MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81
SHA3-384 hash: a4935c9d01bb483599bff31dbbb20d2d66e69f563fe31de975982ac4372636ee7edf32786fcc408b111b9afec23a32cd
SHA1 hash: 19671765f1d4db74a1a9bca2911ff8f3d9633a81
MD5 hash: 574843ce13304217f897e35ccfa66118
humanhash: papa-massachusetts-fruit-texas
File name:574843CE13304217F897E35CCFA66118.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:1'662'464 bytes
First seen:2021-08-14 22:11:10 UTC
Last seen:2021-08-14 22:48:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ba9ba55b1a716b6a71a11f5d3a4844e7 (1 x RedLineStealer, 1 x DiamondFox)
ssdeep 24576:5E6IrX+7auPGoX8DqTyECMkDwff7h0cykj3uBL8hxCMcIYwTxKAyuxCQyD2uG8wM:5sMeBQxC/wTW2owTt8fpSKc
Threatray 98 similar samples on MalwareBazaar
TLSH T1FA759D10FB138224DD6221B548FA7E28D5AD7D0043784EE7A7C82F69D6732C2B93665F
dhash icon f0a8bab082828292 (8 x AgentTesla, 3 x RedLineStealer, 3 x PrivateLoader)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
185.53.46.25:38743

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.53.46.25:38743 https://threatfox.abuse.ch/ioc/186188/

