MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a
SHA3-384 hash: b290e24110d994810d741f45447b712a52c70bb9ea55c8446a5a777a9c8f42e52ce3569a7821b3cdafc20df9778b5fae
SHA1 hash: 9a8f6eb079f6f1c8421a0f78bb5387b061d843b8
MD5 hash: 0d9f7ef9fc85315c134a06c483f0a694
humanhash: high-saturn-green-football
File name:7zS.sfx.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:1'557'610 bytes
First seen:2021-08-10 10:47:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 24576:xcVkKSGXCeomdCFDWHp/7F82Py2nNEPY/RQ5DsvLwcaBhdZIl9mTqUf+HDpFWndF:xcBNCpZgu2PyONEwJ84vLRaBtIl9mTiw
Threatray 279 similar samples on MalwareBazaar
TLSH T1B57523617BD184FAE58551315E4C6F72A2B9C39C0E320ADB77D4CB0E5F3C8A1C12AE69
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter madjack_red
Tags:DiamondFox exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7zS.sfx.exe
Verdict:
No threats detected
Analysis date:
2021-08-10 10:48:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b37b2454-ca95-45ed-9736-3e537c239e76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177895/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Dropper.Chapak-9884592-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Moving a file to the %temp% subdirectory
Connection attempt
Sending a custom TCP request
DNS request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Creating a file
Sending an HTTP POST request
Reading critical registry keys
Creating a process with a hidden window
Sending a UDP request
Creating a window
Delayed reading of the file
Creating a file in the Program Files subdirectories
Connection attempt to an infection source
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Searching for analyzing tools
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f43fec85-0163-4ca5-ae82-14b4ce4bc09a
Result
Threat name:
Backstage Stealer Glupteba Metasploit Re
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830076
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Backstage Stealer
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 462507 Sample: 7zS.sfx.exe Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 100 142.250.74.193 GOOGLEUS United States 2->100 102 216.58.212.174 GOOGLEUS United States 2->102 104 7 other IPs or domains 2->104 120 Multi AV Scanner detection for domain / URL 2->120 122 Antivirus detection for URL or domain 2->122 124 Antivirus detection for dropped file 2->124 126 16 other signatures 2->126 10 7zS.sfx.exe 10 2->10         started        13 svchost.exe 1 2->13         started        signatures3 process4 file5 68 C:\Users\user\AppData\...\setup_install.exe, PE32 10->68 dropped 70 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 10->70 dropped 72 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 10->72 dropped 74 5 other files (none is malicious) 10->74 dropped 15 setup_install.exe 1 10->15         started        process6 dnsIp7 112 8.8.8.8 GOOGLEUS United States 15->112 114 104.21.19.116 CLOUDFLARENETUS United States 15->114 116 127.0.0.1 unknown unknown 15->116 46 C:\Users\user\...\karotima_2.exe (copy), PE32 15->46 dropped 48 C:\Users\user\...\karotima_1.exe (copy), PE32 15->48 dropped 118 Detected unpacking (changes PE section rights) 15->118 20 cmd.exe 1 15->20         started        22 cmd.exe 1 15->22         started        24 conhost.exe 15->24         started        file8 signatures9 process10 process11 26 karotima_1.exe 4 57 20->26         started        31 karotima_2.exe 1 22->31         started        dnsIp12 106 37.0.10.236 WKD-ASIE Netherlands 26->106 108 37.0.11.8 WKD-ASIE Netherlands 26->108 110 13 other IPs or domains 26->110 76 C:\Users\...\yux7a3BedPaaqderDUqPbW2P.exe, PE32 26->76 dropped 78 C:\Users\...\vJiHlhbsxHbfoYF41FfoxYTa.exe, PE32 26->78 dropped 80 C:\Users\...\usndatt9y3DNMgGEmu9EqIl1.exe, PE32 26->80 dropped 84 33 other files (29 malicious) 26->84 dropped 148 Drops PE files to the document folder of the user 26->148 150 Creates HTML files with .exe extension (expired dropper behavior) 26->150 152 Disable Windows Defender real time protection (registry) 26->152 33 LgF6w32eJYgfACw8gNnl2gmB.exe 26->33         started        38 dLCr3rZFQIbK0zL1f2ViVOz6.exe 26->38         started        40 EnRb4nAztWaUQ8oAU6OBtsuN.exe 20 10 26->40         started        44 5 other processes 26->44 82 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 31->82 dropped 154 DLL reload attack detected 31->154 156 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->156 158 Renames NTDLL to bypass HIPS 31->158 160 Checks if the current machine is a virtual machine (disk enumeration) 31->160 42 explorer.exe 9 14 31->42 injected file13 signatures14 process15 dnsIp16 86 116.203.127.162 HETZNER-ASDE Germany 33->86 88 74.114.154.18 AUTOMATTICUS Canada 33->88 50 C:\Users\user\AppData\...\softokn3[1].dll, PE32 33->50 dropped 52 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 33->52 dropped 54 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 33->54 dropped 64 9 other files (none is malicious) 33->64 dropped 128 Detected unpacking (changes PE section rights) 33->128 130 Detected unpacking (overwrites its own PE header) 33->130 132 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->132 134 Tries to harvest and steal browser information (history, passwords, etc) 33->134 56 C:\Users\...\dLCr3rZFQIbK0zL1f2ViVOz6.exe, PE32 38->56 dropped 136 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->136 138 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->138 140 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 38->140 90 141.8.192.58 SPRINTHOSTRU Russian Federation 40->90 92 77.220.213.35 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 40->92 94 172.67.75.172 CLOUDFLARENETUS United States 40->94 142 Tries to steal Crypto Currency Wallets 40->142 96 208.95.112.1 TUT-ASUS United States 44->96 98 2 other IPs or domains 44->98 58 C:\Users\user\AppData\Roaming\6313556.exe, PE32 44->58 dropped 60 C:\Users\user\AppData\Roaming\4613993.exe, PE32 44->60 dropped 62 C:\Users\user\AppData\Roaming\1289475.exe, PE32 44->62 dropped 66 3 other files (none is malicious) 44->66 dropped 144 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->144 146 Checks if the current machine is a virtual machine (disk enumeration) 44->146 file17 signatures18
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 16:12:54 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lubbluk4ykh5pa4arz76ceb474bj4gq4vijxabl4nzoptqandmva._file
Verdict:
unknown
Similar samples:
1a263b2603212ff1e492d9e0c718f12601789e27eaaba9a7a7048b4080c08bcb
DiamondFox
4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8
DiamondFox
5d10fa7657f41f17d508c1dbb3f63b5b2ad6deea2f47e747b118345a56ab6cdc
DiamondFox
6430e35390b94f25e609d8dc2edadd8f6b0b30bec768ce894c67028de438ab13
DiamondFox
6538789051b9ca8da7b851a2c775d0468d547d9fddb6a32433f4b1e5fe9a6ece
DiamondFox
9674d5eec506800988ac7469acafaab10d6c879c83aba6ccb023935de5cd2a0e
DiamondFox
d74a07eeb26faeed4799f582bcb3c22ba985cc7bf21685d3b6e37aa694a72d97
DiamondFox
+ 269 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:vidar botnet:61k_combo botnet:916 botnet:937 botnet:forinstalls2 aspackv2 backdoor discovery dropper evasion infostealer loader stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210810-5exm35ffre/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
45.14.49.117:14251
77.220.213.35:52349
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Link:
https://www.unpac.me/results/88b745ee-bb02-4dad-bb36-8343f2b376d3/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
16ebbf885657b3f0915505583d6b278e3b2532a0f12e46b37480387475d17a80
MD5 hash:
ebc6e08ca83a855af8ee412425adc7b6
SHA1 hash:
ab074a777194fea215d3149dfcf170f923f29523
Link:
https://www.unpac.me/results/88b745ee-bb02-4dad-bb36-8343f2b376d3/
SH256 hash:
42c8eec62a8744104e562a733b00eb669bde519ea39a3888f5206d707232854a
MD5 hash:
6e60dc40e0845b9b8e2ea48cff92a82e
SHA1 hash:
8a8465748c412c9804a11629a69d33b1922fbe65
Link:
https://www.unpac.me/results/88b745ee-bb02-4dad-bb36-8343f2b376d3/
SH256 hash:
c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e
MD5 hash:
9108ad5775c76cccbb4eadf02de24f5d
SHA1 hash:
82996bc4f72b3234536d0b58630d5d26bcf904b0
Link:
https://www.unpac.me/results/88b745ee-bb02-4dad-bb36-8343f2b376d3/
Parent samples :
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
2e0aa0a227693edef6ce35a322f29e7cfb0fd70f7185c5d90b2c12a57d2de5a0
MD5 hash:
c3bac186bfd7f36006a39463d9570689
SHA1 hash:
78d35588ab0e487ab62677145d4cc3a45d5122da
Link:
https://www.unpac.me/results/88b745ee-bb02-4dad-bb36-8343f2b376d3/
SH256 hash:
5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a
MD5 hash:
0d9f7ef9fc85315c134a06c483f0a694
SHA1 hash:
9a8f6eb079f6f1c8421a0f78bb5387b061d843b8
Link:
https://www.unpac.me/results/88b745ee-bb02-4dad-bb36-8343f2b376d3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5d0215d15cc2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177895/

Comments