MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5159b4c83cf8d33352adc6f2ef0d7018a4b70810f331cca3a7736e2cc5d137e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5159b4c83cf8d33352adc6f2ef0d7018a4b70810f331cca3a7736e2cc5d137e4
SHA3-384 hash: b58be43fd66d4588eba65a6b8dc9513bcbed80196171200022b652de2c7f749e57e1f2f18d865f99902d7fa411a2cbb4
SHA1 hash: 74565638b416a9676f5f833ccfe60fe5b3f19c86
MD5 hash: 0bf244746a51a022db0bbf39e39f6a5c
humanhash: friend-failed-oranges-fruit
File name:0BF244746A51A022DB0BBF39E39F6A5C.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:3'022'746 bytes
First seen:2021-09-02 00:26:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBVEwJ84vLRaBtIl9mVkoRh4qaaOtYpXtqLlfNRhDGCdlCs/Vz7hWyFu:xvCvLUBsgBHbOt8dqZgs/Vvh/Fu
Threatray 465 similar samples on MalwareBazaar
TLSH T125E533007AD5C1F6EDC11631AD8BABF3D2F5C78902316D833354AA2D573E894E219E6E
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.144/ https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-08-30 03:12:30 UTC
Tags:
trojan rat redline evasion stealer vidar loader opendir raccoon
Link:
https://app.any.run/tasks/77f2bfe0-c3b7-44b2-a2f9-c955d1f389b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184605/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Connection attempt
Sending a custom TCP request
DNS request
Running batch commands
Launching a process
Sending an HTTP GET request
Creating a window
Deleting a recently created file
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Creating a file
Creating a file in the %AppData% directory
Creating a process with a hidden window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9637b3b3-7c72-4106-ad30-b4f21dd0d248
Result
Threat name:
SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843709
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476140 Sample: seFGGGDFQm.exe Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 115 104.21.77.209 CLOUDFLARENETUS United States 2->115 117 172.67.156.42 CLOUDFLARENETUS United States 2->117 119 2 other IPs or domains 2->119 161 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->161 163 Antivirus detection for URL or domain 2->163 165 Antivirus detection for dropped file 2->165 167 13 other signatures 2->167 11 seFGGGDFQm.exe 16 2->11         started        14 svchost.exe 2->14         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 95 C:\Users\user\AppData\...\setup_install.exe, PE32 11->95 dropped 97 C:\Users\user\AppData\...\Sun23efa36387f0.exe, PE32 11->97 dropped 99 C:\Users\user\...\Sun23ee708f142bd3.exe, PE32+ 11->99 dropped 101 11 other files (6 malicious) 11->101 dropped 19 setup_install.exe 1 11->19         started        139 23.211.4.86 AKAMAI-ASUS United States 14->139 file6 process7 dnsIp8 121 sornx.xyz 172.67.190.165, 49709, 80 CLOUDFLARENETUS United States 19->121 123 127.0.0.1 unknown unknown 19->123 177 Performs DNS queries to domains with low reputation 19->177 179 Adds a directory exclusion to Windows Defender 19->179 23 cmd.exe 1 19->23         started        25 cmd.exe 19->25         started        27 cmd.exe 1 19->27         started        29 7 other processes 19->29 signatures9 process10 signatures11 32 Sun237fedff1799a.exe 23->32         started        35 Sun2376f81b8330.exe 25->35         started        39 Sun23ee708f142bd3.exe 1 27->39         started        181 Adds a directory exclusion to Windows Defender 29->181 41 Sun23999661e44.exe 29->41         started        43 Sun23309eda7d63ab.exe 29->43         started        45 Sun233417360a.exe 29->45         started        47 3 other processes 29->47 process12 dnsIp13 141 Multi AV Scanner detection