MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 11


Intelligence 11 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
SHA3-384 hash: ea726ae2ed5f46cf8b06acbef2324b0f294051cc60be17239fb13abaa54411dfa472a88b20fa57748a60f12adf2cdb4f
SHA1 hash: 4f397e56fd9fcc37d8fef315e4949adb90ff8e17
MD5 hash: 141f2f0295414b069c74a1be852a05f1
humanhash: mirror-music-social-tango
File name:141F2F0295414B069C74A1BE852A05F1.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:2'590'372 bytes
First seen:2021-08-17 19:50:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9g1zPYCrGa7uHLbUlfL2hS2oXlBusU6qz0JJK/70x6ajn42BuLsJcyLUHJ:yxYCrGjjSB1y6hE/70AWnvwsJkJ
Threatray 1'393 similar samples on MalwareBazaar
TLSH T1FAC5335C6BDE91A7E1250D3F1A126210FE6487662063480C5BDFE62EFB6F1CD4A2D8F4
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
185.186.142.245:1778

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.186.142.245:1778 https://threatfox.abuse.ch/ioc/191733/
195.2.78.147:59722 https://threatfox.abuse.ch/ioc/191737/
http://116.203.127.162/ https://threatfox.abuse.ch/ioc/191740/

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180145/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Creating a file
Searching for the window
Connection attempt
Sending a custom TCP request
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Launching a process
Reading critical registry keys
Delayed reading of the file
Deleting a recently created file
Creating a window
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Replacing files
Creating a process with a hidden window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cafe9ba1-2a3c-4d98-b5d8-dab612fb5cb6
Result
Threat name:
Cryptbot RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834704
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467132 Sample: MWKXcZ2TYE.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 80 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->80 120 Malicious sample detected (through community Yara rule) 2->120 122 Antivirus detection for dropped file 2->122 124 Multi AV Scanner detection for dropped file 2->124 126 12 other signatures 2->126 12 MWKXcZ2TYE.exe 10 2->12         started        signatures3 process4 file5 68 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->68 dropped 15 setup_installer.exe 16 12->15         started        process6 file7 70 C:\Users\user\AppData\...\setup_install.exe, PE32 15->70 dropped 72 C:\Users\user\...\Sun02c9fa9e893321.exe, PE32 15->72 dropped 74 C:\Users\user\...\Sun02c15b5925e78ff89.exe, PE32 15->74 dropped 76 11 other files (4 malicious) 15->76 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 82 127.0.0.1 unknown unknown 18->82 128 Adds a directory exclusion to Windows Defender 18->128 22 cmd.exe 18->22         started        24 cmd.exe 1 18->24         started        26 cmd.exe 1 18->26         started        28 7 other processes 18->28 signatures10 process11 signatures12 31 Sun02c15b5925e78ff89.exe 22->31         started        36 Sun0210eeb3a99d13d.exe 1 14 24->36         started        38 Sun024d1be6a47f.exe 26->38         started        130 Adds a directory exclusion to Windows Defender 28->130 40 Sun02c9fa9e893321.exe 28->40         started        42 Sun029ff1fd15d.exe 2 28->42         started        44 Sun02bc50fece462.exe 28->44         started        46 3 other processes 28->46 process13 dnsIp14 84 185.233.185.134 YURTEH-ASUA Russian Federation 31->84 86 37.0.10.171 WKD-ASIE Netherlands 31->86 92 17 other IPs or domains 31->92 54 C:\Users\...\z3qLtiIAmatpty4F_PvyHTIZ.exe, PE32 31->54 dropped 56 C:\Users\...\yyjaukTeEpfi2S4F1YlxvxJ0.exe, PE32 31->56 dropped 58 C:\Users\...\tXDUuUJtPZx8HfqdMauViytP.exe, PE32 31->58 dropped 64 54 other files (44 malicious) 31->64 dropped 98 Drops PE files to the document folder of the user 31->98 100 Creates HTML files with .exe extension (expired dropper behavior) 31->100 102 Disable Windows Defender real time protection (registry) 31->102 94 4 other IPs or domains 36->94 60 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 36->60 dropped 62 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 36->62 dropped 104 Contains functionality to steal Chrome passwords or cookies 36->104 106 Drops PE files to the startup folder 36->106 88 185.215.113.15 WHOLESALECONNECTIONSNL Portugal 38->88 90 104.26.12.31 CLOUDFLARENETUS United States 38->90 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->108 110 Tries to steal Crypto Currency Wallets 38->110 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->112 114 Checks if the current machine is a virtual machine (disk enumeration) 40->114 116 Creates processes via WMI 42->116 48 Sun029ff1fd15d.exe 42->48         started        118 Tries to harvest and steal browser information (history, passwords, etc) 44->118 96 3 other IPs or domains 46->96 file15 signatures16 process17 dnsIp18 78 172.67.222.125 CLOUDFLARENETUS United States 48->78 66 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 48->66 dropped 52 conhost.exe 48->52         started        file19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-08-15 09:05:34 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbuzfwyhjccx4ezhd4mlkgp36k3pafv5rwa4h3uve6dn46mknwwq._file
Verdict:
malicious
Similar samples:
06d2ef3f80066d655c788069de3098105f6128e388e43baf73e2d9bf69365ce3
DiamondFox
1d76266267ca27570b9cfb6f2a84b80ef607e9450d475eabad2e630cfbd77b7e
DiamondFox
328e682510e9c0e0c37a7c8d347ecb4e7791a03b44962675a3f5f23d85250e08
DiamondFox
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
DiamondFox
41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff
DiamondFox
5f0caccb3ca599a30b5f298f9bb414fe721121c83b7bedc7c59ffe4128c96b61
DiamondFox
c5fc8453bf6cdd3e96740b1616ba2f6b359710ce2eb32f02faf8c0e299a0a057
DiamondFox
c7839db336f11c965ab8e6fbad1a6c757711a24362cc20d63d4ce37aef9b83b1
DiamondFox
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
DiamondFox
+ 1'383 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:vidar botnet:171b0ea0beebb33c2d9043b095edfe8ec188b323 botnet:706 botnet:first_7.5k botnet:sewpalpadin botnet:test1 aspackv2 backdoor discovery dropper evasion infostealer loader spyware stealer themida trojan
Link:
https://tria.ge/reports/210817-e2req4sh96/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
CryptBot
CryptBot Payload
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
lysoip68.top
morwaf06.top
185.215.113.15:61506
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.114:8887
45.14.49.200:27625
Unpacked files
SH256 hash:
9c47277ff3d5698263c12303316c58733acb586d61b4d0c8d84a841907cc7a88
MD5 hash:
58091fc33eb557bf2fa526005ca8b697
SHA1 hash:
aaea7b3219659a65ac118b1e9686df569a943b16
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
7a78703220a6965b5d24a7609a9f4532390068c040866885da7bdf7d65346136
MD5 hash:
c537a141a741e32beeefae77636ddde5
SHA1 hash:
6c292b2b1e043d9240e736bcdae96bb24bc45090
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
988786a63d8dc374576558bc86b59da0f2ca2dd4dc4b4c78a9517f7677632987
MD5 hash:
bb48e720f954fdd56fb3c10b136a8036
SHA1 hash:
581d37dd59dc69fac015baef30cfd6e65e2cc4d4
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
d98e2d510f3649d8879dab84a50e50619752b11f19a299256f0f74faf465de88
MD5 hash:
0f142215ff5820431352b8228f395f1b
SHA1 hash:
fb5732ae5325f17f6d27001b01837683d30ae0ed
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
ae75900d17e4f942ad311ff076eff728b8772607c2cc371cc6f5279eb9c908ba
MD5 hash:
55d0ad517e47c0db782ae46d288fd21a
SHA1 hash:
d7842333dea8c1374a36cbf5318aa2270033e874
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
a4fae2b3f2d8e90a618869cfbe0f334918420b63334f8d5c5096f9f7f42cf15f
MD5 hash:
0756478a16866d56de3f1f3aec68c10e
SHA1 hash:
d2ab5efa71d8d79e0534a413331a1245bd64e96e
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
b0967ff661cc89044bdd27a956c88dc2d2b94340c608c9eb7e7d87058d8665a1
MD5 hash:
06c55ec27e5408a4890fd322065bd938
SHA1 hash:
8a0bbaaf87ff23aca72f6c5546b5b2ee244a8634
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
600b5ed067f0465b8ba19708dd137225da391a96cacddff987d6751cb6e2e33a
MD5 hash:
eae52f3fd241bff9af3c1588b6c25287
SHA1 hash:
81a06454152231a275147f14f11c6d90b1687deb
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
887ee97eb32e4018dab48828c62e1920e2da2fef7c027624c34000ce4de26fea
MD5 hash:
2dec43b71b9307db08d6ea82f2eb5666
SHA1 hash:
fab2321e459f0ebd44ecf65f9c69eecad505ae5d
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
8ecb16f92bfd8147a1ecd15f0f972d35114a64e21cfac40ccd1e87444c8f9c93
MD5 hash:
bc12329e863984f493dd18d6184fd5e3
SHA1 hash:
0c2d9c7cdc28daa702f25274e018405a2484dcef
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
c09840a46b79836bc07bb0f54de3e63b7e4ed35e86b505b5657d6bbdb2101592
MD5 hash:
6475d29c2d7b0435d71ffd36d1f09f1d
SHA1 hash:
aa7824fb9694333eab75021fff80a58265e5f535
Detections:
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
Parent samples :
186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
SH256 hash:
7f4bdd50c3151cfb1c8d6867b6f0d170731e01664aa12ea596a3c8da73c25163
MD5 hash:
46317e6e4ae1ae85ab3bb07dfa4c118e
SHA1 hash:
136bb005965b0cce14e751fe9e040feb418061b1
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
424a7f50067fa06ed482b0cee8e389fee305929040e7cec89221be7dfaa5bd11
MD5 hash:
f8b04aba7795ac6886049ee0f0a8e225
SHA1 hash:
8b9a79cae504da1d50c3323165fb5096289e4db9
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
a0c20b904d94a1c4e09f1b4eb7aa8494e4273f7e888f0fbbe829912a43233552
MD5 hash:
8489b90446e685837e41ae1d3ce76eaf
SHA1 hash:
f49b7ec7ab43db997e760116339f34cd37adfe37
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
SH256 hash:
186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
MD5 hash:
141f2f0295414b069c74a1be852a05f1
SHA1 hash:
4f397e56fd9fcc37d8fef315e4949adb90ff8e17
Link:
https://www.unpac.me/results/e3a3bfd7-f055-4802-9192-5132e84bd600/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/186992db0748/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180145/

Comments