MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca
SHA3-384 hash: 6490d2be4c150d381ab09aeb63326de32bf9c100c102a8048f632f16e13745d8881cda7f70e1432f15b8353f219e2a23
SHA1 hash: ad6d23e0da5e05cac857111ce376d8cf6b46930a
MD5 hash: e51038570d307a474c11dad48a5503c2
humanhash: pip-potato-blue-fix
File name:E51038570D307A474C11DAD48A5503C2.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:4'558'907 bytes
First seen:2021-08-12 08:51:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xmCvLUBsgyLBZwCOMWjybulF9e+9SYQKYQddJopOQAj1xS:xPLUCgyt2CP2F97QsJoUrS
Threatray 296 similar samples on MalwareBazaar
TLSH T1892633107B8481F9F9132031DA842BBE6A6CCB9116395CD73B52C18E5B3FD93E62B91D
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
45.14.49.128:16334

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.14.49.128:16334 https://threatfox.abuse.ch/ioc/172157/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E51038570D307A474C11DAD48A5503C2.exe
Verdict:
No threats detected
Analysis date:
2021-08-12 08:54:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4d50dcd7-c6c7-4d5c-a7b0-7331af0c1bdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178554/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb8e005c-b7a6-4794-8a60-1c0848fae1ee
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831582
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 464014 Sample: 3xtsHD5bZW.exe Startdate: 12/08/2021 Architecture: WINDOWS Score: 100 71 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->71 73 116.203.127.162 HETZNER-ASDE Germany 2->73 75 8 other IPs or domains 2->75 95 Antivirus detection for URL or domain 2->95 97 Antivirus detection for dropped file 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 12 other signatures 2->101 9 3xtsHD5bZW.exe 8 2->9         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\setup_install.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 9->39 dropped 41 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 9->41 dropped 43 3 other files (none is malicious) 9->43 dropped 12 setup_install.exe 11 9->12         started        process6 dnsIp7 91 172.67.186.33 CLOUDFLARENETUS United States 12->91 93 127.0.0.1 unknown unknown 12->93 63 C:\Users\user\AppData\...\e39b4f027dbfff1.exe, PE32 12->63 dropped 65 C:\Users\user\AppData\...\8b2ad6130623.exe, PE32+ 12->65 dropped 67 C:\Users\user\AppData\Local\...\60cd78db5.exe, PE32 12->67 dropped 69 7 other files (1 malicious) 12->69 dropped 16 cmd.exe 12->16         started        18 cmd.exe 1 12->18         started        20 cmd.exe 1 12->20         started        22 4 other processes 12->22 file8 process9 process10 24 60cd78db5.exe 16->24         started        29 e39b4f027dbfff1.exe 90 18->29         started        31 8b2ad6130623.exe 20->31         started        33 d62bd528954.exe 14 8 22->33         started        35 6d020bf942ef2.exe 14 5 22->35         started        dnsIp11 77 37.0.10.236 WKD-ASIE Netherlands 24->77 79 37.0.11.8 WKD-ASIE Netherlands 24->79 83 13 other IPs or domains 24->83 45 C:\Users\...\vuwSLf2RfPToeYj3Udxcf2Nd.exe, PE32 24->45 dropped 47 C:\Users\...479hwKT1CxYQCdrgkyGBEWlXV.exe, PE32 24->47 dropped 49 C:\Users\user\AppData\...\P7GlorySp[2].exe, PE32 24->49 dropped 57 35 other files (15 malicious) 24->57 dropped 103 Tries to harvest and steal browser information (history, passwords, etc) 24->103 105 Disable Windows Defender real time protection (registry) 24->105 85 2 other IPs or domains 29->85 59 12 other files (none is malicious) 29->59 dropped 107 Detected unpacking (changes PE section rights) 29->107 109 Detected unpacking (overwrites its own PE header) 29->109 111 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->111 113 Tries to steal Crypto Currency Wallets 29->113 87 4 other IPs or domains 31->87 51 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 31->51 dropped 81 172.67.190.140 CLOUDFLARENETUS United States 33->81 53 C:\Users\user\AppData\Roaming\7290910.exe, PE32 33->53 dropped 61 3 other files (none is malicious) 33->61 dropped 89 2 other IPs or domains 35->89 55 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 35->55 dropped file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 19:01:29 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mvreefpjme7esiwdf2yyjn26uezuu2rpumwul32tlemo6642t3fa._file
Verdict:
unknown
Similar samples:
39ec80621b9b8fcefe89e543622c4263b7629a1207107bebd239a50124bb7fc7
DiamondFox
44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e
DiamondFox
51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3
DiamondFox
854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a
DiamondFox
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
DiamondFox
befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec
DiamondFox
c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c
DiamondFox
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
DiamondFox
+ 286 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:7new botnet:916 botnet:937 aspackv2 backdoor dropper evasion infostealer loader persistence spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210812-rpbkflqz6s/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
https://lenak513.tumblr.com/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Unpacked files
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
76fd57122331c7e402c7ab4a48bb9a86529641200f391241e20f31232e5f439b
MD5 hash:
922068b48ff8abb7e513a724443c1f62
SHA1 hash:
fef5db5322dae45dade837d28a2ad1aa159c74b9
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
0cfeb696a1e79a5933429e77f1d32b5d95fafbbd7053955a7ade9c0de264a904
MD5 hash:
2354ad9552eb7a2b129b6397be8fdcf1
SHA1 hash:
20218e9b1dc221230e279cdc1e33e012d38a7aeb
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
6e037f08a0c238f222fa2d717d487896fb12c411129748e6729e5599abc43b13
MD5 hash:
9806f3f87bcb267281009a6fc5c420fa
SHA1 hash:
1e36820c67183d74e9c1f94cfa63863e520b0598
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
Parent samples :
549953d5db2a4646740e721e24ec1b7fa57ef6c4d72ffa32752b17d4a65c36e4
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
SH256 hash:
b151ffd0f57b21600a05bb28c5d1f047f423bba9750985ab6c3ffba7a33fa0ff
MD5 hash:
fcd4dda266868b9fe615a1f46767a9be
SHA1 hash:
f5d26b20ebdcd2f48ebbccff80b882ea2fa48e8c
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
dc5bbf1ea15c5235185184007d3e6183c7aaeb51e6684fbd106489af3255a378
MD5 hash:
af56f5ab7528e0b768f5ea3adcb1be45
SHA1 hash:
eaf7aefb8a730a15094f96cf8e4edd3eff37d8a1
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
MD5 hash:
13a289feeb15827860a55bbc5e5d498f
SHA1 hash:
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
dd0f65cbddcae2175bb4e51f7bc56f32d99408fcd5559ea8910f7cdcff6fa904
MD5 hash:
954e3c53c265d4c095f744a8a3b5ea93
SHA1 hash:
ef8cd0089d61ec1171219677c7256f2b5686d7c8
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
0a22c13c333663a95e303faae430fcdb5608c3b767a79532e08a4fd98aa5067a
MD5 hash:
d46556df7b34912bd9f2f38f901deb3f
SHA1 hash:
dd776c69430c2d92de8480984962406c4421262e
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
MD5 hash:
7aaf005f77eea53dc227734db8d7090b
SHA1 hash:
b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
d3094ace66cb79bc2b60f745c955f3025e3c1b8d20a280e488e3d7e9ceca4be2
MD5 hash:
d3ed4307594c9c5015476ec8232c5058
SHA1 hash:
0781e30b45b422dbfc2d430750256fa41d78750c
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
8f8b3e74b5f6d971804dcbdf5f6d14de5bdffa425c6390cbd17b54400c8e39ea
MD5 hash:
48342c6e461b10ce83a9798b57e05e63
SHA1 hash:
c12b36d69537422036d0e894c6dbf06f990f4227
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
cb40cb8070caacccbc8c1d6ee847b34b35c961095c8a003a3889bfe817347655
MD5 hash:
cd5e1197901a576565e26d332eedec53
SHA1 hash:
7a2b2b11f3824318b00bae0996b69b1d28933ecc
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
SH256 hash:
65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca
MD5 hash:
e51038570d307a474c11dad48a5503c2
SHA1 hash:
ad6d23e0da5e05cac857111ce376d8cf6b46930a
Link:
https://www.unpac.me/results/b35b3a84-ff8e-4e04-8661-2c28f5c46b23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178554/

Comments