MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA3-384 hash: 4fb49c05648d404577404d5282e03f194f53a8e20e84af9db18dc0d144b6cee28dcb8bc1b553ccbf6d49d30a43f05181
SHA1 hash: 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
MD5 hash: 20f8196b6f36e4551d1254d3f8bcd829
humanhash: lactose-don-london-eight
File name:20F8196B6F36E4551D1254D3F8BCD829.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:1'028'608 bytes
First seen:2021-08-29 20:40:51 UTC
Last seen:2021-08-29 21:59:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d829f266aa146de717eb87c227ada96a (2 x DiamondFox, 2 x RaccoonStealer, 1 x Adware.FileTour)
ssdeep 12288:y6Mx93Pohy2krjuOmUORtyncxQRhJJzhoqgH5sB4dxHGYV:y6C5PYczORhQRh9B4dd
Threatray 73 similar samples on MalwareBazaar
TLSH T1EE257D10A3D85A26D6FE1370F0B4092946F5BE317B72E78F9644B4AD1E73BC298107A7
dhash icon f0d8b06969e0e8f0 (3 x DiamondFox, 2 x RaccoonStealer, 2 x RedLineStealer)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.252/ https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-08-29 01:14:17 UTC
Tags:
loader trojan rat redline stealer evasion opendir vidar danabot
Link:
https://app.any.run/tasks/991e1eaa-b9db-48b7-85ce-e2177d509cb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183307/
Detection(s):
SecuriteInfo.com.Variant.Zusy.398931.12389.26617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Creating a window
Delayed reading of the file
Searching for the window
Launching a process
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Connection attempt
Sending an HTTP GET request
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86743789-54b0-4f09-ad01-47b77336eaf2
Result
Threat name:
Glupteba Metasploit RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841123
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473551 Sample: mloklwllHo.exe Startdate: 29/08/2021 Architecture: WINDOWS Score: 100 62 staticimg.youtuuee.com 2->62 64 s.lletlee.com 2->64 66 3 other IPs or domains 2->66 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Antivirus detection for URL or domain 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 16 other signatures 2->86 9 mloklwllHo.exe 4 59 2->9         started        signatures3 process4 dnsIp5 74 privacytoolz123foryou.xyz 9->74 76 i.spesgrt.com 9->76 78 12 other IPs or domains 9->78 54 C:\Users\...\x43aBxjVAL9edJqz3z2ON4DB.exe, PE32 9->54 dropped 56 C:\Users\...\txXnqv6Z8zPbAGSP_gfioMFR.exe, PE32 9->56 dropped 58 C:\Users\...\tuxYSoiArjl8rc97tpLeGC5L.exe, PE32 9->58 dropped 60 38 other files (33 malicious) 9->60 dropped 94 Drops PE files to the document folder of the user 9->94 96 May check the online IP address of the machine 9->96 98 Performs DNS queries to domains with low reputation 9->98 100 Disable Windows Defender real time protection (registry) 9->100 14 tuxYSoiArjl8rc97tpLeGC5L.exe 9->14         started        17 txXnqv6Z8zPbAGSP_gfioMFR.exe 9->17         started        19 b7CvN3URrJF87Ced76Bu3kTW.exe 9->19         started        21 18 other processes 9->21 file6 signatures7 process8 dnsIp9 102 Contains functionality to inject code into remote processes 14->102 104 Injects a PE file into a foreign processes 14->104 25 tuxYSoiArjl8rc97tpLeGC5L.exe 14->25         started        106 Detected unpacking (changes PE section rights) 17->106 108 Query firmware table information (likely to detect VMs) 17->108 110 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->110 28 conhost.exe 17->28         started        112 Hides threads from debuggers 19->112 114 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->114 30 conhost.exe 19->30         started        68 ip-api.com 208.95.112.1 TUT-ASUS United States 21->68 70 94.140.112.35 TELEMACHBroadbandAccessCarrierServicesSI Latvia 21->70 72 17 other IPs or domains 21->72 46 C:\Users\user\AppData\...\mix3sourceh2[1].cfg, PE32 21->46 dropped 48 C:\Users\user\...\Dssdsdaw34k41y[1].exe, PE32 21->48 dropped 50 C:\...\PowerControl_Svc.exe, PE32 21->50 dropped 52 7 other files (3 malicious) 21->52 dropped 116 May check the online IP address of the machine 21->116 118 Performs DNS queries to domains with low reputation 21->118 120 Uses schtasks.exe or at.exe to add and modify task schedules 21->120 122 3 other signatures 21->122 32 schtasks.exe 21->32         started        34 schtasks.exe 21->34         started        36 conhost.exe 21->36         started        38 7 other processes 21->38 file10 signatures11 process12 signatures13 88 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->88 90 Maps a DLL or memory area into another process 25->90 92 Checks if the current machine is a virtual machine (disk enumeration) 25->92 40 explorer.exe 25->40 injected 42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 12:59:12 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dl2vmsnhggv3sxlr4lsjne5hxt4he4hlj6drfn2h67qeucrkgayq._file
Verdict:
suspicious
Similar samples:
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
DiamondFox
1cf6570844a3a440ad731d0c72ed9bd8369f2cfb44243a952942f91097767776
DiamondFox
2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0
DiamondFox
4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c
DiamondFox
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
DiamondFox
59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30
DiamondFox
ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77
DiamondFox
bda2b27d917dc919d2df7f2768a5d20f4f554e6f0eeb687f5ac45b53aecbb2f3
DiamondFox
f7a805b251505433e34517da69eccb73955a424bb9d9061309091cf52c07a349
DiamondFox
fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c
DiamondFox
+ 63 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:vidar botnet:292.08 botnet:norman backdoor discovery dropper evasion infostealer loader stealer themida trojan
Link:
https://tria.ge/reports/210829-rckjycz6d2/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
45.14.49.184:25321
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
95.181.152.47:15089
Unpacked files
SH256 hash:
1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
MD5 hash:
20f8196b6f36e4551d1254d3f8bcd829
SHA1 hash:
8932669b409dbd2abe2039d0c1a07f71d3e61ecd
Link:
https://www.unpac.me/results/f00f6412-981d-4757-adc8-37da0780bb5b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1af55649a731/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183307/

Comments