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
574843CE13304217F897E35CCFA66118.exe
Verdict:
No threats detected
Analysis date:
2021-08-14 22:12:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c3c828d-6d64-4bf5-b837-e3b83182f70d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179295/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.59190.49.13180.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending an HTTP POST request
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a window
Connection attempt to an infection source
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Moving a file to the Program Files subdirectory
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13382e5e-eefe-4a43-af0f-82f1e308e724
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833001
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465432 Sample: bSL9yTxjQf.exe Startdate: 15/08/2021 Architecture: WINDOWS Score: 100 84 sandedean.xyz 2->84 126 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->126 128 Antivirus detection for URL or domain 2->128 130 Multi AV Scanner detection for dropped file 2->130 132 12 other signatures 2->132 10 bSL9yTxjQf.exe 4 27 2->10         started        15 WinHoster.exe 2->15         started        17 WinHoster.exe 2->17         started        signatures3 process4 dnsIp5 120 37.0.10.236, 49720, 49735, 80 WKD-ASIE Netherlands 10->120 122 37.0.11.8, 49722, 49723, 80 WKD-ASIE Netherlands 10->122 124 3 other IPs or domains 10->124 72 C:\Users\...\keTqElutIItTyv3USEUm9NYz.exe, PE32 10->72 dropped 74 C:\Users\...\kUnDWOrDYn0HPruOTIL6i0Ge.exe, PE32 10->74 dropped 76 C:\Users\...\_ocBT_NQrnRaCD8gs5yDt9ON.exe, PE32+ 10->76 dropped 78 7 other malicious files 10->78 dropped 146 Drops PE files to the document folder of the user 10->146 148 Disable Windows Defender real time protection (registry) 10->148 19 IOhpRx9J_3QGYu1JlFY4CPSW.exe 15 6 10->19         started        24 ICmsoLDGPGLbnhoGN5m7yufr.exe 10->24         started        26 _ocBT_NQrnRaCD8gs5yDt9ON.exe 14 33 10->26         started        28 2 other processes 10->28 file6 signatures7 process8 dnsIp9 102 iplis.ru 88.99.66.31, 443, 49732, 49733 HETZNER-ASDE Germany 19->102 104 music-sec.xyz 104.21.92.87, 49730, 80 CLOUDFLARENETUS United States 19->104 106 iplogger.org 19->106 66 C:\Users\user\AppData\Roaming\8657101.exe, PE32 19->66 dropped 68 C:\Users\user\AppData\Roaming\2611500.exe, PE32 19->68 dropped 134 Detected unpacking (overwrites its own PE header) 19->134 136 Performs DNS queries to domains with low reputation 19->136 30 2611500.exe 19->30         started        34 8657101.exe 19->34         started        37 ICmsoLDGPGLbnhoGN5m7yufr.exe 24->37         started        108 185.53.46.25, 38743, 49737, 49755 STNB-ASDE Germany 26->108 110 api.ip.sb 26->110 138 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->138 140 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->140 142 Tries to steal Crypto Currency Wallets 26->142 112 sandedean.xyz 28->112 39 mshta.exe 28->39         started        41 conhost.exe 28->41         started        file10 signatures11 process12 dnsIp13 80 C:\Users\user\AppData\...\WinHoster.exe, PE32 30->80 dropped 150 Multi AV Scanner detection for dropped file 30->150 152 Detected unpacking (changes PE section rights) 30->152 43 WinHoster.exe 30->43         started        86 192.168.2.1 unknown unknown 34->86 88 getdesignusa.xyz 34->88 154 Performs DNS queries to domains with low reputation 34->154 156 Tries to harvest and steal browser information (history, passwords, etc) 34->156 46 WerFault.exe 34->46         started        48 WerFault.exe 34->48         started        90 p6701.softemstore.xyz 172.67.162.27, 443, 49758 CLOUDFLARENETUS United States 37->90 82 C:\Windows\System32\drivers\etc\hosts, ASCII 37->82 dropped 158 Modifies the hosts file 37->158 50 chrome.exe 37->50         started        92 bitbucket.org 104.192.141.1, 443, 49727, 49738 AMAZON-02US United States 39->92 94 s3-w.us-east-1.amazonaws.com 52.217.201.57, 443, 49729 AMAZON-02US United States 39->94 96 2 other IPs or domains 39->96 160 Obfuscated command line found 39->160 54 powershell.exe 39->54         started        file14 signatures15 process16 dnsIp17 144 Detected unpacking (changes PE section rights) 43->144 98 239.255.255.250 unknown Reserved 50->98 62 C:\Users\user\...\the-real-index (copy), PDP-11 50->62 dropped 64 C:\Users\user\AppData\Local\...\temp-index, PDP-11 50->64 dropped 56 chrome.exe 50->56         started        100 bitbucket.org 54->100 60 conhost.exe 54->60         started        file18 signatures19 process20 dnsIp21 114 accounts.google.com 142.250.203.109, 443, 49759 GOOGLEUS United States 56->114 116 plus.l.google.com 142.250.203.110, 443, 49769 GOOGLEUS United States 56->116 118 3 other IPs or domains 56->118 70 C:\Users\user\AppData\Local\...\Cookies, SQLite 56->70 dropped file22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 20:55:45 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqp2nlfq2ujm22hfhdjojpirvgqtiwbz2oad5sgas2dc5l6azwaq._file
Verdict:
malicious
Similar samples:
31452b50fe8475fa4566b814ed702c6910029ff66db45d3dbb21c2e3ed63594f
DiamondFox
3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
DiamondFox
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241
DiamondFox
5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
DiamondFox
7fec25753b7597c9bf89e634043cc93f7bfd724d4c2f09e02b2c0aeefd0c99ed
DiamondFox
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
DiamondFox
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
DiamondFox
d82cb4755924ead169ce150c3e22d12a1820d92e65bf5dfa4c7003b3147441f3
DiamondFox
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
DiamondFox
+ 88 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:birja traff botnet:ruz botnet:usacash888 discovery evasion infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210814-9zc6tz6t5j/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Core1 .NET packer
CustAttr .NET packer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Malware Config
C2 Extraction:
185.53.46.25:38743
sandedean.xyz:80
alasshrilm.xyz:80
Dropper Extraction:
https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt
Unpacked files
SH256 hash:
041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81
MD5 hash:
574843ce13304217f897e35ccfa66118
SHA1 hash:
19671765f1d4db74a1a9bca2911ff8f3d9633a81
Link:
https://www.unpac.me/results/5682e219-fb9f-4b0a-a90f-0df7bbefd554/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/041fa6acb0d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179295/

Comments