MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a
SHA3-384 hash: 4bbdd6a99ab8c4445386f76d2bbffdcf7bf0dcdc176513a488c5fe9ab8cfed0f4a193fb4f449d27cf7a68e09084e33de
SHA1 hash: 73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57
MD5 hash: de4b296cb2891bd1c3ed085ed648a62d
humanhash: ohio-oven-harry-twenty
File name:123rd48.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:592'896 bytes
First seen:2021-01-19 13:45:54 UTC
Last seen:2021-01-27 15:43:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93e69d54c16c1662027c2b5b59c24620 (1 x DiamondFox)
ssdeep 1536:OCRrntf9VQcunYvNrzVbIwPX1Dsh5tGK7MtJSxrbErzzT832Cmm6gg+hwIktQBZ6:OqBfTQy9U5cYMtL+hwIk+BnqS8ada
Threatray 608 similar samples on MalwareBazaar
TLSH CBC40A7BE714C816D99C03B8A4F3994539E2746D0A7218DEAB360E5C3CA73B43C6DB49
Reporter Anonymous
Tags:DiamondFox exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
123rd48.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 13:51:27 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/913c3607-5867-4264-ab80-65d2aa67d0e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112916/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APW.19861.9353.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Sending a UDP request
Creating a file
Creating a process from a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Diamondfox MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/585100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Powershell creates an autostart link
Powershell drops PE file
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Powershell create lnk in startup
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes or reads registry keys via WMI
Yara detected BrowsingHistoryView browser history reader tool
Yara detected Diamondfox
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341588 Sample: 123rd48.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 49 cklecriversiounfiern.online 2->49 51 ip.seeip.org 2->51 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 11 other signatures 2->67 10 123rd48.exe 1 2->10         started        signatures3 process4 signatures5 75 Detected unpacking (changes PE section rights) 10->75 77 Detected unpacking (overwrites its own PE header) 10->77 79 Suspicious powershell command line found 10->79 13 powershell.exe 19 10->13         started        process6 file7 37 C:\Users\user\AppData\Local\...\audiodg.exe, PE32 13->37 dropped 39 C:\Users\user\...\audiodg.exe:Zone.Identifier, ASCII 13->39 dropped 81 Powershell creates an autostart link 13->81 83 Powershell drops PE file 13->83 17 audiodg.exe 7 13->17         started        21 conhost.exe 13->21         started        signatures8 process9 dnsIp10 43 cklecriversiounfiern.online 5.101.218.70, 49732, 49733, 49736 KERCHNET-ASMultiserviceNetworksLtdRU Russian Federation 17->43 45 ip.seeip.org 23.128.64.141, 443, 49730, 49758 JOESDATACENTERUS United States 17->45 47 192.168.2.1 unknown unknown 17->47 53 Multi AV Scanner detection for dropped file 17->53 55 Detected unpacking (changes PE section rights) 17->55 57 Detected unpacking (overwrites its own PE header) 17->57 59 8 other signatures 17->59 23 audiodg.exe 17->23         started        26 audiodg.exe 13 17->26         started        28 audiodg.exe 17->28         started        30 2 other processes 17->30 signatures11 process12 file13 69 Tries to steal Instant Messenger accounts or passwords 23->69 71 Tries to steal Mail credentials (via file access) 23->71 73 Tries to harvest and steal browser information (history, passwords, etc) 26->73 41 C:\Users\user\AppData\Roaming\...\audiodg.lnk, MS 30->41 dropped 33 conhost.exe 30->33         started        35 conhost.exe 30->35         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a/
Threat name:
Win32.Trojan.Malrep
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 18:43:38 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
079a0f977b60a6115bcddb387d8783eeea8cdd7678369c01d0e7b8a6071bf123
DiamondFox
0ac30990fdf9e06367b60690e98803de01f668f8bc6b76c673a9295acb435d16
DiamondFox
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
DiamondFox
2289136c68f1e298835aaeaf45d759c7525710627784fe86b509b9c5c9edc14a
DiamondFox
41ec47ce62f13677c0c4576c97e299471072aa9ade05670ad0aefdbbd9187fca
DiamondFox
a4c035de8a4edb11a8cfaef2f2f8326d8909578cf9d5a5534edd4eb9d5a50680
DiamondFox
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
DiamondFox
e9fb11df00c7a833b875f7c68fc6d5ee3edeeac7c63d85fc4897f6aef7596f7c
DiamondFox
eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2
DiamondFox
f98bb09a67afe83ca7b041488f460d2a8b96224d77f21117d5b0076e04706dd4
DiamondFox
+ 598 additional samples on MalwareBazaar
Result
Malware family:
diamondfox
Create hunting rule
Score:
  10/10
Tags:
family:diamondfox botnet spyware stealer
Link:
https://tria.ge/reports/210119-zcpr9czfxs/
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DiamondFox payload
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
DiamondFox
Unpacked files
SH256 hash:
c74b37aecb65e45432eb84cb9e9813b711fd7fb03d973ebaa063c85c2f76ae5f
MD5 hash:
3d645cc1dadc58b7aeb8d0d1d9021a8c
SHA1 hash:
8a88a8ba940e6f22708f0bd85ac84786a5d84a66
Link:
https://www.unpac.me/results/33389297-4747-402c-98f9-0f64da9a9cc5/
SH256 hash:
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a
MD5 hash:
de4b296cb2891bd1c3ed085ed648a62d
SHA1 hash:
73aaa5d6869bd25abb78ba5beb27ec8c5ee71e57
Link:
https://www.unpac.me/results/33389297-4747-402c-98f9-0f64da9a9cc5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DiamondFox

Executable exe 63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/112916/
  
URLhaus
https://urlhaus.abuse.ch/url/971702/
  
Delivery method
Distributed via web download

Comments