for dropped file 32->141 143 Detected unpacking (changes PE section rights) 32->143 145 Machine Learning detection for dropped file 32->145 159 4 other signatures 32->159 49 explorer.exe 32->49 injected 81 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 35->81 dropped 147 Antivirus detection for dropped file 35->147 54 LzmwAqmV.exe 35->54         started        125 ip-api.com 208.95.112.1, 49703, 80 TUT-ASUS United States 39->125 131 2 other IPs or domains 39->131 149 May check the online IP address of the machine 39->149 151 Contains functionality to steal Chrome passwords or cookies 39->151 153 Tries to harvest and steal browser information (history, passwords, etc) 39->153 127 37.0.10.237, 49712, 49721, 80 WKD-ASIE Netherlands 41->127 129 37.0.10.214, 49711, 80 WKD-ASIE Netherlands 41->129 133 2 other IPs or domains 41->133 155 Disable Windows Defender real time protection (registry) 41->155 135 2 other IPs or domains 43->135 83 C:\Users\user\AppData\Roaming\8059770.exe, PE32 43->83 dropped 85 C:\Users\user\AppData\Roaming\6017798.exe, PE32 43->85 dropped 87 C:\Users\user\AppData\Roaming\5163540.exe, PE32 43->87 dropped 93 2 other files (none is malicious) 43->93 dropped 89 C:\Users\user\AppData\...\Sun233417360a.tmp, PE32 45->89 dropped 56 Sun233417360a.tmp 45->56         started        137 2 other IPs or domains 47->137 91 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 47->91 dropped 157 Creates processes via WMI 47->157 58 WerFault.exe 47->58         started        file14 signatures15 process16 dnsIp17 105 193.142.59.117 HOSTSLICK-GERMANYNL Netherlands 49->105 107 187.156.151.25 UninetSAdeCVMX Mexico 49->107 109 31.166.141.166 MOBILY-ASEtihadEtisalatCompanyMobilySA Saudi Arabia 49->109 63 C:\Users\user\AppData\Roaming\afeicva, PE32 49->63 dropped 65 C:\Users\user\AppData\Local\Temp\F5F3.exe, PE32 49->65 dropped 67 C:\Users\user\AppData\Local\Temp\3D00.exe, PE32 49->67 dropped 169 System process connects to network (likely due to code injection or exploit) 49->169 171 Benign windows process drops PE files 49->171 173 Hides that the sample has been downloaded from the Internet (zone.identifier) 49->173 69 C:\Users\user\AppData\...\PBrowFile594.exe, PE32 54->69 dropped 71 C:\Users\user\AppData\Local\...\Chrome 5.exe, PE32+ 54->71 dropped 73 C:\Users\user\AppData\Local\...\BearVpn 3.exe, PE32 54->73 dropped 77 5 other files (2 malicious) 54->77 dropped 175 Machine Learning detection for dropped file 54->175 60 Chrome 5.exe 54->60         started        111 the-flash-man.com 56->111 113 best-link-app.com 56->113 75 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 56->75 dropped 79 2 other files (none is malicious) 56->79 dropped file18 signatures19 process20 file21 103 C:\Users\user\AppData\...\services64.exe, PE32+ 60->103 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5159b4c83cf8d33352adc6f2ef0d7018a4b70810f331cca3a7736e2cc5d137e4/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 03:31:50 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfm3jsb47djtguvny3zo6dlqdcslocaq6my4zi5honxczrorg7sa._file
Verdict:
unknown
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
DiamondFox
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
DiamondFox
186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
DiamondFox
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
DiamondFox
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
DiamondFox
45c04168fe1e27939f2e08c178279d8c1aca5eba4ed8f6a717eb70b966cc5617
DiamondFox
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
DiamondFox
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
DiamondFox
