memory. This approach enables the malware to run without leaving significant traces on the disk, making it more difficult to detect.

The stolen data is typically stored in newly created directories on the infected machine and is exfiltrated using secure channels, often via Telegram, providing attackers with a degree of anonymity.

X-FILES Stealer delivery methods

X-FILES Stealer is distributed through a variety of methods, each designed to exploit common vulnerabilities and user behaviors:

  • Infected email attachments: The most common method involves phishing emails with infected attachments, tricking users into opening them and initiating the malware.
  • Malicious online advertisements: Also known as malvertising, this method involves embedding malware in online ads. When users click on these ads, they are redirected to a compromised website or directly download the malware, unknowingly initiating the infection.
  • Social engineering: Attackers employ deceptive tactics like fake security alerts or bogus software updates to convince users to download and install the malware.
  • Pirated software: X-FILES Stealer is often bundled with pirated software and 'cracks,' leading users who download these tools to unknowingly infect their systems.

Conclusion

X-FILES Stealer’s focus on hijacking accounts and exfiltrating sensitive data highlights the need for strong security measures. Protecting against X-FILES Stealer requires a combination of security practices, including proactive analysis of suspicious emails, files, or links using a malware sandbox.

ANY.RUN offers a powerful solution for this, allowing anyone to analyze and understand the behavior of threats like X-FILES Stealer in a controlled environment. By using ANY.RUN, you can proactively identify and respond to these threats before they can compromise your data.

Sign up for a free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

Crypto malware screenshot
Crypto malware
miner xmrig jsminer
Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
Stealer screenshot
Stealer
stealer
Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.
Read More
Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More
Trojan screenshot
Trojan
trojan trojan horse
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.
Read More