MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5774f205b3abcd5adc225b26b5ce546c2e7eb3490d03aa13c15234370dc42e27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox

Vendor detections: 11

SHA256 hash: 5774f205b3abcd5adc225b26b5ce546c2e7eb3490d03aa13c15234370dc42e27
SHA3-384 hash: 4c18019ba58297412fed28158f6f5abce069adaca386fca581b5673c8bd1846e3615b92f29a7d8b81e54a47591c194ef
SHA1 hash: 54cee91fd729023192df5c09366d9b29b244294c
MD5 hash: ecc7c0d1e74e36914d07d8c94fe8212c
humanhash: hawaii-saturn-butter-friend
File name: ECC7C0D1E74E36914D07D8C94FE8212C.exe
Signature: DiamondFox
File size: 2'223'936 bytes
First seen: 2021-09-07 18:56:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 49152:9gQlUhK+stgjsTuWbAuNC+2cPz7itu7NGrJMznKcYiH:yZVkjucAuNCyAJMdbH
Threatray: 529 similar samples on MalwareBazaar
TLSH: T111A533166BE296FED83A0D302AE57C410F76790A0D819A6F2B783724BD93F41DCCE251
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: DiamondFox exe

abuse_ch
DiamondFox C2:
http://178.23.190.242/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://178.23.190.242/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/216953/

Intelligence

File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ECC7C0D1E74E36914D07D8C94FE8212C.exe
Verdict: No threats detected
Analysis date: 2021-09-07 18:58:34 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Modifying a system file
Possible injection to a system process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Creating a window
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Deleting a recently created file
Sending a UDP request
Creating a file in the Program Files subdirectories
Reading critical registry keys
Moving a file to the Program Files subdirectory
Replacing files
Sending an HTTP POST request
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Setting a single autorun event
Launching a tool to kill processes
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: RedLine Vidar Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: Behavior Graph ID 479305, Sample F5ttxmxaO9.exe, Startdate 07/09/2021, Architecture WINDOWS, Score 100 (rendered process/network graph not reproduced here)
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2021-09-03 23:38:41 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:vidar family:xmrig botnet:706 botnet:pub aspackv2 discovery evasion infostealer miner persistence spyware stealer
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
Vidar Stealer
XMRig Miner Payload
Process spawned unexpected child process
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
xmrig
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
193.56.146.78:51487
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments