MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8a
SHA3-384 hash: a2d275dc28e2c59ce46e43e8afdc40508655f979d6872b4cef612451ce2cd2c94829776ec54215b0e58e785dc3926414
SHA1 hash: 8cec059ca3eb9b8a77775c021c155f00c9d18395
MD5 hash: 64a534242627bc0dfc8bdb32f49a4d59
humanhash: monkey-maine-hydrogen-moon
File name:64A534242627BC0DFC8BDB32F49A4D59.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:4'960'375 bytes
First seen:2021-09-08 14:16:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yXmTuJH5FPywbQ/zpgXGfVfhYB726W9B/VIPGbgKVZ1G:yXmqRPYppdfZfVIPEG
Threatray 537 similar samples on MalwareBazaar
TLSH T1503633B5B1658A6AD429C8B3677277EE2EF4C15312826728B3624E8C3F41501FC1FE76
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://185.163.45.90/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.45.90/ https://threatfox.abuse.ch/ioc/218040/

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Sharik
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186394/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Dropper.Generickdz-9890302-0
Create hunting rule

Win.Dropper.Upatre-9890301-1
Create hunting rule

Win.Dropper.Generickdz-9890921-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Sending a UDP request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Creating a process with a hidden window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b05ebe3-4cf8-445f-851d-7c37a736558d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/847542
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 479975 Sample: 9QP9waKMdO.exe Startdate: 08/09/2021 Architecture: WINDOWS Score: 100 91 172.67.176.199 CLOUDFLARENETUS United States 2->91 93 172.67.194.30 CLOUDFLARENETUS United States 2->93 95 2 other IPs or domains 2->95 125 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->125 127 Antivirus detection for URL or domain 2->127 129 Antivirus / Scanner detection for submitted sample 2->129 131 13 other signatures 2->131 11 9QP9waKMdO.exe 10 2->11         started        14 svchost.exe 1 2->14         started        signatures3 process4 file5 71 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->71 dropped 16 setup_installer.exe 17 11->16         started        process6 file7 53 C:\Users\user\AppData\...\setup_install.exe, PE32 16->53 dropped 55 C:\Users\user\...\Sun04f8c94eea9cb9.exe, PE32 16->55 dropped 57 C:\Users\user\AppData\...\Sun04dac6d7a0.exe, PE32 16->57 dropped 59 12 other files (7 malicious) 16->59 dropped 19 setup_install.exe 1 16->19         started        process8 dnsIp9 97 hsiens.xyz 172.67.142.91, 49746, 80 CLOUDFLARENETUS United States 19->97 99 127.0.0.1 unknown unknown 19->99 133 Performs DNS queries to domains with low reputation 19->133 135 Adds a directory exclusion to Windows Defender 19->135 23 cmd.exe 19->23         started        25 cmd.exe 1 19->25         started        27 cmd.exe 1 19->27         started        29 7 other processes 19->29 signatures10 process11 signatures12 32 Sun043e60205beb4f.exe 23->32         started        36 Sun047089ae5093c14.exe 25->36         started        38 Sun041024b30f4a0.exe 1 27->38         started        137 Adds a directory exclusion to Windows Defender 29->137 40 Sun04637c853e.exe 29->40         started        43 Sun045118d0261f811cc.exe 3 29->43         started        45 Sun043bec3ec581a9.exe 12 29->45         started        47 2 other processes 29->47 process13 dnsIp14 73 45.144.225.236, 49748, 49757, 80 DEDIPATH-LLCUS Netherlands 32->73 75 37.0.10.214, 49747, 80 WKD-ASIE Netherlands 32->75 83 2 other IPs or domains 32->83 101 Multi AV Scanner detection for dropped file 32->101 103 May check the online IP address of the machine 32->103 105 Machine Learning detection for dropped file 32->105 107 Disable Windows Defender real time protection (registry) 32->107 109 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->109 111 Maps a DLL or memory area into another process 36->111 113 Checks if the current machine is a virtual machine (disk enumeration) 36->113 85 3 other IPs or domains 38->85 115 Contains functionality to steal Chrome passwords or cookies 38->115 117 Tries to harvest and steal browser information (history, passwords, etc) 38->117 67 C:\Users\user\AppData\...\Sun04637c853e.tmp, PE32 40->67 dropped 119 Antivirus detection for dropped file 40->119 49 Sun04637c853e.tmp 40->49         started        77 a.goatgame.co 172.67.146.70, 443, 49738, 49741 CLOUDFLARENETUS United States 43->77 69 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 43->69 dropped 121 Creates processes via WMI 43->121 79 74.114.154.22 AUTOMATTICUS Canada 45->79 81 88.99.66.31 HETZNER-ASDE Germany 47->81 123 Detected unpacking (changes PE section rights) 47->123 file15 signatures16 process17 dnsIp18 87 the-flash-man.com 49->87 89 best-link-app.com 49->89 61 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 49->61 dropped 63 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 49->63 dropped 65 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 49->65 dropped file19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8a/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 00:48:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqbedl7ih4r625g6efyutfbsst5wck5iukb63nietqr7awkbjkfa._file
