MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 11


Intelligence 11 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3
SHA3-384 hash: c5deb18e00fea63f639896cfdf38b4a40e2ed5cfb3b77fc94696bc65db32184f74dcf4eac305b29061276a27b8f991be
SHA1 hash: 3fae37e1cae3bdd13ef544b3996bca1077d977f4
MD5 hash: 905632896c45f77778bf0d6955d68c42
humanhash: connecticut-papa-nineteen-bacon
File name:905632896C45F77778BF0D6955D68C42.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:4'827'075 bytes
First seen:2021-08-11 20:40:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xnCvLUBsgCBmJKRc4jXb92cBWoI6iacqw:xELUCgCsAukXbRBWzHqw
Threatray 292 similar samples on MalwareBazaar
TLSH T11C2633113FE5C0BAFB6A75314F882F7965B8CB85372405AFB314C1493F2D86AA52A14F
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://74.119.195.135/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://74.119.195.135/ https://threatfox.abuse.ch/ioc/171652/
http://cleaner-partners.top/decision.php https://threatfox.abuse.ch/ioc/172113/
45.14.49.128:16334 https://threatfox.abuse.ch/ioc/172157/

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178391/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a process with a hidden window
Creating a file
Sending a UDP request
Creating a window
Reading critical registry keys
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d821960d-c08a-4ca4-8385-07d1c1f3a7e1
Result
Threat name:
RedLine Socelars Vidar Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831254
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 463685 Sample: 1OvToCnCzU.exe Startdate: 11/08/2021 Architecture: WINDOWS Score: 100 93 208.95.112.1 TUT-ASUS United States 2->93 95 20.189.173.20 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->95 97 12 other IPs or domains 2->97 113 Antivirus detection for URL or domain 2->113 115 Antivirus detection for dropped file 2->115 117 Multi AV Scanner detection for dropped file 2->117 119 13 other signatures 2->119 11 1OvToCnCzU.exe 8 2->11         started        14 svchost.exe 1 2->14         started        signatures3 process4 file5 61 C:\Users\user\AppData\...\setup_install.exe, PE32 11->61 dropped 63 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 11->63 dropped 65 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 11->65 dropped 67 3 other files (none is malicious) 11->67 dropped 16 setup_install.exe 11 11->16         started        process6 dnsIp7 89 172.67.170.195 CLOUDFLARENETUS United States 16->89 91 127.0.0.1 unknown unknown 16->91 53 C:\Users\user\...\d1013002f91823f1.exe, PE32 16->53 dropped 55 C:\Users\user\...\d1013002f91823f010.exe, PE32 16->55 dropped 57 C:\Users\user\AppData\...\73c5ea81f5117.exe, PE32 16->57 dropped 59 7 other files (2 malicious) 16->59 dropped 20 cmd.exe 1 16->20         started        22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        26 6 other processes 16->26 file8 process9 process10 28 73c5ea81f5117.exe 20->28         started        33 6190f7acba29203.exe 91 22->33         started        35 4a97b300fe2.exe 24->35         started        37 d1013002f91823f1.exe 2 26->37         started        39 562e5c38e3756.exe 26->39         started        41 c4820dd43af06255.exe 1 4 26->41         started        43 a7ffedbefb5b58d4.exe 4 26->43         started        dnsIp11 99 37.0.10.236 WKD-ASIE Netherlands 28->99 101 37.0.11.8 WKD-ASIE Netherlands 28->101 109 17 other IPs or domains 28->109 69 C:\Users\...\xnBL0510tYCWqcy02E2U2yu8.exe, PE32 28->69 dropped 71 C:\Users\...\nVy5BuvkiR75Lwjs8f3EeH29.exe, PE32 28->71 dropped 73 C:\Users\...\lvE7uuV7vXsxPOef4ink1TTU.exe, PE32 28->73 dropped 77 41 other files (36 malicious) 28->77 dropped 121 Drops PE files to the document folder of the user 28->121 123 Tries to harvest and steal browser information (history, passwords, etc) 28->123 125 Disable Windows Defender real time protection (registry) 28->125 103 74.114.154.18 AUTOMATTICUS Canada 33->103 105 176.123.2.239 ALEXHOSTMD Moldova Republic of 33->105 79 12 other files (none is malicious) 33->79 dropped 127 Detected unpacking (changes PE section rights) 33->127 129 Detected unpacking (overwrites its own PE header) 33->129 131 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->131 133 Tries to steal Crypto Currency Wallets 33->133 135 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->135 137 Checks if the current machine is a virtual machine (disk enumeration) 35->137 139 Creates processes via WMI 37->139 45 d1013002f91823f1.exe 37->45         started        107 104.21.92.87 CLOUDFLARENETUS United States 39->107 75 C:\Users\user\AppData\Roaming\8278804.exe, PE32 39->75 dropped 81 3 other files (none is malicious) 39->81 dropped 83 2 other files (none is malicious) 41->83 dropped 49 1cr.exe 41->49         started        85 2 other files (none is malicious) 43->85 dropped file12 signatures13 process14 dnsIp15 111 104.21.70.98 CLOUDFLARENETUS United States 45->111 87 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 45->87 dropped 51 conhost.exe 45->51         started        file16 process17
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3/
Threat name:
Win32.Trojan.ArkeiStealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 03:40:22 UTC
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgbxqnqxn5232vzjkby54wllddwbugxwg2a4z7owt5o63mexnwrq._file
Verdict:
unknown
Similar samples:
1a263b2603212ff1e492d9e0c718f12601789e27eaaba9a7a7048b4080c08bcb
DiamondFox
1ba812e8f200b18b8f04bf694314c9b5127aa8a3ce5351ac389639fb69d6d528
DiamondFox
39ec80621b9b8fcefe89e543622c4263b7629a1207107bebd239a50124bb7fc7
DiamondFox
44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e
DiamondFox
7ca942cc19eb3d9f6bd2e5947eb77af104948ccea1f4b96c87270e91065650c7
DiamondFox
854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a
DiamondFox
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
DiamondFox
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
DiamondFox
+ 282 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:39b871ed120e56ecbdc546b8a8a78c4e5516bc1f botnet:706 botnet:7new botnet:916 botnet:937 aspackv2 backdoor evasion infostealer persistence stealer suricata trojan
Link:
https://tria.ge/reports/210811-p1zadxx3vx/
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
https://lenak513.tumblr.com/
Dropper Extraction:
http://91.241.19.52/Api/GetFile2
Unpacked files
SH256 hash:
61494bca647b46aa9c7cfe3530385a7d6f9dc2287c9b0b4fd61dfa701ba7a4ad
MD5 hash:
df2208cc1e06995916314451713aa5b0
SHA1 hash:
ae2d9d9cdbe24556f5359b13767533bbe9c046d1
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
dd5c306519cc94125348f67bd6a533e9ec5fe06a0be2404e7f7175dd150cdeaa
MD5 hash:
12c4e83713e044a173a2a56d0689cc4c
SHA1 hash:
a72587ad2fd0c93a469edb802cfc753bc00f1fff
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
6e037f08a0c238f222fa2d717d487896fb12c411129748e6729e5599abc43b13
MD5 hash:
9806f3f87bcb267281009a6fc5c420fa
SHA1 hash:
1e36820c67183d74e9c1f94cfa63863e520b0598
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
Parent samples :
549953d5db2a4646740e721e24ec1b7fa57ef6c4d72ffa32752b17d4a65c36e4
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
MD5 hash:
13a289feeb15827860a55bbc5e5d498f
SHA1 hash:
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
06030da840a347ea27a63e121d955a7dbb7804cdc53ac3faeb6434cc7d9762d5
MD5 hash:
0195ea9f10f37a77b8c099b3b2d0781a
SHA1 hash:
ca4c25f190257655b98da15cc24437cb8de4f899
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
491c0381f3bbfd8febbb103cd4b1bc1277658bc82b5f8c6e6b91d4a959a6eb36
MD5 hash:
c78e3bf22ca9a8ac67910edab1e85b26
SHA1 hash:
51d9ca3c00a951b2205aa943e915e43fd37a8a45
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash:
c0d18a829910babf695b4fdaea21a047
SHA1 hash:
236a19746fe1a1063ebe077c8a0553566f92ef0f
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
a7abe50505fc2fd6a920828b3cad0d45756d5c645dbed69f1fbabb006a78f9ec
MD5 hash:
c94637bcd99414ea70328b46a9ae9a97
SHA1 hash:
f6cc4ffa67c2092e7535921d716db695cd4a7222
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
a8f780a26dc30786517786c23e1e5f89c637957d605149b40a26e0074bc317b7
MD5 hash:
600723bbd0c2f8233bcea5de5595a3ad
SHA1 hash:
f2fc55bbc278ef6b27ad2657136e397056ba5208
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
MD5 hash:
7aaf005f77eea53dc227734db8d7090b
SHA1 hash:
b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
26204b012d5933247064883affafe424d290fb1fe2ecdfcf4ff98f196c2c5fae
MD5 hash:
97921525a4326b5b02238e7633eff41f
SHA1 hash:
1ab1c2a2109edef8fd2b36a5a2613c9543650e08
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
3b7dc18bf757cb4bb6339b80827a0ff208b6a61744dc39b9d0baca4758e584b5
MD5 hash:
07595ab37fbc831ede4b1c193b8edb31
SHA1 hash:
35172685de9433c233e2fd7ac6b7edf53beae1b9
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
bda07dbc224d11e05c3f53a5e33eb92f29f5cb0703c8d9946665359866759b3b
MD5 hash:
8e74ac2ac87d5d86fdd1df32b0701c8d
SHA1 hash:
cf7558f62fc42dd750a8e2b29986fa977114f795
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
SH256 hash:
51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3
MD5 hash:
905632896c45f77778bf0d6955d68c42
SHA1 hash:
3fae37e1cae3bdd13ef544b3996bca1077d977f4
Link:
https://www.unpac.me/results/c594f86a-8b8a-4095-b17a-ddcbb5b00420/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178391/

Comments