MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c8131fc986f9477582f43530e0bdc660887285c83360c52e6b68876a57dc9b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DiamondFox


Vendor detections: 12



SHA256 hash: 6c8131fc986f9477582f43530e0bdc660887285c83360c52e6b68876a57dc9b0
SHA3-384 hash: a5a96361f7e2b48a5de93e32bea313e3393ddac6350039fa496a581a40f750689bffa6e9b013baf71ce728ab0ec657a5
SHA1 hash: 9b34b0e3ef10605a4d0ac83488239109e5581a75
MD5 hash: bfb8fde58d474739aaeea4dcb70f32a0
humanhash: don-table-bacon-avocado
File name: BFB8FDE58D474739AAEEA4DCB70F32A0.exe
Download: download sample
Signature: DiamondFox
File size: 3'501'119 bytes
First seen: 2021-07-12 19:25:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:Ub5X1zLyFximAATdA8xdPsvk3upL/TDWtIB1:UdXexHAATdA8vsvkuL3fn
Threatray: 118 similar samples on MalwareBazaar
TLSH: T191F53342BA8095B1D5261D354A75AB11683D7C201F34CADFA3F4295D9B3A1C2EF32BB3
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
45.140.147.193:35789

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.140.147.193:35789 | https://threatfox.abuse.ch/ioc/159762/

Intelligence


File Origin
# of uploads: 1
# of downloads: 150
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: BFB8FDE58D474739AAEEA4DCB70F32A0.exe
Verdict: Malicious activity
Analysis date: 2021-07-12 19:27:46 UTC
Tags: evasion autoit

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Raccoon RedLine SmokeLoader Socelars Vid
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found C&C like URL pattern
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph (rendered graph; recoverable node data listed below)
Behavior Graph ID: 447527; Sample: 6dCudgmxKY.exe; Startdate: 12/07/2021; Architecture: WINDOWS; Score: 100

Root (sample execution):
  Network: google.vrthcobj.com; 149.154.167.99 TELEGRAMRU United Kingdom; 4 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 18 other signatures
  Started: 6dCudgmxKY.exe; iexplore.exe

6dCudgmxKY.exe:
  Dropped: C:\Users\user\Desktop\pub2.exe (PE32); C:\Users\user\Desktop\jg3_3uag.exe (PE32); C:\Users\user\Desktop\Installation.exe (PE32); 4 other files (2 malicious)
  Started: Info.exe; Files.exe; pub2.exe; 4 other processes

iexplore.exe:
  Started: iexplore.exe (child)
  Child network: 2no.co 88.99.66.31, 443, 49727, 49728 HETZNER-ASDE Germany; iplogger.org

Info.exe:
  Network: cdn.discordapp.com; www.jinhuamz.com 103.155.92.207, 49746, 80 TWIDC-AS-APTWIDCLimitedHK unknown; 14 other IPs or domains
  Dropped: C:\Users\...\zlnAaAT9kg3T6fOZbO_LjfUw.exe (PE32); C:\Users\...\y3UhbTYvpgf4NRogXYWA99of.exe (PE32); C:\Users\...\wm2lgHUrVBSkEG2Hjg1SXVl4.exe (PE32); 37 other files (29 malicious)
  Signatures: Drops PE files to the document folder of the user; Performs DNS queries to domains with low reputation; Disable Windows Defender real time protection (registry)

Files.exe:
  Dropped: C:\Users\user\AppData\Local\Temp\...\File.exe (PE32)
  Started: File.exe

pub2.exe:
  Dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
  Signatures: DLL reload attack detected; Renames NTDLL to bypass HIPS; Checks if the current machine is a virtual machine (disk enumeration)
  Injected: explorer.exe

4 other processes (from 6dCudgmxKY.exe):
  Network: 101.36.107.74, 49729, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China; 4 other IPs or domains
  Dropped: C:\Users\user\Documents\...\jg3_3uag.exe (PE32)
  Signatures: Creates processes via WMI
  Started: Folder.exe; WerFault.exe; conhost.exe

File.exe:
  Network: newja.webtm.ru 92.53.96.150, 49725, 80 TIMEWEB-ASRU Russian Federation
  Dropped: C:\Users\Public\run2.exe (PE32); C:\Users\Public\run.exe (PE32)
  Signatures: Binary is likely a compiled AutoIt script file; Drops PE files to the user root directory
  Started: run2.exe; run.exe

