MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox

Vendor detections: 12

SHA256 hash: 3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
SHA3-384 hash: 4c5cc2bbbde11f7ad6ac8cca884e380ae7cea0f516248401d3fdbe522cc446005715194012ca02822db57ee0d463c598
SHA1 hash: 96291cf1ce155f393919965359de528b2d661186
MD5 hash: ad1ca7ff685a17765d86adb4105b7bd7
humanhash: venus-asparagus-earth-high
File name: ad1ca7ff685a17765d86adb4105b7bd7.exe
Download: download sample
Signature: DiamondFox
File size: 5'988'139 bytes
First seen: 2021-08-20 11:35:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:x7CvLUBsgSqm9iwNZOmcJ9sTqEQxvTNDagiE6ixeZKjG/RrkIk8lfYhlB:xALUCghwNZvWDOTBKjgd/lf2H
Threatray: 431 similar samples on MalwareBazaar
TLSH: T1EF563301F5ECD8F8DAC2B1348EAC2BB689D9F20907BC19DB7791968D3F34951D54222E
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
http://45.140.147.35/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://45.140.147.35/   https://threatfox.abuse.ch/ioc/192382/
95.181.172.100:6795     https://threatfox.abuse.ch/ioc/192435/
94.103.83.88:60362      https://threatfox.abuse.ch/ioc/192436/
51.254.68.139:8067      https://threatfox.abuse.ch/ioc/192437/
65.21.141.215:8374      https://threatfox.abuse.ch/ioc/192438/

Intelligence


File Origin
# of uploads: 1
# of downloads: 137
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ad1ca7ff685a17765d86adb4105b7bd7.exe
Verdict: No threats detected
Analysis date: 2021-08-20 11:37:14 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Launching a process
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Delayed reading of the file
Deleting a recently created file
Searching for analyzing tools
Creating a file
Creating a window
Sending an HTTP GET request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Stealing user critical data
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cryptbot RedLine Vidar
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID: 468808; Sample: n7FebMFA3S.exe; Startdate: 20/08/2021; Architecture: WINDOWS; Score: 100):

Start
  Network: 20.189.173.21 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
  Started: n7FebMFA3S.exe
    Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Sun23f281f9641a0538.exe (PE32); C:\Users\user\...\Sun23e42c6c4f807.exe (PE32+); 11 other files (6 malicious)
    Started: setup_install.exe
      Network: 127.0.0.1; 192.168.2.1
      Signatures: Adds a directory exclusion to Windows Defender
      Started: cmd.exe (3 instances) and 7 other processes
        cmd.exe -> Sun236aabe3fc741.exe
          Network: 185.233.185.134 (YURTEH-ASUA, Russian Federation); 37.0.10.214 (WKD-ASIE, Netherlands); 14 other IPs or domains
          Dropped: C:\Users\...\sJEFza15jXMH15g12IfmRCPe.exe (PE32+); C:\Users\...\ph_U1g_8JPE5fFdzzcbcN3gn.exe (PE32); C:\Users\...\lfvbCPWLfeERDi_mCwK4El_B.exe (PE32); 41 other files (37 malicious)
          Signatures: Drops PE files to the document folder of the user; Disable Windows Defender real time protection (registry)
        cmd.exe -> Sun23f281f9641a0538.exe
          Network: 185.230.143.16 (HostingvpsvilleruRU, Russian Federation)
          Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures
        cmd.exe -> Sun23ccd14b1f.exe
          Signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
          Injected: explorer.exe
        7 other processes
          Signatures: Adds a directory exclusion to Windows Defender
          Started: Sun23e42c6c4f807.exe
            Network: 4 other IPs or domains
            Dropped: C:\Users\user\AppData\...\fastsystem.exe (PE32+); C:\Users\user\AppData\...\aaa_011[1].dll (DOS)
            Signatures: Contains functionality to steal Chrome passwords or cookies; Drops PE files to the startup folder
          Started: Sun232280136fb70b5f.exe
            Network: 88.99.66.31 (HETZNER-ASDE, Germany)
            Signatures: Detected unpacking (changes PE section rights)
          Started: Sun23678302d9cc50b1.exe
            Signatures: Tries to harvest and steal browser information (history, passwords, etc)
          Started: 3 other processes
            Network: 2 other IPs or domains
            Signatures: Creates processes via WMI
            Started: Sun235f9cc50c9.exe
              Network: 104.21.70.98 (CLOUDFLARENETUS, United States)
              Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
              Started: conhost.exe
Threat name: Win32.Trojan.Mokes
Status: Malicious
First seen: 2021-08-16 12:08:24 UTC
AV detection: 33 of 46 (71.74%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:cryptbot family:redline family:smokeloader family:vidar botnet:706 botnet:second_7.5k aspackv2 backdoor discovery evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
CryptBot
CryptBot Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
lysuht78.top
morisc07.top
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/
45.14.49.200:27625
Unpacked files
SHA256 hash: 2d6e2e392d2f113ba36f21860d1acfbbd764f171896b011fe235325aa0ebdab0
MD5 hash: ea68e0ccbd0dec2b638d1c299d4f99f3
SHA1 hash: 4f89cb8e5f65793fc07e1a0f751140ac86cb2f4c

SHA256 hash: a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash: 117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash: ff07b1fcc58aa62b42d797981e0d953d9f9e0120

SHA256 hash: dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash: c02a029c978f13b753c6b578b1588c75
SHA1 hash: e125d59451e7f467bfd329a00a506decbcd91d83

SHA256 hash: aef57f9041d2a72d7f91267da4fb59c5549b64ea5c8d835700017c76a9f5cd5b
MD5 hash: 9316c127482b3b9a18d13a0822f04dc1
SHA1 hash: 9efdd3abbb3cc93367a5d05aa43bc55cf2a8d1a3

SHA256 hash: c83c6bbdf2a042df0c8343aed3d04a09e2f09b7c97ca13da4e141b2ee6b73e24
MD5 hash: bd04c2aaa95597b44e601173a12ff67a
SHA1 hash: 6482176bc16a64fe9df5f4615c30dfddc083dcfc

SHA256 hash: a50330931d6fe0c345193468dffb7f3b67d83baaba22f2faec18bc778434c951
MD5 hash: 28a739d81655c4a5732d99c5119063d1
SHA1 hash: 5e6b42ab8583d63d89e30f87c2406d34b46547bf

SHA256 hash: 558e587a3f0eae11fb9fb06d11e5836517d3cf197d71e8f5e8c1157f46330f41
MD5 hash: 101f2ca187a77736844fab6ad0c2fad0
SHA1 hash: 51c054b11b82caec19e2da0213c9d0c3eefbdf1b

SHA256 hash: b3e828afd5ca30eb3eeb3aff5727ab295601df787ca5c497f5ad4afe4587d3e9
MD5 hash: 5badcb4fe401eaf7a63eed6a83f06a44
SHA1 hash: bbf893754b45da12bb2bd85ca63cd5c2ca69db92

SHA256 hash: 758fce26a00ca554eaafb38751618b836fa1f3b9917103c9a666e7823974c929
MD5 hash: 97f3a0063614c81b3ebcc2758c3f3974
SHA1 hash: fd0a53ca2b4adcfc3f731f97f225cdce7ada7eb9

SHA256 hash: 01368e0ae15cc2569cb19a4885e6eef3104e1dba7d0db835c1c6d4f19d0a4b6e
MD5 hash: 18cb6a39fec8fe2289791639edc569a5
SHA1 hash: 31e54a92fde9ac91896c6e872d7f65d78a5c72ff

SHA256 hash: 3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
MD5 hash: ad1ca7ff685a17765d86adb4105b7bd7
SHA1 hash: 96291cf1ce155f393919965359de528b2d661186
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload

Rule name: MALWARE_Win_MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: win_cryptbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cryptbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments