MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox
Vendor detections: 13

SHA256 hash: 474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
SHA3-384 hash: 6861870449c56ce5577f3bfd691f30eb2bd4547496b7de71b18d17f6a779441599782b2f43e24b91d40f13065cb67eec
SHA1 hash: 499be12d4fe4f30e672601b1ccbfc4f014a8bca8
MD5 hash: 88a990a868eada802839185b6f05c541
humanhash: skylark-neptune-alpha-yankee
File name: 88A990A868EADA802839185B6F05C541.exe
Signature: DiamondFox
File size: 3'352'282 bytes
First seen: 2021-07-20 03:21:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:UbADpNv9MyFximaWtsL4iZ1XxKLv6BzCc:UCxHaHLn3ALiBzCc
Threatray: 1'110 similar samples on MalwareBazaar
TLSH: T150F52300BDC094B2D1A11D394274DA28A97D7C305F149B9FF3A45A6E8F361C1DB39BAB
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
45.144.29.134:26392

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.144.29.134:26392
ThreatFox reference: https://threatfox.abuse.ch/ioc/161270/

Intelligence


File Origin
# of uploads: 1
# of downloads: 137
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 88A990A868EADA802839185B6F05C541.exe
Verdict: Malicious activity
Analysis date: 2021-07-20 03:22:16 UTC
Tags: autoit evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine SmokeLoader Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph: [graph rendering not reproduced; Behavior Graph ID: 451047, Sample: Cx9ER7vYGi.exe, Startdate: 20/07/2021, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Multiverze
Status: Malicious
First seen: 2021-07-17 03:40:42 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags:
family:fickerstealer family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:865 botnet:oboze_new_serv botnet:sel17 backdoor discovery dropper evasion infostealer loader spyware stealer themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Runs .reg file with regedit
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Fickerstealer
Glupteba
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.
