BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

X-Files

xfiles
110
Global rank
86 infographic chevron month
Month rank
120 infographic chevron week
Week rank
0
IOCs

X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.

Stealer
Type
Unknown
Origin
15 March, 2021
First seen
7 November, 2024
Last seen

How to analyze X-Files with ANY.RUN

Stealer
Type
Unknown
Origin
15 March, 2021
First seen
7 November, 2024
Last seen

IOCs

Last Seen at
7 November, 2024
Malicious activity
582cd56afe40a1e49d91486e40c4d5a27d1a890f451e5ba5d0d948511cde3987
deerstealer
xfiles
stealer
7 November, 2024
Malicious activity
sxqnmytm.exe
deerstealer
xfiles
stealer
6 November, 2024
Malicious activity
05ffd1835da6892f990f92b3a3a933c08038bce94e71b5750ad8e374da877552
amadey
botnet
stealer
themida
loader
deerstealer
xfiles
6 November, 2024
Malicious activity
72e18d1f94925f558f47baf67848e00775a07622df025ebce3c1264296d6d44e
amadey
botnet
stealer
lumma
possible-phishing
loader
themida
exfiltration
stealc
deerstealer
xfiles
14 October, 2024
Malicious activity
84e059bb286a4d546c18b3e2f61d0bc0fe7c635fd2c1ca998722324d48d1c584
deerstealer
xfiles
stealer
12 October, 2024
Malicious activity
FWBEYCSW.exe
deerstealer
xfiles
stealer
10 October, 2024
Malicious activity
f25be1c6046bf8691b7ba7fe20998d89a5cf4ab3520ba4782894c7a810b7563e.exe
deerstealer
xfiles
stealer
9 October, 2024
Malicious activity
08e1d8d41bef83310ed290e5b8b3821d7ead8f66709c90cd4caa27c567ab4e80.exe
deerstealer
xfiles
stealer
4 October, 2024
Malicious activity
3333333123123123123.exe
deerstealer
xfiles
stealer
16 September, 2024
Malicious activity
28a77038b1f69e4df9ae5f2e5333c3e1911eff6768ed4eeb6c7a7d3de4ec2e57.exe
deerstealer
stealer
xfiles
TRACK THEM ALL AT
Public Submissions
Last Seen at
7 November, 2024
Malicious activity
582cd56afe40a1e49d91486e40c4d5a27d1a890f451e5ba5d0d948511cde3987
deerstealer
xfiles
stealer
7 November, 2024
Malicious activity
sxqnmytm.exe
deerstealer
xfiles
stealer
6 November, 2024
Malicious activity
05ffd1835da6892f990f92b3a3a933c08038bce94e71b5750ad8e374da877552
amadey
botnet
stealer
themida
loader
deerstealer
xfiles
6 November, 2024
Malicious activity
72e18d1f94925f558f47baf67848e00775a07622df025ebce3c1264296d6d44e
amadey
botnet
stealer
lumma
possible-phishing
loader
themida
exfiltration
stealc
deerstealer
xfiles
14 October, 2024
Malicious activity
84e059bb286a4d546c18b3e2f61d0bc0fe7c635fd2c1ca998722324d48d1c584
deerstealer
xfiles
stealer
12 October, 2024
Malicious activity
FWBEYCSW.exe
deerstealer
xfiles
stealer
10 October, 2024
Malicious activity
f25be1c6046bf8691b7ba7fe20998d89a5cf4ab3520ba4782894c7a810b7563e.exe
deerstealer
xfiles
stealer
9 October, 2024
Malicious activity
08e1d8d41bef83310ed290e5b8b3821d7ead8f66709c90cd4caa27c567ab4e80.exe
deerstealer
xfiles
stealer
4 October, 2024
Malicious activity
3333333123123123123.exe
deerstealer
xfiles
stealer
16 September, 2024
Malicious activity
28a77038b1f69e4df9ae5f2e5333c3e1911eff6768ed4eeb6c7a7d3de4ec2e57.exe
deerstealer
stealer
xfiles
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 323
comments 0
post image
Automated Interactivity: Stage 2
watchers 2186
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3149
comments 0

Contents

  • What is X-FILES malware?
  • X-FILES malware technical details
  • X-FILES Stealer execution process
  • X-FILES Stealer delivery methods
  • Conclusion

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 323
comments 0
post image
Automated Interactivity: Stage 2
watchers 2186
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3149
comments 0

What is X-FILES malware?

