MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3549672c8de23efbeec55aeef7925d4bf778b4683252084e04c7ceb6a50b9393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3549672c8de23efbeec55aeef7925d4bf778b4683252084e04c7ceb6a50b9393
SHA3-384 hash: a2369ccd4a4c23adcb0eb24f1cee81bc6b2416f88a2c49ead3d5dc393c313796ad401816b3c9ebbf1909bef577ce41ef
SHA1 hash: d150c401bec51556ccce1cbd3ec286a3cd529e62
MD5 hash: a702ea4d44b0cd2e341503175f84b0d2
humanhash: nitrogen-vermont-lake-beryllium
File name:a702ea4d44b0cd2e341503175f84b0d2.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:4'913'079 bytes
First seen:2021-08-31 16:41:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xDCvLUBsgh8CP7qLdpIyyFPLvnRpzrtR7v7+LliHHtJA9vqI0:x4LUCgK/LHIyyRLnv5BylUA930
Threatray 451 similar samples on MalwareBazaar
TLSH T1253633787610C4F6CFC41130AD08AFB7D9E986EC0A318CDF6BD28936CE2E8A75525D19
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://5.181.156.120/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.120/ https://threatfox.abuse.ch/ioc/203162/

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184264/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39885486-54aa-482f-bab3-819ef9922898
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842823
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 475254 Sample: NfKSHsfT14.exe Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 86 13.107.4.50 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->86 88 194.145.227.161 CLOUDPITDE Ukraine 2->88 90 6 other IPs or domains 2->90 130 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->130 132 Antivirus detection for URL or domain 2->132 134 Multi AV Scanner detection for dropped file 2->134 136 9 other signatures 2->136 10 NfKSHsfT14.exe 17 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 1 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 file5 66 C:\Users\user\AppData\...\setup_install.exe, PE32 10->66 dropped 68 C:\Users\user\...\Sun04f8908acf578.exe, PE32 10->68 dropped 70 C:\Users\user\...\Sun04e81dddd5eaae.exe, PE32 10->70 dropped 72 12 other files (6 malicious) 10->72 dropped 19 setup_install.exe 1 10->19         started        23 WerFault.exe 13->23         started        process6 dnsIp7 92 sornx.xyz 104.21.43.244, 49721, 80 CLOUDFLARENETUS United States 19->92 94 127.0.0.1 unknown unknown 19->94 140 Performs DNS queries to domains with low reputation 19->140 142 Adds a directory exclusion to Windows Defender 19->142 25 cmd.exe 1 19->25         started        27 cmd.exe 1 19->27         started        29 cmd.exe 1 19->29         started        31 8 other processes 19->31 signatures8 process9 signatures10 34 Sun04e81dddd5eaae.exe 25->34         started        37 Sun049c61917c72f.exe 1 27->37         started        40 Sun04f8908acf578.exe 29->40         started        144 Adds a directory exclusion to Windows Defender 31->144 42 Sun044ca98cbaadf1bb.exe 3 31->42         started        45 Sun040d8629d0.exe 31->45         started        47 Sun0428506817.exe 2 31->47         started        49 4 other processes 31->49 process11 dnsIp12 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 34->112 114 Maps a DLL or memory area into another process 34->114 116 Checks if the current machine is a virtual machine (disk enumeration) 34->116 51 explorer.exe 34->51 injected 104 3 other IPs or domains 37->104 118 Multi AV Scanner detection for dropped file 37->118 120 May check the online IP address of the machine 37->120 122 Tries to harvest and steal browser information (history, passwords, etc) 37->122 96 37.0.10.214, 49723, 80 WKD-ASIE Netherlands 40->96 98 37.0.10.237, 49724, 80 WKD-ASIE Netherlands 40->98 106 2 other IPs or domains 40->106 124 Disable Windows Defender real time protection (registry) 40->124 100 a.goatgame.co 104.21.79.144, 443, 49714 CLOUDFLARENETUS United States 42->100 74 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 42->74 dropped 126 Creates processes via WMI 42->126 108 2 other IPs or domains 45->108 128 Detected unpacking (changes PE section rights) 45->128 76 C:\Users\user\AppData\...\Sun0428506817.tmp, PE32 47->76 dropped 54 Sun0428506817.tmp 47->54         started        102 74.114.154.22 AUTOMATTICUS Canada 49->102 78 C:\Users\user\AppData\Local\Temp\2.exe, PE32 49->78 dropped 80 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 49->80 dropped 82 C:\Users\user\AppData\...\jzhang-game.exe, PE32 49->82 dropped 84 6 other files (none is malicious) 49->84 dropped file13 signatures14 process15 dnsIp16 138 Hides that the sample has been downloaded from the Internet (zone.identifier) 51->138 110 the-flash-man.com 66.29.142.79, 49725, 80 ADVANTAGECOMUS United States 54->110 58 C:\Users\user\AppData\Local\...\zab2our.exe, PE32 54->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 54->60 dropped 62 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 54->62 dropped 64 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 54->64 dropped file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3549672c8de23efbeec55aeef7925d4bf778b4683252084e04c7ceb6a50b9393/
Threat name:
Win32.Trojan.Ditertag
Create hunting rule
Status:
Malicious
First seen:
2021-08-29 06:36:17 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gvewolen4i7px3wfllxppes5jp3xrndigjjaqtqey7hlnjilsojq._file
Verdict:
unknown
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
DiamondFox
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
DiamondFox
186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
DiamondFox
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
DiamondFox
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
DiamondFox
568b3a7273ccbb1436e42dd90f0541d7dc0da2a97944381ad0b31d7d437c4908
DiamondFox
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
DiamondFox
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
DiamondFox
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
DiamondFox
bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
DiamondFox
+ 441 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:smokeloader family:vidar botnet:10c753321b3ff323727f510579572aa4c5ea00cb botnet:706 aspackv2 backdoor discovery dropper evasion loader persistence stealer suricata themida trojan
Link:
https://tria.ge/reports/210831-faggt72rz6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Sets DLL path for service in the registry
Sets service image path in registry
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Windows security bypass
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Malware Config
C2 Extraction:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
https://eduarroma.tumblr.com/
Unpacked files
SH256 hash:
2ea36a668d45af10393ee4025a3311df8ebbb112b760437559e37b3770ad017e
MD5 hash:
b87dfc1bcc56ebbe967fbec9b0e86c04
SHA1 hash:
c6c83789d28a1fcd86269f83f1ee66849c68e6e6
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
1e47b0a87b714febf0f805a2c319a150cc8bd58d738669c76c975a64d40130ab
MD5 hash:
6cbca955ae2bb778cf9de6cef5d114a7
SHA1 hash:
527feb36a0cbd2c348df1862bb2d4516ed9bad6f
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
55054d2759b51535443c389a00a1ec83d54180000f9844e06b728d672fc1fc92
MD5 hash:
5fb3d69dee86b794ec68a643ed77cfae
SHA1 hash:
fe778093d7bf24ae42656ad93eb67054ef6b3953
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
33e31fae4de09ecada1ddde8b35d44fe9433c4fd18c44c9aebbe7d72c099e78c
MD5 hash:
7ab1fcf37a8af6e16d66b2348befde06
SHA1 hash:
769b81997d0fe5ef7c75205476965b750384f38f
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
dd596267a1790c00b351459e3176ebb7a87ecb67195e83aacbe92cc79be6f3a0
MD5 hash:
2d9ab7df6a2d93de9d9f15677ed198f0
SHA1 hash:
72d22eb788f2687dfe9eefdf1dc668de9e775697
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
24da4be8c1d9ca77f30cfea2e4fa4113d2be3497a1efba8c2465605dccf20166
MD5 hash:
698f103458a664e57eae14b914673934
SHA1 hash:
71f6f414b92fc5daf178e5b0d49a24fd4890439b
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
45eec0c18a11f1ed14bee0a1e5074c508d85f0c14057bae41e313eb7fc97cf88
MD5 hash:
7f38299454560350de065ebc4b8a57d2
SHA1 hash:
61f518b653dbe3ee4433bf4e21148ffea054e165
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
172b58474af9b90e38134864a67ff67f785057e7595489985934c5f2d5c1e8ad
MD5 hash:
bee3a3b4c71a4bafb2e76dd0635576db
SHA1 hash:
07db54e14e8e8058819a78af20fdf7488e27e3c7
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
fd3e0cd723eecf064a1bb723d7262d4019e3f97b248d6ada898308c1fc5d2fee
MD5 hash:
8fdd71fcefe34470ed33d2853d011233
SHA1 hash:
843ed420878c7c1cfa5b91fa6d49425dec0c76f7
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
30aa1c02503bcd11216e6ce427864bc76d26085e3f4a168b4d23e9fe8feb8022
MD5 hash:
7a37d97ac9ccb4d54a3458f6626c7776
SHA1 hash:
0f77043c96b9edade2e8c3454ee5af52812030a1
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
b3ccf5ebc2b057364ccc7f314294e7b634c20b96b44720e9b57ff0464d2a0ddb
MD5 hash:
304e1ff57ab75cb9cfe713d469b2b67c
SHA1 hash:
bfa21aa0b4979d087995f7cb529d5472709c3dce
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
212df7c1d3eead1afbdf108d23869c350ec215139a81ee97379d938e6ffa7514
MD5 hash:
9f5f75dfe26b1aa372c337a4263bc0ca
SHA1 hash:
282d57307f3931b01962875c1f3909c1fa95ff30
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
SH256 hash:
3549672c8de23efbeec55aeef7925d4bf778b4683252084e04c7ceb6a50b9393
MD5 hash:
a702ea4d44b0cd2e341503175f84b0d2
SHA1 hash:
d150c401bec51556ccce1cbd3ec286a3cd529e62
Link:
https://www.unpac.me/results/fb90af54-dea2-42bf-8063-5bc36c66ebbb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3549672c8de2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3549672c8de23efbeec55aeef7925d4bf778b4683252084e04c7ceb6a50b9393

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184264/

Comments