MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
SHA3-384 hash: 93810defa53d6da0e05fcaffec90424d437c63ce49383c72cf4c0000093127c59f47fbc746c196b1c9104ced01cee3ba
SHA1 hash: 58de952fe5d182294e5e6d5141567b9ce61a331e
MD5 hash: 47000b94531ad6b652797c1f2e525752
humanhash: angel-happy-harry-lion
File name:47000B94531AD6B652797C1F2E525752.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:3'949'498 bytes
First seen:2021-09-04 07:20:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yktaLYOV0bHarm4/UIL8HCKqq/4bB5jIlEK:yOakOObqtRz0lEK
Threatray 488 similar samples on MalwareBazaar
TLSH T12E06333C3F5DB693CB50D377467265C02F8A64A791A3F1CDB39B8300799D46F6A96202
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://94.158.245.24/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.24/ https://threatfox.abuse.ch/ioc/215080/

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
47000B94531AD6B652797C1F2E525752.exe
Verdict:
No threats detected
Analysis date:
2021-09-04 07:23:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ac787fc5-23be-496d-918b-f15e857bfc85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185269/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Deleting a recently created file
Running batch commands
Sending a custom TCP request
Connection attempt
DNS request
Sending an HTTP GET request
Launching a process
Sending a UDP request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Creating a process with a hidden window
Delayed reading of the file
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b870990-49f9-445b-9f1d-a37cd37ed78c
Result
Threat name:
BitCoin Miner Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845165
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected BitCoin Miner
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477596 Sample: vIpT2aCuWz.exe Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 111 172.67.187.120 CLOUDFLARENETUS United States 2->111 113 172.67.194.30 CLOUDFLARENETUS United States 2->113 115 google.vrthcobj.com 2->115 163 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->163 165 Antivirus detection for URL or domain 2->165 167 Multi AV Scanner detection for dropped file 2->167 169 15 other signatures 2->169 14 vIpT2aCuWz.exe 10 2->14         started        17 svchost.exe 1 2->17         started        signatures3 process4 file5 83 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 14->83 dropped 19 setup.exe 8 14->19         started        process6 file7 73 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 19->73 dropped 75 C:\Users\user\AppData\...\setup_install.exe, PE32 19->75 dropped 77 C:\Users\user\AppData\Local\...\libzip.dll, PE32 19->77 dropped 79 3 other files (none is malicious) 19->79 dropped 22 setup_install.exe 3 19->22         started        process8 file9 81 C:\Users\user\AppData\...\5350ad3bc3d6e68.exe, PE32 22->81 dropped 25 cmd.exe 1 22->25         started        28 conhost.exe 22->28         started        process10 signatures11 171 Adds a directory exclusion to Windows Defender 25->171 30 5350ad3bc3d6e68.exe 16 25->30         started        process12 file13 85 C:\Users\user\AppData\...\setup_install.exe, PE32 30->85 dropped 87 C:\Users\user\AppData\...\Mon10ec395ae192.exe, PE32 30->87 dropped 89 C:\Users\user\...\Mon10d95ada86e6c1786.exe, PE32+ 30->89 dropped 91 11 other files (5 malicious) 30->91 dropped 33 setup_install.exe 1 30->33         started        process14 dnsIp15 107 sornx.xyz 104.21.43.244, 49712, 80 CLOUDFLARENETUS United States 33->107 109 127.0.0.1 unknown unknown 33->109 159 Performs DNS queries to domains with low reputation 33->159 161 Adds a directory exclusion to Windows Defender 33->161 37 cmd.exe 33->37         started        39 cmd.exe 33->39         started        41 cmd.exe 33->41         started        43 7 other processes 33->43 signatures16 process17 signatures18 46 Mon10716eec3c629f745.exe 37->46         started        51 Mon107ce740ef0.exe 39->51         started        53 Mon10d95ada86e6c1786.exe 41->53         started        173 Adds a directory exclusion to Windows Defender 43->173 55 Mon10ec395ae192.exe 43->55         started        57 Mon10c1a120fed696e5.exe 43->57         started        59 Mon10509f710deaa1c.exe 43->59         started        61 3 other processes 43->61 process19 dnsIp20 117 37.0.10.237, 49717, 80 WKD-ASIE Netherlands 46->117 123 10 other IPs or domains 46->123 93 C:\Users\...\z9izMTGRZozcgTkc5N59oNF9.exe, PE32 46->93 dropped 95 C:\Users\...\z718sL9kqz808kOHUjtrkq63.exe, PE32 46->95 dropped 97 C:\Users\...\qUcLHXgnKSZ8wnpez9JBQm7Y.exe, PE32 46->97 dropped 105 39 other files (32 malicious) 46->105 dropped 135 Drops PE files to the document folder of the user 46->135 137 May check the online IP address of the machine 46->137 139 Tries to harvest and steal browser information (history, passwords, etc) 46->139 141 Disable Windows Defender real time protection (registry) 46->141 143 Machine Learning detection for dropped file 51->143 145 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 51->145 147 Maps a DLL or memory area into another process 51->147 149 Checks if the current machine is a virtual machine (disk enumeration) 51->149 125 3 other IPs or domains 53->125 151 Contains functionality to steal Chrome passwords or cookies 53->151 119 remotepc3.xyz 55->119 127 3 other IPs or domains 55->127 153 Performs DNS queries to domains with low reputation 55->153 99 C:\Users\user\...