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
DiamondFox
bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
DiamondFox
+ 455 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:706 aspackv2 backdoor infostealer stealer trojan
Link:
https://tria.ge/reports/210902-1hgekgdpfs/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
RedLine Payload
SmokeLoader
Vidar
Process spawned unexpected child process
RedLine
Malware Config
C2 Extraction:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
https://eduarroma.tumblr.com/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
424eb094b40901ea9e2a8b53ce7ee29c9b9c2401cc85447a9117723d63789cbe
MD5 hash:
9846c1e317e308f46a807bf0ccd2f085
SHA1 hash:
23d85d7d9da727e048dd1c0349b35d2299f26d77
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
1e47b0a87b714febf0f805a2c319a150cc8bd58d738669c76c975a64d40130ab
MD5 hash:
6cbca955ae2bb778cf9de6cef5d114a7
SHA1 hash:
527feb36a0cbd2c348df1862bb2d4516ed9bad6f
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
be6e4a38c35e0beefe0e8f9d87864c6fcb674ca2a074085c32901a5f354734fc
MD5 hash:
eb054ff50db7cff9d6ac9ae24a095245
SHA1 hash:
f09955621b4dceb9c093eae5fb177d536b72f03f
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
1b9d29f4887cb5ec2f7980f3b51fccf0eb699bf81361b31342e9a895cc362c8d
MD5 hash:
abea1f518f0b3957a1755eae02698ca3
SHA1 hash:
b3130e09832595c47cfb06a883388fabdd5bc488
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
ae25cb941f3026c1da3db95f689d4dc493580c5900adcb856e62ece1fc591598
MD5 hash:
e7d138a960df98a500620432b4d32cc0
SHA1 hash:
b03ed11d72da94a70dd0a35cf0fa5dff2ea248e0
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
ee4d7bdf6f8f819f38277222cecaf2d6713d67cfbce08fcb4af63e1fdff6ad78
MD5 hash:
126c749830baa7f03ab371dcd0019a2f
SHA1 hash:
63d0220296434fd1df64f6888b78e65122135225
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
c9239f16017b4a5cc520bf598c75d82fa1b576755e7a7c066c070f3a25d7cdff
MD5 hash:
5fa488d3cdc00f9561894984f83f18b3
SHA1 hash:
43ab80672ea67f135ebe54eb75e8d33978eef755
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
24ae9827420e3b6a86d0dc9bbc827aee0a425865975e82c32669bb90de3b2e1a
MD5 hash:
9938d83c7afa2a1924ada84f90ea32a9
SHA1 hash:
20c7199a01818f9bf7b1bd90f56369976e28ec02
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
6a42ffb1dc8f03cef767314efb392d65a8d83284409f9fee6283e6e397042614
MD5 hash:
513e9aa65b7e6a584ed8cd14e6ef5e99
SHA1 hash:
baf8f9f071ac6b4406a8a98222349296a48d9394
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
01f4873c0d3f9bd13da5740aafffa91788d86ceea4675cacc65fd1c82b541423
MD5 hash:
3bc82166a8a32131b791c4c252ec2684
SHA1 hash:
4f13ddc57407d6dc098537daf617c4acc1a2628a
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
a8fb66c3441c33b93050fbb9521cd56bae2774af754c49c110168dab86d0fa71
MD5 hash:
2eaac9d366675dc3fa265b4ed7eeb09c
SHA1 hash:
56e766dfe6a3dcc04b17bc0bfcbb0420c4e0e5c1
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
b3c917afe65e619725c324ce71eeb82c23f71333de8eea96dc6b9803163c3197
MD5 hash:
9c6244a54aefa6a2045127191f096536
SHA1 hash:
482ebdf5352b9091977341fd9f6d977f0a3bec8f
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
SH256 hash:
5159b4c83cf8d33352adc6f2ef0d7018a4b70810f331cca3a7736e2cc5d137e4
MD5 hash:
0bf244746a51a022db0bbf39e39f6a5c
SHA1 hash:
74565638b416a9676f5f833ccfe60fe5b3f19c86
Link:
https://www.unpac.me/results/c0748607-1e7e-4a31-80c9-4a6c3715d36f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5159b4c83cf8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5159b4c83cf8d33352adc6f2ef0d7018a4b70810f331cca3a7736e2cc5d137e4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184605/

Comments