MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8
SHA3-384 hash: 55242877cf7a5ab57868bdf5b64775993aab38f52d4c71f67c9ac2881a03aee87aad60251d1829d1100ea782a794436d
SHA1 hash: 0e717c6fc62ece11a17919ce1f1cc5cdc1bc711e
MD5 hash: 478c7cd1d366a77444568d45f252abeb
humanhash: fourteen-ten-magnesium-mike
File name:478C7CD1D366A77444568D45F252ABEB.bin
Download: download sample
Signature DiamondFox
Create hunting rule
File size:3'090'794 bytes
First seen:2021-09-09 04:20:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9gIxFNiOIkvx2ldpBGld+BvTljVvDq88tnuiRLAKDw8rE6xjHgCF8jv4IGKctXug:ycnIkElbBGld+fFqNcKRxlASSvLGKMXd
Threatray 539 similar samples on MalwareBazaar
TLSH T133E53338CA47B66FEBF39478E5857A1D6C3371613C60076E3DE0675E3836827498A632
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter JAMESWT_WT
Tags:DiamondFox exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186480/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Sending a UDP request
Searching for the window
Running batch commands
Connection attempt
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb4cc107-4388-4b5c-941f-35c5288a9e9e
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/847819
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 480253 Sample: QHWJPV5j56.bin Startdate: 09/09/2021 Architecture: WINDOWS Score: 100 102 104.21.64.202 CLOUDFLARENETUS United States 2->102 104 google.vrthcobj.com 2->104 132 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->132 134 Antivirus detection for URL or domain 2->134 136 Multi AV Scanner detection for submitted file 2->136 138 14 other signatures 2->138 12 QHWJPV5j56.exe 10 2->12         started        15 svchost.exe 1 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 file5 100 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->100 dropped 19 setup_installer.exe 17 12->19         started        process6 file7 62 C:\Users\user\AppData\...\setup_install.exe, PE32 19->62 dropped 64 C:\Users\user\...\Mon23fdeac222bf0c6d.exe, PE32 19->64 dropped 66 C:\Users\user\...\Mon23f7a44a23bc7.exe, PE32 19->66 dropped 68 12 other files (4 malicious) 19->68 dropped 22 setup_install.exe 1 19->22         started        process8 dnsIp9 120 hsiens.xyz 104.21.87.76, 49760, 80 CLOUDFLARENETUS United States 22->120 122 127.0.0.1 unknown unknown 22->122 162 Performs DNS queries to domains with low reputation 22->162 164 Adds a directory exclusion to Windows Defender 22->164 26 cmd.exe 1 22->26         started        28 cmd.exe 22->28         started        30 cmd.exe 1 22->30         started        32 8 other processes 22->32 signatures10 process11 signatures12 35 Mon2313143945.exe 71 26->35         started        40 Mon2310124f65.exe 28->40         started        42 Mon2339edf58bddc71d.exe 2 30->42         started        130 Adds a directory exclusion to Windows Defender 32->130 44 Mon23f7a44a23bc7.exe 32->44         started        46 Mon23125dbbd055c928.exe 32->46         started        48 Mon23fdeac222bf0c6d.exe 32->48         started        50 4 other processes 32->50 process13 dnsIp14 112 2 other IPs or domains 35->112 70 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 35->70 dropped 72 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 35->72 dropped 86 10 other files (none is malicious) 35->86 dropped 140 Detected unpacking (changes PE section rights) 35->140 142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->142 144 Tries to harvest and steal browser information (history, passwords, etc) 35->144 146 Tries to steal Crypto Currency Wallets 35->146 148 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->148 150 Maps a DLL or memory area into another process 40->150 152 Checks if the current machine is a virtual machine (disk enumeration) 40->152 52 explorer.exe 40->52 injected 74 C:\Users\user\...\Mon2339edf58bddc71d.tmp, PE32 42->74 dropped 54 Mon2339edf58bddc71d.tmp 42->54         started        106 startupmart.bar 104.21.37.182, 443, 49767, 49769 CLOUDFLARENETUS United States 44->106 114 2 other IPs or domains 44->114 76 C:\Users\user\AppData\Roaming\6531965.exe, PE32 44->76 dropped 78 C:\Users\user\AppData\Roaming\4263267.exe, PE32 44->78 dropped 80 C:\Users\user\AppData\Roaming\1593763.exe, PE32 44->80 dropped 154 Performs DNS queries to domains with low reputation 44->154 116 2 other IPs or domains 46->116 82 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 46->82 dropped 156 Creates processes via WMI 46->156 108 iplogger.org 88.99.66.31, 443, 49768 HETZNER-ASDE Germany 48->108 110 www.listincode.com 144.202.76.47, 443, 49764 AS-CHOOPAUS United States 48->110 158 May check the online IP address of the machine 48->158 118 2 other IPs or domains 50->118 84 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 50->84 dropped 160 Sample uses process hollowing technique 50->160 file15 signatures16 process17 dnsIp18 124 safialinks.com 162.0.213.132, 49759, 80 ACPCA Canada 54->124 88 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 54->88 dropped 90 C:\Users\user\AppData\Local\...\el34zAN.exe, PE32 54->90 dropped 92 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 54->92 dropped 94 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 54->94 dropped 58 el34zAN.exe 54->58         started        file19 process20 dnsIp21 126 162.0.210.44 ACPCA Canada 58->126 128 162.0.220.187 ACPCA Canada 58->128 96 C:\...\Pavylexywe.exe.config, Unknown 58->96 dropped 98 C:\Program Files (x86)\...\Pavylexywe.exe, Unknown 58->98 dropped file22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 04:41:45 UTC
File Type:
PE (Exe)
Extracted files:
99
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgewtxzntddgba3pydeu7fozhsgfmhyz6edmk3wkh5nkteymxoua._file
Verdict:
unknown
Similar samples:
32f6b938399aa2d2ac58336d83a4fcdb5aab622c91e019969a78fc041af75339
DiamondFox
3febf03463e0e65ef9d0fc4e8a38f01dd7c6dfee10258876981539b7a319a620
DiamondFox
4f4c2c9bdfef8a8cfbe2c8f84bf12cc86f26f59d54c277dab39f4c5e92948708
DiamondFox
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
DiamondFox
5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae
DiamondFox
6e67e541d5801d97cb6fc3ec483b7b9dc302506c0f3a1ef0942ea3f7126e9e87
DiamondFox
76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356
DiamondFox
90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
DiamondFox
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
DiamondFox
+ 529 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:lyla aspackv2 backdoor dropper evasion infostealer loader persistence stealer themida trojan
Link:
https://tria.ge/reports/210909-eym89sfed7/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
95.181.172.207:56915
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Dropper Extraction:
http://shellloader.com/welcome
Unpacked files
SH256 hash:
17c6394f4256e6ec014b98d078dcfae89bfff431bb5fd17e95d5858b50ca1659
MD5 hash:
2927aaa5f942c2fb3f781d0ed30fb6ab
SHA1 hash:
19c566defbc40d60e909cd4635a840a042b119b3
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
30ced67922952319f405dec8f04efd805135b8e44f800efe0adbf5b4f2609e9c
MD5 hash:
38ffbb461006fcd43d0c8c4dda5138aa
SHA1 hash:
1e91d3235146b6b4ce2b21674b159f773a042434
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
84100c09249deb297e6b7ec1e94538f9652731b961d056d529535f0efaa428cc
MD5 hash:
9da2c27249e707cec3b2b3f83f492ebf
SHA1 hash:
f856e47afc6f8663e0a9366d08078bfeb8431dc3
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
15df8e8a7cb1721007ab652250097818fa0a0fffe2555c55708209549e0e5303
MD5 hash:
467c1658e917bb61952551b9651c83d4
SHA1 hash:
ce6c8dc12a8eb3caf2cd299517f6e51421947701
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
2dce5c731606b28b105a8decd2693d5337614daaf89f865c68beecbaab32aee8
MD5 hash:
d9e00f4dd290760ee3ec0937f33906c2
SHA1 hash:
cc2494df568cf9750f0f716fe1f481d7096a149f
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
a7514c2def80de84ee00d3b8a00a1f3f88339e40037a6e9b95c63bd153ef88e1
MD5 hash:
2efb72dc358498b5378aaec9df90501c
SHA1 hash:
6b81f83d705f4c1006cf8b1af3637acace95dee0
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
19cc59201156045e27d4aa2a929954b2a50ffa485eb32c2f0aefb379107060cf
MD5 hash:
00a470c8036d4dc4b8e669dd30ea903b
SHA1 hash:
31366dafb9260aa6fa732077ccc785bd6d428048
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
6b0ddfbb10284c0820c6170bdfe54b4de0f96fb8c166f1af9ce8588b0acfc3f4
MD5 hash:
b31e38ae5eba7dca3f49a6b86d15a695
SHA1 hash:
041c85ba8a54ba0094c8a51fbe2f1ac48bffc740
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
57c0974db11a84b305dd07a49d3569a42f8d19fc42b659ef9d5755c40ee87537
MD5 hash:
ba669dedf1c507c40a5932ca77a6ae72
SHA1 hash:
83582af8c00c6ebf0bd71aecc2f6fa67ecd127a4
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
6b79ef1199870c82405ff48fbd0b01ad895567a19b9f54a71fffe7f92cde5f8c
MD5 hash:
07dd051fbe0d3e0fdde9b8347f4ea66e
SHA1 hash:
198a6f11ef0815347c475d2f65eed933fb295ce6
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
44631ac27bcbdd902841cc89ccb3653ddb179c29d85c6f538f7eeeecfb43482c
MD5 hash:
a24246c8f351b556919709c9a8ee0c30
SHA1 hash:
e984f0240977ba00fb30ca233390615f2a00b4c3
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
7c7b28b96695dc80ce198878c31bdf2aec57b129ed57d9e27df40ea500c3a723
MD5 hash:
24f2ba6835701c4763279910486d3c39
SHA1 hash:
4e689dc81264e1f18a4d7db700b7f5f6ae4a1b4c
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
26d5e0944c041123c60234a46e15a083ba2b476a9fd717d803a33bad446c6386
MD5 hash:
77573ff87971ce5fab7a496de22916dc
SHA1 hash:
10c6c39f8ef30ac620563069e81e06b4c4cdfcf7
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
SH256 hash:
618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8
MD5 hash:
478c7cd1d366a77444568d45f252abeb
SHA1 hash:
0e717c6fc62ece11a17919ce1f1cc5cdc1bc711e
Link:
https://www.unpac.me/results/17ad8049-bdb3-498d-bf01-d4f6d45eeb86/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/618969df2d98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186480/

Comments