MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a124399503b90835f8bfc8ae80762e54a0c41d316bdd09b489a9c0b555da162. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox

Vendor detections: 10

SHA256 hash: 2a124399503b90835f8bfc8ae80762e54a0c41d316bdd09b489a9c0b555da162
SHA3-384 hash: 6e9affcf34d5dc20d1cb6d5c732f717c7ed91bacd1b1faa8985be9097b132e3a3bd1cbfa6673c2a26958a91638dac38b
SHA1 hash: e8ef6dbacee6e39b708066b5c2b01b0fb50d6060
MD5 hash: a82fed68de2e792442d82f90b4e48e01
humanhash: nevada-skylark-don-missouri
File name: a82fed68de2e792442d82f90b4e48e01.exe
Signature: DiamondFox
File size: 1'085'688 bytes
First seen: 2021-06-22 13:31:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1dd9e0c90802c146c30db4b322f2aa9e (1 x RedLineStealer, 1 x Adware.FileTour, 1 x DiamondFox)
ssdeep: 24576:+Jeo26y1eqAyY6fNC1TORUFwqmS4q9skwfTnRtlPk3:O92NC1TO0dmS4r/Rtlc
Threatray: 64 similar samples on MalwareBazaar
TLSH: 3B35E041FE8294F3E1A220F451F6AB365D7A653147109AD3D3C45AF54A203F0AB3B7AE
Reporter: abuse_ch
Tags: DiamondFox exe

abuse_ch
DiamondFox C2:
http://cypwua22.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://cypwua22.top/index.php    https://threatfox.abuse.ch/ioc/139823/
http://morutv02.top/index.php    https://threatfox.abuse.ch/ioc/139824/

Intelligence

File Origin
# of uploads: 1
# of downloads: 117
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a82fed68de2e792442d82f90b4e48e01.exe
Verdict: Malicious activity
Analysis date: 2021-06-22 13:33:35 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature:
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Behavior Graph ID: 438389
Sample: IgihksXfN4.exe
Start date: 22/06/2021
Architecture: WINDOWS
Score: 68
Process tree (reconstructed from the graph):
  IgihksXfN4.exe  [Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file]
    dropped: C:\Users\user\AppData\Local\Temp\Setup.exe (PE32)
    Setup.exe  [Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender]
      cmd.exe  [Adds a directory exclusion to Windows Defender]
        powershell.exe
        conhost.exe
      cmd.exe
        conhost.exe
        powershell.exe
      cmd.exe
        powershell.exe
        conhost.exe
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-06-17 08:42:46 UTC
AV detection: 28 of 46 (60.87%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:vidar infostealer persistence stealer vmprotect
Behaviour
Delays execution with timeout.exe
GoLang User-Agent
Kills process with taskkill
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
autoit_exe
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
RedLine
Vidar
Unpacked files
SHA256 hash: b42078e78c2d39ae26db6c432918e6584716e4ee6380c9133099438ac02f0322
MD5 hash: a3b9057bf62950a25d4cc83b31a282b8
SHA1 hash: 2238b646b9792787b4a07354d4c6a0dbaaf31a30
SHA256 hash: 2a124399503b90835f8bfc8ae80762e54a0c41d316bdd09b489a9c0b555da162
MD5 hash: a82fed68de2e792442d82f90b4e48e01
SHA1 hash: e8ef6dbacee6e39b708066b5c2b01b0fb50d6060
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments