MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
SHA3-384 hash: c7aa5d9a71649969c75869e186ee8458da8f39f1561b2d470e9e12ac5316406c461775195f4110aa961a6e4c9720b5dc
SHA1 hash: 1827fabd646f12bef405fef65f5078c4c8809f68
MD5 hash: f50136c9ca26451e33d5b1d09890dad5
humanhash: music-muppet-quiet-neptune
File name:F50136C9CA26451E33D5B1D09890DAD5.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:642'560 bytes
First seen:2021-09-03 08:16:56 UTC
Last seen:2021-09-03 09:35:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b90ad0d3d7218730afbb0fdc6bdf7ab (2 x DiamondFox)
ssdeep 12288:45FsvCOXAATyffl8gBuDPj6dKw6VafLxVFFDTSVvkVixVVtY7+MSC1ml3dojnGRq:4bs6OwCifdKw6VafLxVFFDTSVvkVixV6
Threatray 127 similar samples on MalwareBazaar
TLSH T10AD47D15B344769ACC7215308951D0E5152BBE39662197B3B7E47F3EEE3E4C38A30AA3
dhash icon c0e09e94b494fe1e (2 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://94.158.245.24/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.24/ https://threatfox.abuse.ch/ioc/215080/

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F50136C9CA26451E33D5B1D09890DAD5.exe
Verdict:
No threats detected
Analysis date:
2021-09-03 08:19:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3b5bf592-15a6-47fa-91cd-dd1c608393eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185074/
Detection(s):
SecuriteInfo.com.Variant.Zusy.398335.2889.7405.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Launching a process
Delayed reading of the file
Creating a file in the Program Files subdirectories
Searching for analyzing tools
Moving a file to the Program Files subdirectory
Running batch commands
Connection attempt to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26925ad0-268b-4e2b-ada9-bd16dff2078f
Result
Threat name:
Vidar Glupteba Metasploit RedLine SmokeL
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844638
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected Info Stealer Vidar
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477065 Sample: OrTzQl1ZBa.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 69 142.250.203.110 GOOGLEUS United States 2->69 71 142.250.203.97 GOOGLEUS United States 2->71 73 4 other IPs or domains 2->73 81 Antivirus detection for URL or domain 2->81 83 Antivirus detection for dropped file 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 15 other signatures 2->87 8 OrTzQl1ZBa.exe 4 62 2->8         started        signatures3 process4 dnsIp5 75 37.0.10.214 WKD-ASIE Netherlands 8->75 77 37.0.10.237 WKD-ASIE Netherlands 8->77 79 12 other IPs or domains 8->79 33 C:\Users\...\xqDNRFg3mtQLZ3_HOtmrAYS6.exe, PE32 8->33 dropped 35 C:\Users\...\xEqKQTEG5yeWKMXKrhnfhkwk.exe, PE32+ 8->35 dropped 37 C:\Users\...\m6xcZDT_3Empi6gpg1NjlchM.exe, PE32 8->37 dropped 39 40 other files (27 malicious) 8->39 dropped 95 Drops PE files to the document folder of the user 8->95 97 Creates HTML files with .exe extension (expired dropper behavior) 8->97 99 Disable Windows Defender real time protection (registry) 8->99 13 0AyRgi1EyCaFamB92Jjh3MXa.exe 8->13         started        17 xqDNRFg3mtQLZ3_HOtmrAYS6.exe 67 8->17         started        20 gN2nBavNiedtOxvsRClaFK8T.exe 8->20         started        22 19 other processes 8->22 file6 signatures7 process8 dnsIp9 41 C:\ProgramData\...\screenshot.jpg, JPEG 13->41 dropped 43 C:\ProgramData\...\information.txt, ISO-8859 13->43 dropped 53 9 other files (none is malicious) 13->53 dropped 101 Detected unpacking (changes PE section rights) 13->101 103 Detected Info Stealer Vidar 13->103 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->105 107 Tries to harvest and steal browser information (history, passwords, etc) 13->107 59 49.12.198.69 HETZNER-ASDE Germany 17->59 61 74.114.154.18 AUTOMATTICUS Canada 17->61 45 C:\ProgramData\...\screenshot.jpg, JPEG 17->45 dropped 55 5 other files (1 malicious) 17->55 dropped 109 Tries to steal Crypto Currency Wallets 17->109 111 Query firmware table information (likely to detect VMs) 20->111 113 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->113 115 Hides threads from debuggers 20->115 117 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->117 63 208.95.112.1 TUT-ASUS United States 22->63 65 149.154.167.99 TELEGRAMRU United Kingdom 22->65 67 3 other IPs or domains 22->67 47 C:\Users\...\J77cmUgJX0OQi4nZtiqUPG2L.exe, PE32 22->47 dropped 49 C:\...\PowerControl_Svc.exe, PE32 22->49 dropped 51 C:\Program Files (x86)\...\md8_8eus.exe, PE32 22->51 dropped 57 6 other files (2 malicious) 22->57 dropped 119 Drops PE files to the document folder of the user 22->119 121 Sample uses process hollowing technique 22->121 123 Injects a PE file into a foreign processes 22->123 24 OeuXiURXVAvRZmvpOau4Uxx5.exe 22->24         started        27 conhost.exe 22->27         started        29 conhost.exe 22->29         started        31 2 other processes 22->31 file10 signatures11 process12 signatures13 89 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 24->89 91 Maps a DLL or memory area into another process 24->91 93 Checks if the current machine is a virtual machine (disk enumeration) 24->93
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324/
Threat name:
Win32.Infostealer.Tepfer
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 01:22:39 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f73xqfx2nopc7w6ggdqguab3beri6omip6g75j7yaigzgrv5emsa._file
Verdict:
malicious
Similar samples:
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
DiamondFox
1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
DiamondFox
1cf6570844a3a440ad731d0c72ed9bd8369f2cfb44243a952942f91097767776
DiamondFox
2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0
DiamondFox
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
DiamondFox
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
DiamondFox
9453ddc4bebb87a937e3d53d38c56814907b2862496142ccdb568f48caf2d467
DiamondFox
ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77
DiamondFox
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
DiamondFox
fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c
DiamondFox
+ 117 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:02_09_fat botnet:1 botnet:937 botnet:norman3 botnet:test backdoor evasion infostealer stealer themida trojan
Link:
https://tria.ge/reports/210903-j6q3cacgd8/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
185.215.113.104:18754
45.14.49.184:28743
37.0.8.88:44263
https://romkaxarit.tumblr.com/
45.14.49.169:22411
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Unpacked files
SH256 hash:
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
MD5 hash:
f50136c9ca26451e33d5b1d09890dad5
SHA1 hash:
1827fabd646f12bef405fef65f5078c4c8809f68
Link:
https://www.unpac.me/results/e5ca57c7-7de3-4b9f-bbaf-86eea4a22b6b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2ff77816fa6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185074/

Comments