MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea
SHA3-384 hash: 7763970bc78202a12e1afd974c9366842b42b01417c105fc0d4d27e4429bfe0a75e6bc224bf5aa695c9f87c1e5505e06
SHA1 hash: a6711c9fffe5f192d9e01445ad261ef74b601cfc
MD5 hash: e4af1c73101f2ab9f89d04a11986c58a
humanhash: mountain-charlie-hot-chicken
File name:E4AF1C73101F2AB9F89D04A11986C58A.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:2'972'527 bytes
First seen:2021-09-06 17:00:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcB7EwJ84vLRaBtIl9mVUycpVTI1+ZjnN4zXH9kGhTeUUP07If+cgDU8e:xRCvLUBsgKxI1wjAXZaUUPEIf+fU8e
Threatray 508 similar samples on MalwareBazaar
TLSH T143D5333579CA8DF5E7811932C91D2F7299F6838C0F3205876758860E0E2D9B5A63B89F
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
5.45.83.127:1203

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.45.83.127:1203 https://threatfox.abuse.ch/ioc/216209/
http://45.142.215.237/ https://threatfox.abuse.ch/ioc/216755/

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E4AF1C73101F2AB9F89D04A11986C58A.exe
Verdict:
No threats detected
Analysis date:
2021-09-06 17:02:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/355bb59a-c84b-45c8-81be-4fdb640f2924

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185696/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Deleting a recently created file
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% directory
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b24f30d-0b73-4c65-84cd-c1fe9e2d2d64
Result
Threat name:
BitCoin Miner Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846083
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to steal Chrome passwords or cookies
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected BitCoin Miner
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478514 Sample: Bxs1wBHcNS.exe Startdate: 06/09/2021 Architecture: WINDOWS Score: 100 99 46.8.29.181 TEAM-HOSTASRU Russian Federation 2->99 101 172.67.193.86 CLOUDFLARENETUS United States 2->101 103 2 other IPs or domains 2->103 151 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->151 153 Antivirus detection for URL or domain 2->153 155 Antivirus detection for dropped file 2->155 157 13 other signatures 2->157 10 Bxs1wBHcNS.exe 15 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 2->16         started        signatures3 process4 dnsIp5 91 C:\Users\user\AppData\...\setup_install.exe, PE32 10->91 dropped 93 C:\Users\user\...\Mon11f31841cdad6d9.exe, PE32 10->93 dropped 95 C:\Users\user\...\Mon11da3a74a605c9d5d.exe, PE32+ 10->95 dropped 97 10 other files (5 malicious) 10->97 dropped 18 setup_install.exe 1 10->18         started        113 23.211.4.86 AKAMAI-ASUS United States 13->113 file6 process7 dnsIp8 105 hsiens.xyz 172.67.142.91, 49712, 80 CLOUDFLARENETUS United States 18->105 107 127.0.0.1 unknown unknown 18->107 159 Performs DNS queries to domains with low reputation 18->159 161 Adds a directory exclusion to Windows Defender 18->161 22 cmd.exe 18->22         started        24 cmd.exe 1 18->24         started        26 cmd.exe 1 18->26         started        28 6 other processes 18->28 signatures9 process10 signatures11 31 Mon1191c1dd6b4bf8a8.exe 22->31         started        36 Mon117bbc055965aa.exe 24->36         started        38 Mon11da3a74a605c9d5d.exe 1 26->38         started        163 Adds a directory exclusion to Windows Defender 28->163 40 Mon11abd984387abd.exe 28->40         started        42 Mon114a960f05f64d8.exe 2 28->42         started        44 Mon11683f2e7644c1b4f.exe 3 28->44         started        46 2 other processes 28->46 process12 dnsIp13 115 cdn.discordapp.com 162.159.133.233, 443, 49715 CLOUDFLARENETUS United States 31->115 61 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 31->61 dropped 129 Antivirus detection for dropped file 31->129 131 Multi AV Scanner detection for dropped file 31->131 133 Machine Learning detection for dropped file 31->133 48 LzmwAqmV.exe 31->48         started        123 3 other IPs or domains 36->123 63 C:\Users\user\AppData\Roaming\5431477.exe, PE32 36->63 dropped 65 C:\Users\user\AppData\Roaming\7668822.exe, PE32 36->65 dropped 67 C:\Users\user\AppData\Roaming\5025734.exe, PE32 36->67 dropped 73 2 other files (none is malicious) 36->73 dropped 135 Performs DNS queries to domains with low reputation 36->135 52 5431477.exe 36->52         started        54 4908357.exe 36->54         started        125 3 other IPs or domains 38->125 137 May check the online IP address of the machine 38->137 139 Contains functionality to steal Chrome passwords or cookies 38->139 117 37.0.10.214, 49717, 80 WKD-ASIE Netherlands 40->117 127 3 other IPs or domains 40->127 141 Disable Windows Defender real time protection (registry) 40->141 69 C:\Users\user\...\Mon114a960f05f64d8.tmp, PE32 42->69 dropped 56 Mon114a960f05f64d8.tmp 42->56         started        119 a.goatgame.co 104.21.79.144, 443, 49706 CLOUDFLARENETUS United States 44->119 71 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 44->71 dropped 143 Creates processes via WMI 44->143 121 74.114.154.18 AUTOMATTICUS Canada 46->121 59 WerFault.exe 46->59         started        file14 signatures15 process16 dnsIp17 75 C:\Users\user\AppData\Local\...\chrome5.exe, PE32+ 48->75 dropped 77 C:\Users\user\AppData\Local\...\Pubdate.exe, PE32 48->77 dropped 79 C:\Users\user\AppData\...\PBrowFile594.exe, PE32 48->79 dropped 89 6 other files (3 malicious) 48->89 dropped 145 Machine Learning detection for dropped file 48->145 147 Detected unpacking (changes PE section rights) 52->147 149 Tries to harvest and steal browser information (history, passwords, etc) 52->149 81 C:\Users\user\AppData\...\WinHoster.exe, PE32 54->81 dropped 109 the-flash-man.com 56->109 111 best-link-app.com 56->111 83 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 56->83 dropped 85 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 56->85 dropped 87 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 56->87 dropped file18 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 19:11:00 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eebvhywgq6t6d2kebdfcpt2z7o7mirev25nd4rtk4uukdiz2kpva._file
Verdict:
malicious
Similar samples:
051c5d064ba3816e2eb061b2f1b96c8bf3609b038831464596c3a8436d3415eb
DiamondFox
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
DiamondFox
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
DiamondFox
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
DiamondFox
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
DiamondFox
45c04168fe1e27939f2e08c178279d8c1aca5eba4ed8f6a717eb70b966cc5617
DiamondFox
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
DiamondFox
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
DiamondFox
bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
DiamondFox
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
DiamondFox
+ 498 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:706 botnet:921 aspackv2 evasion infostealer stealer themida trojan
Link:
https://tria.ge/reports/210906-vjkslaeecm/
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Vidar
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
5050bc56c683a4dbfda08b43d68973961458fd712164c3792d060153c2bd7027
MD5 hash:
f9210936145be5d696c5c80f8f464a58
SHA1 hash:
4647f8be74272b9a6d6d039fc6bb68aca0c8b49c
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
ae25cb941f3026c1da3db95f689d4dc493580c5900adcb856e62ece1fc591598
MD5 hash:
e7d138a960df98a500620432b4d32cc0
SHA1 hash:
b03ed11d72da94a70dd0a35cf0fa5dff2ea248e0
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
917b3371f26fb81b3d322279e6763b556cf54b0fa6e24a5a56a797b43d8ea63f
MD5 hash:
6de78ce38f2105301aba51d4b729a647
SHA1 hash:
8d7038ad88f88ca4902215ca16e8217109caaf7d
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
ad79f67a23d19c2e2f311dce18c6ca955109f78f2d2ecc57df442e042000d95b
MD5 hash:
3ffd447da24ab9489318cfc74f075544
SHA1 hash:
85245383ecb05366d5b595f43532b2360068f856
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
85c0574b48df124cb351cf102246e547a82619fbf7521d0bc515828b480aeb49
MD5 hash:
5dbebf819f64fc4691f2168c520160ea
SHA1 hash:
74d9e9ad214b51e6ffefb661b31f3f1c592867c1
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
7df0b5b088a31bdc67ec27021db2d5989d6fc94b687a8c9ca2e99d37d48bcf7c
MD5 hash:
73b349cee038050c112cb9baade84a05
SHA1 hash:
6efb55d022314386d28dd1d3fa03d475f0ddf3fc
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
9f49d2110ce857ad6bc5a59870ee37d02651dd381820320827a7477082836f3e
MD5 hash:
aba80c623dd45ad9f26e1474cece96af
SHA1 hash:
462562d51999490104300abd8999d25c03f359c7
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
e89feb1cd1ca3f04626fdc3b2c43443992bcb83376c0efe56d02715c42e09ff5
MD5 hash:
2e10ed25410867adbcf1695bae8b7f8e
SHA1 hash:
5fb71e01f4fa2de3c90f147de93968520b0b06ff
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
b0a3afe38bb9675806cd710cda0c307ed2dace76e9d44c814d4d54b27a2a6187
MD5 hash:
92f19718f8b649621ea5f35f201598d9
SHA1 hash:
bbdfbba17531a71ee2cbd2c40c2f452e58fcd9c3
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
b5dc48b57e2e849e4752eaac97379db3875a1169dfbb4ce34a8e7e7847e5c5b2
MD5 hash:
2be8c243944aa74d8cfa4005407dc1d4
SHA1 hash:
082df90a919f43075f44fb82557a82819504c6cf
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
d39f6979087992809656adb9c34dee575c3bcda37823754257d7701cd8e601ea
MD5 hash:
72c1d9f65d37a0f1a94b7f5abaa5cf6a
SHA1 hash:
efeb84cf76481ab83250cc4f0f0bd573afc875e5
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
SH256 hash:
210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea
MD5 hash:
e4af1c73101f2ab9f89d04a11986c58a
SHA1 hash:
a6711c9fffe5f192d9e01445ad261ef74b601cfc
Link:
https://www.unpac.me/results/86449bd1-d7da-46af-a169-1dd591146ea5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/210353e2c687/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/210353e2c687a7e1e94408ca27cf59fbbec44495d75a3e466ae528a1a33a53ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185696/

Comments