Folder.exe:
  Dropped: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32); C:\...\api-ms-win-core-string-l1-1-0.dll (PE32); C:\...\api-ms-win-core-namedpipe-l1-1-0.dll (PE32)
  Started: conhost.exe

WerFault.exe:
  Network: 104.42.151.234 MICROSOFT-CORP-MSN-AS-BLOCKUS United States

run2.exe:
  Network: 74.114.154.22 AUTOMATTICUS Canada; 162.55.223.232 ACPCA United States
  Dropped: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); 8 other files (none is malicious)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2021-07-09 20:43:40 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:712 botnet:890 botnet:9_7_r botnet:novee backdoor evasion infostealer stealer themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
autoit_exe
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
45.140.147.193:35789
https://sergeevih43.tumblr.com/
qumaranero.xyz:80
xtarweanda.xyz:80
Unpacked files
SHA256 hash: fa8e9649c3ea2415dd1da245b280766263f1344fe8a980944e30fdd4e159bf33
MD5 hash: 155ba44ad55ed22b1b377b42b1928ff6
SHA1 hash: c5432f0bbb9e6703b8dc490132975c02ba77b203

SHA256 hash: f78cafdf504a8dbc642063f10fad6604919bebbb457621acf9fd12cd9cb8a8d2
MD5 hash: 546ec8e29b9563c6b5f31ebda05dab92
SHA1 hash: b21d335a6e4468dc57eb3a4368019788b1b4489b

SHA256 hash: ef741c122ea840d444c718852b75da0b27f202e1d8bc0d08fb2227c7d3065ab4
MD5 hash: b6e0ef10bbdbfc8646c9ffe5e079aa5c
SHA1 hash: 01ec8b37b9a82f31aebe54decf0e926640d302c2

SHA256 hash: 8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash: 559948db5816ae7ab26eb2eb533887ed
SHA1 hash: e60442c6fb35239d298b01b0f4558264c01b2e7f

SHA256 hash: 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash: 1c7be730bdc4833afb7117d48c3fd513
SHA1 hash: dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256 hash: 4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash: ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash: 249ff902f66c3d0cee6656802b14a9c34807bc8f

SHA256 hash: 14a2d1d619c218545acf152fb02788e3b6cacd4a62d24ecac4cb9370324bdcc7
MD5 hash: 836aa5b12dac26bb595bca09e249b031
SHA1 hash: b62fdb89a8eed2cdd8302bf5e94effc458eb9506

SHA256 hash: 67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash: 555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash: 550326b1226629a867d4606ad0c98c4ef9596b47

SHA256 hash: 8ff7e0b62c176f54d723facb15e878bef9da7ab710757b2c6269ea6ec09965cf
MD5 hash: 2411734d36fd9552f0e3b5852b4b9dfb
SHA1 hash: 6d5bf73b8186be4fa8830663fc1ccfc8070d3af2

SHA256 hash: 68c94236ba4498f79c40d130e4581e8a2b7baf6894912aa11d25b1889c5b184b
MD5 hash: 0dd2006abcd09ffc83bd842f033bc97b
SHA1 hash: 15e8837fc9858ee1687c0d37affadd4ee510d698
Detections: win_socelars_auto

SHA256 hash: 199223ebce992b9600c00b1f78bac682e94d391ca7096aa519d1df51ab3eb25c
MD5 hash: 2d6f160c18ed9c1d0ad8d5aef975700f
SHA1 hash: 6692e47e071d700c94f7406e6a62631c28261555

SHA256 hash: 55cdb9054f66ed88b8215d9f981efd7421c6f50dc9285140ec5ff591e34121bd
MD5 hash: 5631522a0758055c133e7966c1948802
SHA1 hash: 90caf8180bf43727fc490ffa34b1d578833aad7f

SHA256 hash: 3df5169b3430a73458fa650007fba6e36694402bb306b04e4fb7093db94a191d
MD5 hash: a23c2d12420d773e4048e78ee45d1549
SHA1 hash: f058fd756feef314ef2de6b2d8fff61df4c21fbd

SHA256 hash: 6c8131fc986f9477582f43530e0bdc660887285c83360c52e6b68876a57dc9b0
MD5 hash: bfb8fde58d474739aaeea4dcb70f32a0
SHA1 hash: 9b34b0e3ef10605a4d0ac83488239109e5581a75
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_new_bin
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name: redline_new_mem
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments