MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ef2423530764d0f9a745e60c251176c903929d958ce3ff1c22a6867c97bbc13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 11


Intelligence 11 IOCs 9 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ef2423530764d0f9a745e60c251176c903929d958ce3ff1c22a6867c97bbc13
SHA3-384 hash: 54d86c59a53a72a74fb5681415d95cd3a22f610f8e67e0359a4100516d8717a6ec00d090d77edbd68476d2620b505f25
SHA1 hash: a393fe0edecbd9f8595d9994a6d72a8f72cc78e9
MD5 hash: 4ab86ecf57745c9e783700043a906716
humanhash: mobile-east-alabama-wyoming
File name:sahiba_4.txt
Download: download sample
Signature DiamondFox
Create hunting rule
File size:8'192 bytes
First seen:2021-07-14 14:13:20 UTC
Last seen:2021-07-14 15:07:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 96:ZyJOuTNNLXqqCWV2sLZS4kdtKozt15Lf3BKEzNt:Z0Tj2qH39Gt35Lgu
Threatray 2'319 similar samples on MalwareBazaar
TLSH T1B0F1E70AE7E50733EDAE4B3EACB3132053B5E7095C53DB5E68C8425A5CA33441A92BB5
Reporter CholeVallabh
Tags:DiamondFox exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.69.55.138:80 https://threatfox.abuse.ch/ioc/160166/
185.244.182.34:56068 https://threatfox.abuse.ch/ioc/160383/
http://a343345.me/6.jpg https://threatfox.abuse.ch/ioc/160433/
http://a343345.me/1.jpg https://threatfox.abuse.ch/ioc/160434/
http://a343345.me/2.jpg https://threatfox.abuse.ch/ioc/160435/
http://a343345.me/3.jpg https://threatfox.abuse.ch/ioc/160436/
http://a343345.me/4.jpg https://threatfox.abuse.ch/ioc/160437/
http://a343345.me/5.jpg https://threatfox.abuse.ch/ioc/160438/
http://a343345.me/7.jpg https://threatfox.abuse.ch/ioc/160439/

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sahiba_4.txt
Verdict:
Malicious activity
Analysis date:
2021-07-14 14:28:57 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/75736347-3846-4e6e-bcc6-ca321a7803a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gcleaner
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171681/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.29722.24679.UNOFFICIAL
Create hunting rule

Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2cc7efd-ba26-4484-a580-329f66d61e4c
Result
Threat name:
Backstage Stealer Cookie Stealer Oski
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816280
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Posts data to a JPG file (protocol mismatch)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Cookie Stealer
Yara detected Oski Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 448694 Sample: sahiba_4.txt Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 110 google.vrthcobj.com 2->110 140 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->140 142 Found malware configuration 2->142 144 Antivirus / Scanner detection for submitted sample 2->144 146 14 other signatures 2->146 12 sahiba_4.exe 14 5 2->12         started        17 haleng.exe 2->17         started        signatures3 process4 dnsIp5 126 cdn.discordapp.com 162.159.135.233, 443, 49733 CLOUDFLARENETUS United States 12->126 104 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 12->104 dropped 106 C:\Users\user\AppData\...\sahiba_4.exe.log, ASCII 12->106 dropped 182 Detected unpacking (overwrites its own PE header) 12->182 19 LzmwAqmV.exe 7 12->19         started        128 157.240.195.35 FACEBOOKUS United States 17->128 130 ip-api.com 17->130 108 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 17->108 dropped 184 Antivirus detection for dropped file 17->184 186 May check the online IP address of the machine 17->186 188 Machine Learning detection for dropped file 17->188 23 jfiag3g_gg.exe 17->23         started        file6 signatures7 process8 dnsIp9 72 C:\Users\user\AppData\Local\Temp\zp.exe, PE32 19->72 dropped 74 C:\Users\user\AppData\Local\...\playfile.exe, PE32 19->74 dropped 76 C:\Users\user\AppData\Local\Temp\jhuuee.exe, PE32 19->76 dropped 78 2 other files (none is malicious) 19->78 dropped 150 Machine Learning detection for dropped file 19->150 26 playfile.exe 4 19->26         started        30 jhuuee.exe 3 2 19->30         started        33 prestige.exe 10 19->33         started        35 2 other processes 19->35 124 192.168.2.1 unknown unknown 23->124 file10 signatures11 process12 dnsIp13 98 C:\Users\user\AppData\Local\...\svchost.exe, PE32 26->98 dropped 164 Writes to foreign memory regions 26->164 166 Allocates memory in foreign processes 26->166 168 Sample uses process hollowing technique 26->168 180 2 other signatures 26->180 37 svchost.exe 193 26->37         started        132 www.facebook.com 30->132 134 ip-api.com 208.95.112.1, 49737, 49743, 80 TUT-ASUS United States 30->134 138 3 other IPs or domains 30->138 100 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 30->100 dropped 170 Antivirus detection for dropped file 30->170 172 May check the online IP address of the machine 30->172 174 Machine Learning detection for dropped file 30->174 42 jfiag3g_gg.exe 1 30->42         started        44 jfiag3g_gg.exe 30->44         started        102 C:\Users\user\AppData\...\setup_installer.exe, PE32 33->102 dropped 46 setup_installer.exe 33->46         started        136 176.113.115.136 SELECTELRU Russian Federation 35->136 176 Creates processes via WMI 35->176 48 zp.exe 35->48         started        50 conhost.exe 35->50         started        52 WerFault.exe 35->52         started        file14 178 System process connects to network (likely due to code injection or exploit) 132->178 signatures15 process16 dnsIp17 118 a343345.me 198.54.114.131, 49740, 80 NAMECHEAP-NETUS United States 37->118 80 C:\ProgramData\vcruntime140.dll, PE32 37->80 dropped 94 6 other files (none is malicious) 37->94 dropped 152 System process connects to network (likely due to code injection or exploit) 37->152 154 Detected unpacking (changes PE section rights) 37->154 156 Detected unpacking (overwrites its own PE header) 37->156 160 2 other signatures 37->160 158 Antivirus detection for dropped file 42->158 82 C:\Users\user\AppData\...\setup_install.exe, PE32 46->82 dropped 84 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 46->84 dropped 86 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 46->86 dropped 96 5 other files (none is malicious) 46->96 dropped 54 setup_install.exe 46->54         started        88 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 48->88 dropped 90 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 48->90 dropped 92 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 48->92 dropped 58 conhost.exe 48->58         started        file18 signatures19 process20 dnsIp21 120 104.21.56.66 CLOUDFLARENETUS United States 54->120 122 127.0.0.1 unknown unknown 54->122 162 Detected unpacking (changes PE section rights) 54->162 60 cmd.exe 54->60         started        62 cmd.exe 54->62         started        64 conhost.exe 54->64         started        signatures22 process23 process24 66 karotima_1.exe 60->66         started        70 karotima_2.exe 62->70         started        dnsIp25 112 79.174.12.174 THEFIRST-ASRU Russian Federation 66->112 114 34.117.59.81 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 66->114 116 2.56.59.245 GBTCLOUDUS Netherlands 66->116 148 Disable Windows Defender real time protection (registry) 66->148 signatures26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ef2423530764d0f9a745e60c251176c903929d958ce3ff1c22a6867c97bbc13/
Threat name:
ByteCode-MSIL.Infostealer.Passteal
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 14:14:07 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b3zeenjqozgq7gtulzqmeuixnsidskozldhd74ocfjugpsl3xqjq._file
Verdict:
malicious
Similar samples:
421b0a7152dfe73bcaae17fa1b6efa1ea2778f6428bb15938dcd4e3be5690c2d
DiamondFox
56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d
DiamondFox
673453fec6e11175bf0a749c94594c22a886d2f287e9648b51aa305b17109ffd
DiamondFox
7010d5ddded81107f17f04b164bdcf1d3f9cd3e84745f711ad5178356c13bff7
DiamondFox
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
DiamondFox
924bb78c8e816ebd25d656fb6cf0387449cd4b3cd55846c99d4f0ddb47f71dd5
DiamondFox
948bd9774b0dfad1762f459a078f55426780b722585aa701941e95b188a552de
DiamondFox
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
DiamondFox
b5836dfd74e9e193cb8b3ee99d34f6b93ff5b88fecdc8f0b55928407bd0af376
DiamondFox
f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19
DiamondFox
+ 2'309 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:oski family:raccoon family:redline family:smokeloader family:vidar botnet:865 botnet:903 botnet:new_crypt_1_20k botnet:sel12 agilenet aspackv2 backdoor discovery evasion infostealer persistence spyware stealer themida trojan upx
Link:
https://tria.ge/reports/210714-hfqf8yf61a/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Oski
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
a343345.me
kathonaror.xyz:80
45.140.147.128:4311
https://olegf9844.tumblr.com/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Unpacked files
SH256 hash:
0ef2423530764d0f9a745e60c251176c903929d958ce3ff1c22a6867c97bbc13
MD5 hash:
4ab86ecf57745c9e783700043a906716
SHA1 hash:
a393fe0edecbd9f8595d9994a6d72a8f72cc78e9
Link:
https://www.unpac.me/results/d98e5675-f40d-45b1-a9d0-be1ab2c83ece/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ef2423530764d0f9a745e60c251176c903929d958ce3ff1c22a6867c97bbc13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_new_mem
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171681/

Comments