MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e
SHA3-384 hash: 6da79ed67d67e7113d8d85198017f6cc801e2aaf82846ffd33019fb71ccc59d0cfb27eeadbbffa2c9dae4671dc38796e
SHA1 hash: c3bea64c98d7d9ee17b59302cc2463239cc292b1
MD5 hash: 0b75632bf041cac607b9a3043843c757
humanhash: stream-speaker-five-idaho
File name:0b75632bf041cac607b9a3043843c757.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:4'555'371 bytes
First seen:2021-08-11 10:40:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xpCvLUBsgaUwlNJ122nv5eO+VyC5aA80zK7qcL8ho1zIhBP:xCLUCgpwRNnBGwm07NYFhBP
Threatray 286 similar samples on MalwareBazaar
TLSH T16D263310BBE080B5E52223305A8C3B7672ACCF44132915DB7F51DB996BBFC91E51B62E
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://ggc-partners.in/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ggc-partners.in/decision.php https://threatfox.abuse.ch/ioc/170210/

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178187/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Connection attempt
Sending a custom TCP request
DNS request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aae4e453-e664-4f30-a284-fbc5892ff81a
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830826
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 463252 Sample: 8sloK2EqDy.exe Startdate: 11/08/2021 Architecture: WINDOWS Score: 100 71 208.95.112.1 TUT-ASUS United States 2->71 73 95.181.179.66 NEOHOST-ASUA Russian Federation 2->73 75 7 other IPs or domains 2->75 95 Antivirus detection for URL or domain 2->95 97 Antivirus detection for dropped file 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 11 other signatures 2->101 9 8sloK2EqDy.exe 8 2->9         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\setup_install.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 9->39 dropped 41 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 9->41 dropped 43 3 other files (none is malicious) 9->43 dropped 12 setup_install.exe 11 9->12         started        process6 dnsIp7 91 104.21.54.206 CLOUDFLARENETUS United States 12->91 93 127.0.0.1 unknown unknown 12->93 63 C:\Users\user\AppData\...\8e14eeece3767.exe, PE32+ 12->63 dropped 65 C:\Users\user\AppData\Local\...\5298ab674.exe, PE32 12->65 dropped 67 C:\Users\user\AppData\...\4aa1e8b379159.exe, PE32 12->67 dropped 69 7 other files (4 malicious) 12->69 dropped 16 cmd.exe 1 12->16         started        18 cmd.exe 1 12->18         started        20 cmd.exe 1 12->20         started        22 4 other processes 12->22 file8 process9 process10 24 268b3127b936e01.exe 4 59 16->24         started        29 4a448bcddaa0b3.exe 14 5 18->29         started        31 5298ab674.exe 6 20->31         started        33 0fd5c77ed90f39d5.exe 22->33         started        35 21bcc8456d82.exe 2 22->35         started        dnsIp11 77 37.0.10.236 WKD-ASIE Netherlands 24->77 79 37.0.11.8 WKD-ASIE Netherlands 24->79 87 13 other IPs or domains 24->87 45 C:\Users\...\lnaqXLFUY5XXdR59zjipud4j.exe, PE32 24->45 dropped 47 C:\Users\...\lVcfrXZs3KVy3FgcgN8eZS0b.exe, PE32 24->47 dropped 49 C:\Users\...\cKjDTPYNXb66115vneaRAnNE.exe, PE32 24->49 dropped 61 37 other files (34 malicious) 24->61 dropped 103 Drops PE files to the document folder of the user 24->103 105 Tries to harvest and steal browser information (history, passwords, etc) 24->105 107 Disable Windows Defender real time protection (registry) 24->107 81 162.159.135.233 CLOUDFLARENETUS United States 29->81 51 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 29->51 dropped 109 Antivirus detection for dropped file 29->109 111 Machine Learning detection for dropped file 29->111 83 88.99.66.31 HETZNER-ASDE Germany 31->83 89 2 other IPs or domains 31->89 85 104.21.92.87 CLOUDFLARENETUS United States 33->85 53 C:\Users\user\AppData\Roaming\8791711.exe, PE32 33->53 dropped 55 C:\Users\user\AppData\Roaming\7849880.exe, PE32 33->55 dropped 57 C:\Users\user\AppData\Roaming\5973476.exe, PE32 33->57 dropped 59 C:\Users\user\AppData\Roaming\1260932.exe, PE32 33->59 dropped file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e/
Threat name:
Win32.Infostealer.Disbuk
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 17:01:26 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iticlvt5ooxbefn2ssbzog6febnp3eppslfsv3meccvxbyyw4u7a._file
Verdict:
unknown
Similar samples:
1a263b2603212ff1e492d9e0c718f12601789e27eaaba9a7a7048b4080c08bcb
DiamondFox
1ba812e8f200b18b8f04bf694314c9b5127aa8a3ce5351ac389639fb69d6d528
DiamondFox
39ec80621b9b8fcefe89e543622c4263b7629a1207107bebd239a50124bb7fc7
DiamondFox
7ca942cc19eb3d9f6bd2e5947eb77af104948ccea1f4b96c87270e91065650c7
DiamondFox
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
DiamondFox
aa9b8b79b9b4e0478e85c4ae5b08c15aadea45cac7617de2c298070fd781748e
DiamondFox
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
DiamondFox
df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056
DiamondFox
+ 276 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:39b871ed120e56ecbdc546b8a8a78c4e5516bc1f botnet:706 botnet:937 botnet:installs aspackv2 backdoor evasion infostealer persistence stealer suricata trojan
Link:
https://tria.ge/reports/210811-st4m68aces/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
178.32.202.118:43127
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
6e037f08a0c238f222fa2d717d487896fb12c411129748e6729e5599abc43b13
MD5 hash:
9806f3f87bcb267281009a6fc5c420fa
SHA1 hash:
1e36820c67183d74e9c1f94cfa63863e520b0598
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
Parent samples :
549953d5db2a4646740e721e24ec1b7fa57ef6c4d72ffa32752b17d4a65c36e4
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
76fd57122331c7e402c7ab4a48bb9a86529641200f391241e20f31232e5f439b
MD5 hash:
922068b48ff8abb7e513a724443c1f62
SHA1 hash:
fef5db5322dae45dade837d28a2ad1aa159c74b9
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
e51763543ade893e7423ed3f589fbe73f84ee2fb41f612cbfcbf61cf6e45d471
MD5 hash:
4352aeaf791c3bc2c18c3b00f53fd6e2
SHA1 hash:
3d3a3722e9b3811bf9b1fdf00a4f290a9396630a
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
0cfeb696a1e79a5933429e77f1d32b5d95fafbbd7053955a7ade9c0de264a904
MD5 hash:
2354ad9552eb7a2b129b6397be8fdcf1
SHA1 hash:
20218e9b1dc221230e279cdc1e33e012d38a7aeb
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
b151ffd0f57b21600a05bb28c5d1f047f423bba9750985ab6c3ffba7a33fa0ff
MD5 hash:
fcd4dda266868b9fe615a1f46767a9be
SHA1 hash:
f5d26b20ebdcd2f48ebbccff80b882ea2fa48e8c
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
dc5bbf1ea15c5235185184007d3e6183c7aaeb51e6684fbd106489af3255a378
MD5 hash:
af56f5ab7528e0b768f5ea3adcb1be45
SHA1 hash:
eaf7aefb8a730a15094f96cf8e4edd3eff37d8a1
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
11917ed1e22f8b13c571a292c33b44a46763b5e9f6b5929fa68474743b5ec771
MD5 hash:
7110d2ae1095ce9a0e1e90883978b502
SHA1 hash:
f75db33612a682916cdf8aa4f1044906db265505
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
700b72f9d21735d4dc945d70b7b9d70b4a635e9557ae23c82cd685e310ff7190
MD5 hash:
416c465716d20ddcb62f2335213973f4
SHA1 hash:
e2113fee21808c73e22c1aab5ee3390a41497923
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
7c32f0061642c910c8277dada6330e92afdd3f0c7398f0bcf6c473a9916c5fdd
MD5 hash:
626d401b1b804b8ebab9ef660766bec6
SHA1 hash:
c3ff55b1afa7be2ce871a85bbf114474b8bd409b
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
MD5 hash:
7aaf005f77eea53dc227734db8d7090b
SHA1 hash:
b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
381175bf6efdb7507922020d665213604a7896369239e35977f34359e3af65b3
MD5 hash:
6f1bc577738a64ce05d371b95a5d40b2
SHA1 hash:
db0cc12d56c9ea2daa3fbd0bb050546fc16b04cb
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
67c05dd0161afd1a19bcb6163930f640484b5bc85090aedb147c0125371d1c07
MD5 hash:
651f2175becf38277c6c92812eab8449
SHA1 hash:
eaadbd09fc01ebfed35c0212be2270b37386a40f
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
SH256 hash:
44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e
MD5 hash:
0b75632bf041cac607b9a3043843c757
SHA1 hash:
c3bea64c98d7d9ee17b59302cc2463239cc292b1
Link:
https://www.unpac.me/results/c494e94b-1f67-4503-b9e5-cb564486deb7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/44d025d67d73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178187/

Comments