\Mon10c1a120fed696e5.tmp, PE32 57->99 dropped 155 Antivirus detection for dropped file 57->155 63 Mon10c1a120fed696e5.tmp 57->63         started        121 a.goatgame.co 104.21.79.144, 443, 49705 CLOUDFLARENETUS United States 59->121 101 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 59->101 dropped 157 Creates processes via WMI 59->157 129 3 other IPs or domains 61->129 103 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 61->103 dropped file21 signatures22 process23 dnsIp24 131 the-flash-man.com 63->131 133 best-link-app.com 63->133 67 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 63->67 dropped 69 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 63->69 dropped 71 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 63->71 dropped file25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 23:13:03 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=npjnl4tdbtur2pmt2wtinuhkhanw56rlexinxuhvbgqx67wtpcgq._file
Verdict:
suspicious
Similar samples:
3febf03463e0e65ef9d0fc4e8a38f01dd7c6dfee10258876981539b7a319a620
DiamondFox
4f4c2c9bdfef8a8cfbe2c8f84bf12cc86f26f59d54c277dab39f4c5e92948708
DiamondFox
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
DiamondFox
5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae
DiamondFox
6e67e541d5801d97cb6fc3ec483b7b9dc302506c0f3a1ef0942ea3f7126e9e87
DiamondFox
76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356
DiamondFox
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
DiamondFox
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
DiamondFox
+ 478 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:706 botnet:937 aspackv2 discovery evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210904-h6n3bahbcr/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
2466af8b6abf1ab8b53fff7c64f30acab3a7fcb88903ebd2d395d05b99ca2537
MD5 hash:
b4874af2682499c4183a49da1f22b912
SHA1 hash:
f485b57a2764db6ae03b25ef27443b7555829186
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
aae108ad4f1cb6c56cf909abe420710cf99b8d9ca0dcc39f8c2217253cfaf255
MD5 hash:
2508c15a4e2b04bc274ea7351c47e618
SHA1 hash:
da542e61297dd117ff15a1d5ce3c5395b6b888ef
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
6efa1bb387f52218b77229e465d68fd449d5045e9ac0c5151bb7ef88a3884ece
MD5 hash:
c95ddefabfd156cfe30a75681c42d64e
SHA1 hash:
9fb4cbdab864756c12e4dd3635798ce60cd205b4
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
9f49d2110ce857ad6bc5a59870ee37d02651dd381820320827a7477082836f3e
MD5 hash:
aba80c623dd45ad9f26e1474cece96af
SHA1 hash:
462562d51999490104300abd8999d25c03f359c7
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
c7179b1c0a4b7b5d11949ebb1ecb79634629dea8eebdc6e4afa5b1605a9b87ed
MD5 hash:
8d2cd51de936d9bfc6f37f1d4500465a
SHA1 hash:
199ac6dc8faf384a819334b7ee9cb7f7581fc651
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
40f8dce31beb48a500833b7d9cc5e8e2c769383560144eca987d8d518d80319b
MD5 hash:
303d125ad60ffd7f3851cdfa5e55eaeb
SHA1 hash:
18aeb3956434721c664686c0ce3a4be1f7bd74b9
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
918d6c0eefdf65105a529d1a8268871f94aa9c5342276faedcde2932e16fe1d3
MD5 hash:
8fa35c1eedb3b1aec95cb0ae4ea9f288
SHA1 hash:
cee9648cc9bd46f2c49adb511cc99f46533de3e5
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
aff5052dcaceac8cc0d97983c19091be8f1d2fa3b2ea4f649adf0c16855bc8b8
MD5 hash:
b32e81cfce4fb1d3a87156891c95e35c
SHA1 hash:
9a1b6b18d71016d4b7ebe5abbfaaa204d51ece86
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
1e47b0a87b714febf0f805a2c319a150cc8bd58d738669c76c975a64d40130ab
MD5 hash:
6cbca955ae2bb778cf9de6cef5d114a7
SHA1 hash:
527feb36a0cbd2c348df1862bb2d4516ed9bad6f
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
600c3b985fb158939d974c2b3a82f6c2bf4a463afdbe2e905dba2fe72d95d87c
MD5 hash:
a56a2fbf6ddc429afeccfe66c9085bd8
SHA1 hash:
a00aff190c59ffb6ceb6fd44b5760a005c7b8282
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
882407b4cd8ffac6f94f25c6abcce8acb779dfb4c05a9d6223d1b0673bca9536
MD5 hash:
1766b8ec2ef75e59285fde5698a39cd4
SHA1 hash:
d4caaaea524f8b348d91b5932f1454893d641aa7
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
761cac88d23dc49adfbd2be17b51e85b99568b62074c9c65805bc3ba22fcaba1
MD5 hash:
6938b2705f565753adf391ac3810a06f
SHA1 hash:
103afdff21e09aa3b05b5727553b92c5404fe2c2
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
00c74e0e5981f09c7ff9f3f01552124f23e6ac20264dbdb2fb8f14a2910c4315
MD5 hash:
ca6224e9156e954f488f3f4e0ab54176
SHA1 hash:
4eb68f6e08b906da6441ebcb757003fbc83abcbd
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
290346963df0fbd15b7b7082cb90e779bfe710b535f1fa74e7371a8e84ed8355
MD5 hash:
4565e6211018090875a897a2949eb59e
SHA1 hash:
b41d441ea0230096b3b77368ccffd44b4031a824
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
SH256 hash:
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
MD5 hash:
47000b94531ad6b652797c1f2e525752
SHA1 hash:
58de952fe5d182294e5e6d5141567b9ce61a331e
Link:
https://www.unpac.me/results/e15fa139-fce6-4921-8d27-ecaba241c1eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185269/

Comments