MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55b8c3a1997416f5c6c04663ef6f6bd2e1712ba24162f330ee31b3ec1c6864e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55b8c3a1997416f5c6c04663ef6f6bd2e1712ba24162f330ee31b3ec1c6864e9
SHA3-384 hash: 4d263702632808eac820a8c6f648375cc0553658adc33b6d90b595429c87e8dd96d06d6f7e55e57e1ccc149f610d473c
SHA1 hash: 0379f24a192e1819c070dca64d35b9d3fd67735c
MD5 hash: b111b18faad3cf644558f0a84ebea9b6
humanhash: maine-bravo-wolfram-lima
File name:B111B18FAAD3CF644558F0A84EBEA9B6.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:3'438'433 bytes
First seen:2021-08-14 13:51:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yIerf7geeTrrowTBsgay6LVIP45iL4abjao1D4Ztc:yIerf7geerowTBj14ObjtGZtc
Threatray 336 similar samples on MalwareBazaar
TLSH T1D5F5331970678D53F9A1A4F156121373B832E3021F61770A71B0E30AB92BE07D66EBD7
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://45.153.230.19/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.153.230.19/ https://threatfox.abuse.ch/ioc/185490/
135.181.123.52:52101 https://threatfox.abuse.ch/ioc/186204/

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B111B18FAAD3CF644558F0A84EBEA9B6.exe
Verdict:
No threats detected
Analysis date:
2021-08-14 13:54:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/85adc69e-655e-4e21-a5ba-6e66054d077d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179239/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Jaik-9885385-0
Create hunting rule

Win.Malware.Jaik-9885386-0
Create hunting rule

Win.Malware.Jaik-9885388-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Creating a file
Sending a UDP request
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a88cfaef-d2eb-4aab-aa8d-a79ee860bcc6
Result
Threat name:
Raccoon RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832904
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample is protected by VMProtect
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465332 Sample: BaBOHOc4Y8.exe Startdate: 14/08/2021 Architecture: WINDOWS Score: 100 118 208.95.112.1 TUT-ASUS United States 2->118 120 45.153.230.19 TEAM-HOSTASRU Russian Federation 2->120 122 9 other IPs or domains 2->122 130 Antivirus detection for URL or domain 2->130 132 Multi AV Scanner detection for dropped file 2->132 134 Multi AV Scanner detection for submitted file 2->134 136 12 other signatures 2->136 11 BaBOHOc4Y8.exe 10 2->11         started        14 svchost.exe 1 2->14         started        16 svchost.exe 2->16         started        signatures3 process4 file5 102 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->102 dropped 18 setup_installer.exe 8 11->18         started        process6 file7 58 C:\Users\user\AppData\...\setup_install.exe, PE32 18->58 dropped 60 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 18->60 dropped 62 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 18->62 dropped 64 3 other files (none is malicious) 18->64 dropped 21 setup_install.exe 8 18->21         started        process8 dnsIp9 124 172.67.170.195 CLOUDFLARENETUS United States 21->124 126 127.0.0.1 unknown unknown 21->126 94 C:\Users\user\...\efd22e6e99d7ee86.exe, PE32 21->94 dropped 96 C:\Users\user\AppData\Local\...\c98f61652.exe, PE32 21->96 dropped 98 C:\Users\user\AppData\...\626c1e3ded0b288.exe, PE32 21->98 dropped 100 4 other files (2 malicious) 21->100 dropped 25 cmd.exe 1 21->25         started        27 cmd.exe 21->27         started        29 cmd.exe 21->29         started        31 6 other processes 21->31 file10 process11 process12 33 01a389215e4.exe 4 69 25->33         started        38 efd22e6e99d7ee86.exe 27->38         started        40 626c1e3ded0b288.exe 29->40         started        42 6eee9f336da6fcf1.exe 14 5 31->42         started        44 c98f61652.exe 31->44         started        46 1a693a205739887.exe 31->46         started        48 9e27a03aab64665.exe 12 31->48         started        dnsIp13 104 37.0.10.236 WKD-ASIE Netherlands 33->104 106 37.0.11.8 WKD-ASIE Netherlands 33->106 114 12 other IPs or domains 33->114 66 C:\Users\...\zNIb4t9Nl_VzoFEr5dcvgZhN.exe, PE32 33->66 dropped 68 C:\Users\...\vCuXfayZ6dYpf4k2t2cjq_fh.exe, PE32 33->68 dropped 70 C:\Users\...\rnz6WhvZUrMAoulP8uehrldf.exe, PE32 33->70 dropped 80 45 other files (32 malicious) 33->80 dropped 138 Drops PE files to the document folder of the user 33->138 140 Creates HTML files with .exe extension (expired dropper behavior) 33->140 142 Tries to harvest and steal browser information (history, passwords, etc) 33->142 144 Disable Windows Defender real time protection (registry) 33->144 108 186.2.171.3 DDOS-GUARDCORPBZ Belize 38->108 72 C:\Users\user\...\efd22e6e99d7ee86.exe, PE32 38->72 dropped 110 104.21.92.87 CLOUDFLARENETUS United States 40->110 74 C:\Users\user\AppData\Roaming\7430486.exe, PE32 40->74 dropped 76 C:\Users\user\AppData\Roaming\6136666.exe, PE32 40->76 dropped 82 2 other files (none is malicious) 40->82 dropped 146 Detected unpacking (changes PE section rights) 40->146 148 Detected unpacking (overwrites its own PE header) 40->148 116 2 other IPs or domains 42->116 78 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 42->78 dropped 50 LzmwAqmV.exe 42->50         started        150 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->150 152 Checks if the current machine is a virtual machine (disk enumeration) 44->152 53 explorer.exe 44->53 injected 112 192.168.2.1 unknown unknown 46->112 154 Creates processes via WMI 46->154 55 1a693a205739887.exe 46->55         started        file14 signatures15 process16 dnsIp17 84 C:\Users\user\AppData\Local\Temp\7.exe, PE32 50->84 dropped 86 C:\Users\user\AppData\Local\Temp\2.exe, PE32 50->86 dropped 88 C:\Users\user\AppData\Local\...\Chrome 5.exe, PE32+ 50->88 dropped 92 7 other files (none is malicious) 50->92 dropped 128 172.67.222.125 CLOUDFLARENETUS United States 55->128 90 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 55->90 dropped file18
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/55b8c3a1997416f5c6c04663ef6f6bd2e1712ba24162f330ee31b3ec1c6864e9/
Threat name:
Win32.Infostealer.Passteal
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 12:40:03 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kw4mhimzoqlplrwaizr6633l2lqxck5cifrpgmhoggz6yhdimtuq._file
Verdict:
unknown
Similar samples:
205b3ed8bb5aaa874ef73d4a47206b16a42397e7d77422936dfa6eb39f038ab6
DiamondFox
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
DiamondFox
6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
DiamondFox
82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2
DiamondFox
c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c
DiamondFox
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
DiamondFox
cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
DiamondFox
+ 326 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:706 botnet:916 botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan vmprotect
Link:
https://tria.ge/reports/210814-1vs8x5tgga/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Unpacked files
SH256 hash:
df6d674013ce24f66df320faf829d720fda51294f673ab12e6ca660d4f5a0d93
MD5 hash:
ed22a008628e35cdaa23b15d6cc1fac7
SHA1 hash:
7a05e54bd591efa7e2b53112f76ec74effdb59c0
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
c3f668640e10b6eb17e155cf7f564c54af57b2719ea5f97ce4bd6cbab92bad7f
MD5 hash:
4ea74e00b361ebbe8f5e06d7a104c697
SHA1 hash:
115fb2bb0ca9aeeb597fc3259371a4f77678322b
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
SH256 hash:
f2c65e1f03278ed9fbe8fecd7cbdeae8b9769fdb91f2ea9163dba2e5a4a166ac
MD5 hash:
bf81245bb4e15ef6e62cb768d6a6a94b
SHA1 hash:
2d61ec4a18405867f66c606727e18e2bb779bc09
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4
MD5 hash:
3d82323e7a84a2692208024901cd2857
SHA1 hash:
9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6
MD5 hash:
80a85c4bf6c8500431c195eecb769363
SHA1 hash:
72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash:
c0d18a829910babf695b4fdaea21a047
SHA1 hash:
236a19746fe1a1063ebe077c8a0553566f92ef0f
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
d51591aeef90efc08f8ed00c1ecd558f3b2e2c70e82a2c08445c91f8b2e73417
MD5 hash:
595b31311fb733b5dd6f738917797a11
SHA1 hash:
bf6593100440d43ee577acf45e8762a342efa46b
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
MD5 hash:
5b8639f453da7c204942d918b40181de
SHA1 hash:
2daed225238a9b1fe2359133e6d8e7e85e7d6995
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
a5ea28b67b8552820e0a111d9b37945e31839b63a8e5abbb5ef010914786c390
MD5 hash:
9710e966466df1f2fb41aa913f4aa425
SHA1 hash:
04e0d06d4fd33bcc9d37ccd2c5595824e19a6d4c
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
dce5efe83443c8f2051142d3dd3d3630157acd1cda84c0f31690d49e96d60ac2
MD5 hash:
e3ccfe357807cfd51284d5fbf53f7e81
SHA1 hash:
5332457f5578d3a00a20b1b4cae9f3efcfc08fa6
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
6e4936f1d3befe9350fbfd4df101800fa01bed445292523e9154bdcb78f5e764
MD5 hash:
5d1e72be096dd85da37d4705b83f8f8a
SHA1 hash:
21fe063abd1907c0cad1e41934c31c91e50cd7cf
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
SH256 hash:
55b8c3a1997416f5c6c04663ef6f6bd2e1712ba24162f330ee31b3ec1c6864e9
MD5 hash:
b111b18faad3cf644558f0a84ebea9b6
SHA1 hash:
0379f24a192e1819c070dca64d35b9d3fd67735c
Link:
https://www.unpac.me/results/3e561bde-39d1-4a1f-b4eb-e4d48e0de2c1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/55b8c3a19974/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55b8c3a1997416f5c6c04663ef6f6bd2e1712ba24162f330ee31b3ec1c6864e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179239/

Comments