X-FILES is a sophisticated infostealer that primarily targets sensitive data, including login credentials, financial information, and other personal details. Since its initial discovery in March 2021, the malware has undergone various updates that have enhanced its capabilities and delivery methods.

While specific campaigns are not widely publicized, X-FILES Stealer has been involved in various phishing campaigns targeting users and organizations, particularly focusing on individuals who store sensitive information in browsers and email clients.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

X-FILES malware technical details

X-FILES Stealer steals login credentials, hijacks accounts, and exfiltrates other sensitive data to its command-and-control (C2) servers. The malware can also use the compromised accounts to spread further infections.

The primary functionalities of X-FILES malware include:

  • Steals sensitive information like login credentials, cookies, browsing history, and cryptocurrency data.
  • Gains unauthorized access to personal and corporate accounts, including email and social media.
  • Alters startup directories or registry settings to ensure the malware runs on every system boot.
  • Runs its payload directly in memory to evade traditional detection methods.
  • Uses complex encoding and decryption to avoid detection by security tools.
  • Exploits known vulnerabilities through phishing emails with malicious attachments or links.

Cybercriminals often use a variety of file types to deliver X-FILES Stealer and other malware through phishing emails. These files include executable files (.exe), archive files like RAR and ZIP, and documents such as PDFs, JavaScript files, and Microsoft Office documents. The attachments are designed to appear legitimate, luring users into opening them and unknowingly initiating the malware infection.

A significant aspect of X-FILES Stealer’s operation is its integration with Telegram. The malware utilizes Telegram as a communication platform to exfiltrate stolen data.

This method is advantageous for attackers because Telegram offers end-to-end encryption, providing a level of anonymity and security that makes it difficult for cybersecurity professionals to trace the data back to its source. The malware sends the exfiltrated data directly to a Telegram bot or channel controlled by the attackers, where it can be accessed remotely and anonymously.

X-FILES Stealer execution process

To see how X-FILES stealer operates, let’s upload its sample to the ANY.RUN sandbox.

The infection chain usually begins with phishing emails containing malicious attachments, which are often disguised as legitimate documents, such as Word, Excel, or other Office files. When users open these documents, they may unknowingly execute embedded scripts that trigger the malware's payload.

One of the recent variants of X-FILES uses the Follina vulnerability (CVE-2022-30190), which allows attackers to execute PowerShell commands simply by opening a Word document. This document contains an OLE object that references an external HTML file, which subsequently executes JavaScript to download the malware payload.

X-FILES Stealer process graph in ANY.RUN X-FILES Stealer process graph shown in ANY.RUN sandbox

Once the document is opened, it retrieves a base64-encoded string containing PowerShell commands. These commands establish persistence on the infected machine by placing the malware in the Windows startup directory and executing it.

The main payload includes encrypted shellcode, which is decrypted and executed in memory. This approach enables the malware to run without leaving significant traces on the disk, making it more difficult to detect.

The stolen data is typically stored in newly created directories on the infected machine and is exfiltrated using secure channels, often via Telegram, providing attackers with a degree of anonymity.

X-FILES Stealer delivery methods

X-FILES Stealer is distributed through a variety of methods, each designed to exploit common vulnerabilities and user behaviors:

  • Infected email attachments: The most common method involves phishing emails with infected attachments, tricking users into opening them and initiating the malware.
  • Malicious online advertisements: Also known as malvertising, this method involves embedding malware in online ads. When users click on these ads, they are redirected to a compromised website or directly download the malware, unknowingly initiating the infection.
  • Social engineering: Attackers employ deceptive tactics like fake security alerts or bogus software updates to convince users to download and install the malware.
  • Pirated software: X-FILES Stealer is often bundled with pirated software and 'cracks,' leading users who download these tools to unknowingly infect their systems.

Conclusion

X-FILES Stealer’s focus on hijacking accounts and exfiltrating sensitive data highlights the need for strong security measures. Protecting against X-FILES Stealer requires a combination of security practices, including proactive analysis of suspicious emails, files, or links using a malware sandbox.

ANY.RUN offers a powerful solution for this, allowing anyone to analyze and understand the behavior of threats like X-FILES Stealer in a controlled environment. By using ANY.RUN, you can proactively identify and respond to these threats before they can compromise your data.

Sign up for a free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
WarmCookie screenshot
WarmCookie
badspace
WarmCookie is a backdoor malware that cyber attackers use to gain initial access to targeted systems. It is often distributed through phishing emails, frequently using job recruitment lures to entice victims into downloading and executing the malware.
Read More