MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e825059cdc8c2116ff7737eead0e6482a2cbf0a5790deadd89202a4058765bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DiamondFox


Vendor detections: 6



SHA256 hash: 4e825059cdc8c2116ff7737eead0e6482a2cbf0a5790deadd89202a4058765bd
SHA3-384 hash: 2fa241706e1aa22ae6a1bc4671f59ff378e4573b8a042043179e13d892c392e0b0d3341698bafa1e450e42fd093f632e
SHA1 hash: 4a65beed86134b677afe991839d3750c0648c9d5
MD5 hash: df18127434df02b89ba3dc6c973ba603
humanhash: beer-alabama-april-queen
File name: 4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe
Download: download sample
Signature: DiamondFox
File size: 15'606'291 bytes
First seen: 2021-06-26 16:20:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep: 393216:cVjSEKSHcI5aYG8UIm8qm8ZQf7ziwSBk6NCJRVaxlq:YxBnYUTSBxCEq
Threatray: 7 similar samples on MalwareBazaar
TLSH: BDF63302F1E2C835C49A16B1493A43709B7A7C35B774C6F72FE834AA9D243D1A936B4D
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
213.189.218.18:8080

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox reference
213.189.218.18:8080       https://threatfox.abuse.ch/ioc/154004/
http://35.205.249.65/     https://threatfox.abuse.ch/ioc/154052/
101.99.94.204:53346       https://threatfox.abuse.ch/ioc/154223/

Intelligence


File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe
Verdict: No threats detected
Analysis date: 2021-06-26 16:22:49 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph (ID: 440890; sample: 4E825059CDC8C2116FF7737EEAD...; start date: 26/06/2021; architecture: WINDOWS; score: 100). The flattened graph dump is laid out below as a process tree; each node lists its network contacts ("network"), dropped files ("dropped") and matched signatures, then its child processes, indented:

Root sample (signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures)
  network: wsgeoip.lavasoft.com; webcompanion.com; 4 other IPs or domains
  started: 4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe; svchost.exe; svchost.exe; 7 other processes
  4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe
    dropped: C:\Users\user\AppData\Local\...\lua5.1.dll (PE32); C:\Users\user\AppData\Local\...\irsetup.exe (PE32)
    irsetup.exe
      network: a-13.1fichier.com 5.39.224.13:443 (DSTORAGEFR, France); 1fichier.com 5.39.224.140:443 (DSTORAGEFR, France); 2 other IPs or domains
      dropped: C:\Users\user\AppData\...MYGRBGLUUEGS.exe (PE32)
      EMYGRBGLUUEGS.exe
        dropped: C:\Users\user\AppData\Local\...\lua5.1.dll (PE32); C:\Users\user\AppData\Local\...\irsetup.exe (PE32)
        irsetup.exe
          network: ip-api.com 208.95.112.1:80 (TUT-ASUS, United States); www.findmemolite.com 46.101.214.246 (DIGITALOCEAN-ASNUS, Netherlands); 4 other IPs or domains
          dropped: C:\Users\user\AppData\Local\Temp\pLab.exe (PE32)
          pLab.exe
            dropped: C:\Users\user\AppData\Local\Temp\...\pLab.tmp (PE32)
            pLab.tmp
              network: idowload.com 185.227.110.219:80 (LEASEWEB-NL-AMS-01NetherlandsNL, Netherlands)
              dropped: C:\Users\user\AppData\...\bargawiou  (.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
              bargawiou  (.exe
                network: rep.pe-wok.biz; iplogger.org 88.99.66.31:443 (HETZNER-ASDE, Germany); 4 other IPs or domains
                dropped: C:\Users\user\AppData\...\Duqymaezheku.exe (PE32); C:\Users\user\AppData\...\ZHibijatobu.exe (PE32); C:\Program Files (x86)\...\Tesherivuru.exe (PE32); 4 other files (3 malicious)
                Duqymaezheku.exe (signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file)
                  network: connectini.net
                  started: iexplore.exe (three instances); 19 other processes
                  iexplore.exe: www.directdexchange.com; directdexchange.com
                  iexplore.exe: 2 other IPs or domains
                  iexplore.exe: www.directdexchange.com; 2 other IPs or domains
                  19 other processes: www.profitabletrustednetwork.com (signature: Performs DNS queries to domains with low reputation); 6 other IPs or domains
                    iexplore.exe: 192.243.59.13:443 (ADVANCEDHOSTERS-ASNL, Dominica); www.profitabletrustednetwork.com
                ZHibijatobu.exe (signature: Antivirus detection for dropped file)
                  network: egsa.pw 111.90.146.149 (SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY, Malaysia); 142.44.224.16 (OVHFR, Canada); 4 other IPs or domains
                prolab.exe
                  dropped: C:\Users\user\AppData\Local\...\prolab.tmp (PE32)
                  prolab.tmp
                    dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\is-U1GGR.tmp (PE32); 8 other files (none is malicious)
          WcInstaller.exe
            WebCompanionInstaller.exe (signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines))
              network: wc-update-service.lavasoft.com 64.18.87.82 (MTOCA, Canada); wcdownloadercdn.lavasoft.com 104.18.87.101 (CLOUDFLARENETUS, United States); flow.lavasoft.com 104.18.88.101 (CLOUDFLARENETUS, United States)
          maskvpn.exe
          installerapp.exe
  svchost.exe
    started: WerFault.exe (four instances; one of them matched the signature "Tries to evade analysis by execution special instruction which cause usermode exception")
  svchost.exe
    network: 127.0.0.1
  7 other processes
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-06-23 22:51:00 UTC
AV detection: 10 of 29 (34.48%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SHA256 hash: 9c6aef2cac800bb6fdfa08c653a1d2a80ca99e5892285beb233dc6852fd62385
MD5 hash: 4228b3ec23563d205eb0a74c1dade602
SHA1 hash: 4cb78b53dedff0a43248996241026d1510441980

SHA256 hash: c3f051fdc89bba65156a1f0b0c6bcd9dd7950ff851ed8338e842ad1d89534c48
MD5 hash: 6e8174db90c85a6c871510c2ec49c3f9
SHA1 hash: 01d1ea3fceaae1eef1034e230c1924eba645a7ee

SHA256 hash: 4e825059cdc8c2116ff7737eead0e6482a2cbf0a5790deadd89202a4058765bd
MD5 hash: df18127434df02b89ba3dc6c973ba603
SHA1 hash: 4a65beed86134b677afe991839d3750c0648c9d5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ponmocup
Author: Danny Heppener, Fox-IT
Description: Ponmocup plugin detection (memory)
Reference: https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments