MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2120d92e96ad3e11b8e35cd6cf867e95c31b64d4d4e43c661560b6ab281bd306. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2120d92e96ad3e11b8e35cd6cf867e95c31b64d4d4e43c661560b6ab281bd306
SHA3-384 hash: 9995ed560083980d7cb46c66271d28f8e73221cbca35b1b70532b153b7afb5a000782c6143ef89cd8fcb64afc4d456ae
SHA1 hash: ae4ee80e9d7c315b66fc3e4f62d9ae1d25463ccc
MD5 hash: 4cc2560de1b2a15d3c8b8580154154af
humanhash: twelve-kitten-alanine-missouri
File name:2120D92E96AD3E11B8E35CD6CF867E95C31B64D4D4E43.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:2'548'449 bytes
First seen:2021-08-29 23:35:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:EgBNMZwos3cWf3pyjfoQbdBXPUKwXGEOBRT2Os3ch1MVje8bSO:JBNz7f3UxtsKc5soZe83
Threatray 439 similar samples on MalwareBazaar
TLSH T19CC533240EC0DDA3E5A5583687271EA4F2F4B974A875023BC3B5E59AF446BF2CCB1528
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.252/ https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183335/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Malware.Jaik-9878603-0
Create hunting rule

Win.Packed.SmokeLoader-9880490-1
Create hunting rule

Win.Malware.Zenlod-9882704-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Moving a recently created file
Connection attempt
Sending a custom TCP request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4af2a40-b644-4cfd-b236-43302c8c124c
Result
Threat name:
Backstage Stealer SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841154
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Backstage Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473585 Sample: 2120D92E96AD3E11B8E35CD6CF8... Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 103 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->103 105 google.vrthcobj.com 2->105 151 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->151 153 Antivirus detection for URL or domain 2->153 155 Multi AV Scanner detection for dropped file 2->155 157 11 other signatures 2->157 12 2120D92E96AD3E11B8E35CD6CF867E95C31B64D4D4E43.exe 10 2->12         started        signatures3 process4 file5 81 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->81 dropped 15 setup_installer.exe 14 12->15         started        process6 file7 83 C:\Users\user\AppData\...\setup_install.exe, PE32 15->83 dropped 85 C:\Users\user\AppData\Local\...\sahiba_2.txt, PE32 15->85 dropped 87 C:\Users\user\AppData\Local\...\sahiba_6.txt, PE32+ 15->87 dropped 89 9 other files (none is malicious) 15->89 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 107 razino.xyz 192.64.119.193, 49706, 80 NAMECHEAP-NETUS United States 18->107 109 127.0.0.1 unknown unknown 18->109 73 C:\Users\user\AppData\...\sahiba_6.exe (copy), PE32+ 18->73 dropped 75 C:\Users\user\AppData\...\sahiba_5.exe (copy), PE32 18->75 dropped 77 C:\Users\user\AppData\...\sahiba_2.exe (copy), PE32 18->77 dropped 79 3 other files (1 malicious) 18->79 dropped 159 Detected unpacking (changes PE section rights) 18->159 161 Performs DNS queries to domains with low reputation 18->161 23 cmd.exe 1 18->23         started        25 cmd.exe 1 18->25         started        27 cmd.exe 1 18->27         started        29 5 other processes 18->29 file10 signatures11 process12 process13 31 sahiba_5.exe 4 55 23->31         started        36 sahiba_2.exe 1 25->36         started        38 sahiba_6.exe 27->38         started        40 sahiba_1.exe 2 29->40         started        42 sahiba_4.exe 14 2 29->42         started        44 sahiba_3.exe 12 29->44         started        dnsIp14 117 136.144.41.201 WORLDSTREAMNL Netherlands 31->117 119 37.0.10.214 WKD-ASIE Netherlands 31->119 125 11 other IPs or domains 31->125 55 C:\Users\...\wclSunxQBi2Z5deCaGCD17qX.exe, PE32 31->55 dropped 57 C:\Users\...\wJmc3MtZbNNkCFv_w4Bd0d67.exe, PE32 31->57 dropped 59 C:\Users\...\upKkbBpnE42kUO_utJnbtODU.exe, PE32 31->59 dropped 71 37 other files (33 malicious) 31->71 dropped 135 Drops PE files to the document folder of the user 31->135 137 May check the online IP address of the machine 31->137 139 Disable Windows Defender real time protection (registry) 31->139 61 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 36->61 dropped 141 DLL reload attack detected 36->141 143 Detected unpacking (changes PE section rights) 36->143 145 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->145 149 4 other signatures 36->149 46 explorer.exe 36->46 injected 121 ip-api.com 208.95.112.1, 49712, 80 TUT-ASUS United States 38->121 127 3 other IPs or domains 38->127 63 C:\Users\user\Pictures\background.png, DOS 38->63 dropped 65 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 38->65 dropped 67 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 38->67 dropped 69 C:\Users\user\AppData\...\aaa_v003[1].dll, DOS 38->69 dropped 147 Creates processes via WMI 40->147 51 sahiba_1.exe 40->51         started        129 2 other IPs or domains 42->129 123 sslamlssa1.tumblr.com 74.114.154.18, 443, 49711 AUTOMATTICUS Canada 44->123 file15 signatures16 process17 dnsIp18 111 193.142.59.152 HOSTSLICK-GERMANYNL Netherlands 46->111 113 95.181.163.88 RACKTECHRU Russian Federation 46->113 115 2 other IPs or domains 46->115 91 C:\Users\user\AppData\Roaming\ivhchtt, PE32 46->91 dropped 93 C:\Users\user\AppData\Local\Temp8A1.exe, PE32 46->93 dropped 95 C:\Users\user\AppData\Local\Temp\A27E.exe, PE32 46->95 dropped 131 System process connects to network (likely due to code injection or exploit) 46->131 133 Hides that the sample has been downloaded from the Internet (zone.identifier) 46->133 97 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 51->97 dropped 99 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 51->99 dropped 101 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 51->101 dropped 53 conhost.exe 51->53         started        file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2120d92e96ad3e11b8e35cd6cf867e95c31b64d4d4e43c661560b6ab281bd306/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 09:38:57 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eeqnsluwvu7bdohdltlm7bt6sxbrwzgu2tsdyzqvmc3kwka32mda._file
Verdict:
unknown
Similar samples:
208660089575dbef9e473ae2b2556e5492e8739376d39e1f5575ca65d33892f7
DiamondFox
2aafe51ed875d14265117e71337eaf72d2d22f8055ad43356062efbde0eb6f4a
DiamondFox
4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8
DiamondFox
5d10fa7657f41f17d508c1dbb3f63b5b2ad6deea2f47e747b118345a56ab6cdc
DiamondFox
a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2
DiamondFox
+ 429 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:smokeloader family:vidar botnet:933 botnet:hello botnet:norman aspackv2 backdoor evasion infostealer stealer suricata themida trojan
Link:
https://tria.ge/reports/210829-yt1ygmyt4x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Amadey
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
https://sslamlssa1.tumblr.com/
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
80.66.87.33:36976
45.14.49.184:25321
185.215.113.206/k8FppT/index.php
Unpacked files
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
89a0227ef833a2742f7dd46be36e61b178a8b47846fd3cf557c8b9991b7cfb67
MD5 hash:
55bf2bbdd87ec3ac709c6a247f4a28b4
SHA1 hash:
6df7d9af3a7b2da1c91aff955a4c5aadbe2d13cb
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
Parent samples :
5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
SH256 hash:
5268cca4349b3545dab2b081382f4bc9be611409ad66ff930513a988b50ef4f7
MD5 hash:
a35ea53d4d3c3fa3c8a8280fd3337e3c
SHA1 hash:
56b39a7e7e88c61cba4061f374c4318aa3ab6374
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
MD5 hash:
6765fe4e4be8c4daf3763706a58f42d0
SHA1 hash:
cebb504bfc3097a95d40016f01123b275c97d58c
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
c74c9c2d40c80354085dbf23e04f6ec921771ed2c79219ab6b111d4548cab8ee
MD5 hash:
252c22d80beca6eebb74d8f82deee613
SHA1 hash:
9694378d34d187071fb120f5dc275754c107eefe
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9
MD5 hash:
ec149486075982428b9d394c1a5375fd
SHA1 hash:
63c94ed4abc8aff9001293045bc4d8ce549a47b8
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
Parent samples :
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
SH256 hash:
58fdbc7fa5dcb065ead1482f645206112070142a161eea5a56699759c8ae1a37
MD5 hash:
a84db0371ae7ba4a77b2e66d4935359b
SHA1 hash:
5dd7e46895061f4ba2fbd8c37f6df24e448bae35
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
ccbd4ecbfe57a3a12e19a5f5b1b3010343738697a3e8319c74baf32d9eb2ae42
MD5 hash:
0fda74703d61cf10820c1250611dc835
SHA1 hash:
7f0f95f18b623d4670d0786766c086ad22c78f1a
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
SH256 hash:
2120d92e96ad3e11b8e35cd6cf867e95c31b64d4d4e43c661560b6ab281bd306
MD5 hash:
4cc2560de1b2a15d3c8b8580154154af
SHA1 hash:
ae4ee80e9d7c315b66fc3e4f62d9ae1d25463ccc
Link:
https://www.unpac.me/results/14f0aee1-80ac-4554-9f34-bafa769ce065/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2120d92e96ad3e11b8e35cd6cf867e95c31b64d4d4e43c661560b6ab281bd306

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183335/

Comments