Verdict:
malicious
Similar samples:
3febf03463e0e65ef9d0fc4e8a38f01dd7c6dfee10258876981539b7a319a620
DiamondFox
4f4c2c9bdfef8a8cfbe2c8f84bf12cc86f26f59d54c277dab39f4c5e92948708
DiamondFox
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
DiamondFox
5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae
DiamondFox
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
DiamondFox
6e67e541d5801d97cb6fc3ec483b7b9dc302506c0f3a1ef0942ea3f7126e9e87
DiamondFox
76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356
DiamondFox
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
DiamondFox
+ 527 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:vidar botnet:706 aspackv2 backdoor dropper infostealer loader stealer suricata themida trojan
Link:
https://tria.ge/reports/210908-rk7rzahgfp/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Win32/Tnega Activity (GET)
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
64ffc8a9ef49470c23de2952972cf796f9a081f902e0b35f7bdc270a9784f06a
MD5 hash:
5f61cabf346884d12876eaefad9da7ba
SHA1 hash:
f18ea2dfe4e3e5e3a803c5d08945a1200ed84130
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
Parent samples :
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
SH256 hash:
de776a861c0437152110af6c8587371652700b593aba04570845b1f43354d48e
MD5 hash:
5760f92ffa3e901f79ba5a228da4ffb4
SHA1 hash:
c835255267fbeffd5acfe441a970b1b9ad57f9ae
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
b5864940981481cef770a0a09268cb5aaf63a86d32fa7ff980dc22a72f855697
MD5 hash:
f2a75bdb477dbc61a40c582493f91599
SHA1 hash:
822664f9040b7a38cf64a943973196e7b418e936
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
24da4be8c1d9ca77f30cfea2e4fa4113d2be3497a1efba8c2465605dccf20166
MD5 hash:
698f103458a664e57eae14b914673934
SHA1 hash:
71f6f414b92fc5daf178e5b0d49a24fd4890439b
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
eb97bd9ab0539b21f0be447002d004efeec3133811022f73516cb7627f3b5fc1
MD5 hash:
ab73cc413405209fcf52577c34c2c8a3
SHA1 hash:
6bb120fa23e1198528f251efe74bdd27f67c47d2
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
603c61184bc21390d64d8fe234f3b5928bb38384bd382aa0466980909b7ed60b
MD5 hash:
427aa284f4b287435f555b948ea061ce
SHA1 hash:
3d087b25e1fedf107abb78c337b965a9bdea8c1d
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
9791a7cf7065aefbb1b011c11e9f4de289cbea1133bb21c6f5b8016a883a4ee9
MD5 hash:
be4e6f7c03e32f970bc232e50ef94a12
SHA1 hash:
023f5aa8d4ac88edee4133dc192515fee662b0e2
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
aafc69d03ed7357afe5ace72217e769a49791b0d275fe5e432180903cce805be
MD5 hash:
5491cf213d898b6e6b0addbd4dc4f073
SHA1 hash:
138528e384217d5cecf44cb12fc29a8d77bbfbd6
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
535b0b47ef16c03f8950899bdc7b4bb1f70d3c8874af5539af55d8990a5e8258
MD5 hash:
8e68f120af11fc80a15e0e6e0501de2e
SHA1 hash:
821601a6929829b6a61d2b4bff3c1358216d4d2f
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
5b63b5a7605fbe9579b7fa7e9e3ec7a99cd3886f092bcf6a346ed3c6261e44b8
MD5 hash:
e844660db8141a9ff417039887aa6d8f
SHA1 hash:
7dd4855fb3f79ad1deb92196e2697d7eb5693509
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
9bc945b4179b62e79e99577026ef26a031fe5c4e7b482b452f400223dfabc083
MD5 hash:
18f463dae16e014765154a79582eb6dd
SHA1 hash:
1b2fd5805511bf02653cb8b4e8c8d04bda4425a0
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
cc3cd527f8d48f8656232dee7bc7ea3b86da0fb6839da898f80bab1ce69dc02c
MD5 hash:
4824e447ae5f30665213e9eaa38aa99b
SHA1 hash:
cff6d2fbe128d0cebf582df36b1f95ac2dbc0e82
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
SH256 hash:
640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8a
MD5 hash:
64a534242627bc0dfc8bdb32f49a4d59
SHA1 hash:
8cec059ca3eb9b8a77775c021c155f00c9d18395
Link:
https://www.unpac.me/results/7f81e16c-8337-41f8-8fcc-81d10f37197c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/640241afe83f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186394/

Comments