MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06be4fd28372a6476533130d18bb309666c3e3601dd037b3b7e8795a1c791a74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox

Vendor detections: 7

SHA256 hash: 06be4fd28372a6476533130d18bb309666c3e3601dd037b3b7e8795a1c791a74
SHA3-384 hash: cc433180b162917d2aef2d43dce7a18fbf92c74bf21c44695445253d94fd19a3e37ec7926dc14a8ace7698774b9a9ca6
SHA1 hash: da0ad6136c04c616f814ed4a6638972fe7821955
MD5 hash: 9aa8e640a659ffe47ed3665ac11482b0
humanhash: double-fourteen-kansas-lemon
File name: 9AA8E640A659FFE47ED3665AC11482B0.exe
Signature: DiamondFox
File size: 3'036'023 bytes
First seen: 2021-09-02 01:31:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcBpEwJ84vLRaBtIl9mVOwOBbJxpZpKEy7a+p0wnRKAQmM/84+cPzkot0zaHuk:xXCvLUBsgtOBbJ37KEyO+p0ah39TGk/+
TLSH: T168E5332437CAC4F3EA81A4718D089FF390A6D7E80E7609E3A750E51D5E399F5C53A81B
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
http://45.142.215.144/   https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin
# of uploads: 1
# of downloads: 185
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9AA8E640A659FFE47ED3665AC11482B0.exe
Verdict: No threats detected
Analysis date: 2021-09-02 01:31:42 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Deleting a recently created file
Creating a window
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Creating a file
Creating a file in the %AppData% directory
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Delayed reading of the file
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Threat name: Win32.Trojan.Ditertag
Status: Malicious
First seen: 2021-08-31 12:48:48 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:vidar family:xmrig botnet:706 aspackv2 backdoor infostealer miner stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
xmrig
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments