MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 2 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89
SHA3-384 hash: 12220965f346f44e4aafaf61a32ab1fe1e66bd4fe9950720f8a36fc4291165bc1a35e34bd0c620df4e48e5589d95770e
SHA1 hash: bdce10de18c09ebb6b388eeef3c11c43e9e8d39c
MD5 hash: 5d2d3d4eae63a13afbd30c96b70a56cf
humanhash: carbon-north-bacon-mango
File name:5D2D3D4EAE63A13AFBD30C96B70A56CF.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:1'543'922 bytes
First seen:2021-07-24 17:11:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 24576:Eg5ngsT7c6L5PDh+TwMShDHActO6s5E7GPW7lm2q/k0VRjEK2E:EgBv/9L5rhXvMIO6s5axw2qM0/jE1E
Threatray 227 similar samples on MalwareBazaar
TLSH T15C65332033F6CC5AD263DE70267151479ED1960FD5A90A03BF54BA2B3E33A84B05FB69
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
37.46.128.40:2787

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
37.46.128.40:2787 https://threatfox.abuse.ch/ioc/162769/
193.56.146.60:51431 https://threatfox.abuse.ch/ioc/162770/

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5D2D3D4EAE63A13AFBD30C96B70A56CF.exe
Verdict:
No threats detected
Analysis date:
2021-07-24 17:13:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72f9bab1-8ee5-4141-b2ef-555103eb6833

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173922/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b87a23c-08cb-430a-a443-965286b0c656
Result
Threat name:
Backstage Stealer Ficker Stealer Glupteb
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821275
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Backstage Stealer
Yara detected Ficker Stealer
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453686 Sample: DcGlR2fkjS.exe Startdate: 24/07/2021 Architecture: WINDOWS Score: 100 88 37.0.8.225 WKD-ASIE Netherlands 2->88 90 g-prtnrs.top 91.241.19.12 REDBYTES-ASRU Russian Federation 2->90 92 6 other IPs or domains 2->92 116 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->116 118 Antivirus detection for URL or domain 2->118 120 Antivirus detection for dropped file 2->120 122 23 other signatures 2->122 12 DcGlR2fkjS.exe 10 2->12         started        signatures3 process4 file5 68 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->68 dropped 15 setup_installer.exe 10 12->15         started        process6 file7 80 C:\Users\user\AppData\...\setup_install.exe, PE32 15->80 dropped 82 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 15->82 dropped 84 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 15->84 dropped 86 5 other files (none is malicious) 15->86 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 94 wxkeww.xyz 104.21.56.66, 49726, 80 CLOUDFLARENETUS United States 18->94 96 127.0.0.1 unknown unknown 18->96 98 192.168.2.1 unknown unknown 18->98 124 Detected unpacking (changes PE section rights) 18->124 126 Performs DNS queries to domains with low reputation 18->126 22 cmd.exe 1 18->22         started        24 cmd.exe 1 18->24         started        26 conhost.exe 18->26         started        signatures10 process11 process12 28 karotima_1.exe 4 62 22->28         started        33 karotima_2.exe 1 24->33         started        dnsIp13 110 www.szwbjs.com 28->110 112 37.0.11.9, 49731, 80 WKD-ASIE Netherlands 28->112 114 12 other IPs or domains 28->114 70 C:\Users\...\zXAaeLtzjHdrajFkGUdcz2NK.exe, PE32 28->70 dropped 72 C:\Users\...\zU0GhMQLqFLEE3Il43Yk6jtq.exe, PE32 28->72 dropped 74 C:\Users\...\v1CyUK5vF0qLr_NuEbQPVRdI.exe, PE32 28->74 dropped 78 37 other files (22 malicious) 28->78 dropped 142 Drops PE files to the document folder of the user 28->142 144 May check the online IP address of the machine 28->144 146 Performs DNS queries to domains with low reputation 28->146 148 Disable Windows Defender real time protection (registry) 28->148 35 HafPxWMXq1xYjoC5p730nI_q.exe 28->35         started        40 Bk0Qg6oIxH8EYmmwI5Qo3Usj.exe 28->40         started        42 X6Mft9hvtsMTd_RyTqZ56Aa3.exe 1 28->42         started        46 14 other processes 28->46 76 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 33->76 dropped 150 DLL reload attack detected 33->150 152 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->152 154 Renames NTDLL to bypass HIPS 33->154 156 2 other signatures 33->156 44 explorer.exe 3 6 33->44 injected file14 signatures15 process16 dnsIp17 100 116.202.183.50 HETZNER-ASDE Germany 35->100 102 shpak125.tumblr.com 74.114.154.18 AUTOMATTICUS Canada 35->102 50 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 35->50 dropped 66 11 other files (none is malicious) 35->66 dropped 128 Detected unpacking (changes PE section rights) 35->128 130 Detected unpacking (overwrites its own PE header) 35->130 132 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->132 140 2 other signatures 35->140 52 C:\Program Files (x86)\...\md8_8eus.exe, PE32 40->52 dropped 54 C:\Program Files (x86)\Company\...\jooyu.exe, PE32 40->54 dropped 56 C:\Program Files (x86)\...\customer3.exe, PE32+ 40->56 dropped 58 C:\Program Files (x86)\...\Uninstall.exe, PE32 40->58 dropped 134 Sample uses process hollowing technique 42->134 136 Injects a PE file into a foreign processes 42->136 104 ip-api.com 208.95.112.1 TUT-ASUS United States 46->104 106 iplis.ru 88.99.66.31 HETZNER-ASDE Germany 46->106 108 4 other IPs or domains 46->108 60 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 46->60 dropped 62 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 46->62 dropped 64 C:\Users\user\AppData\...\aaa_v005[1].dll, DOS 46->64 dropped 138 May check the online IP address of the machine 46->138 48 conhost.exe 46->48         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89/
Threat name:
Win32.Trojan.Sdum
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 01:40:00 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=okze5gon2rwxz3rrv5wyqwdyfn3v3mlvhvhnsvdxjivrgbwv3weq._file
Verdict:
unknown
Similar samples:
0bfeff80f0a3f724a9ed3d36d1ae8f957a2df82e778e31203421dece1af586b9
DiamondFox
20ed0f1b402d630a3e131e9e788c57a74d348bcc358e1c0e6f5fd112ad838ab3
DiamondFox
2263fd1332612187cb951793ae3b34b74bd815da95d82b9d04d1fd6facb8311b
DiamondFox
356e6444780389e9a1432eb575cea622a01bab5d8331f1c3b13046ca8209d06b
DiamondFox
510d3eadc5652908d47db79067009b04cf4e9234720f052e90cc7d18ffad0b20
DiamondFox
5c5a71fd5e122ae176b592ae080a18f61b38653ab9405e1724dfe053ddbf6d1c
DiamondFox
6bb22351b0b468f3b05880df6e8a61f7ed792d90af19163e703a2c649b53cb14
DiamondFox
d09cb69744c809f1e48fda7e9ab5623852a42fc6f2cf79547ecc3329871e84ca
DiamondFox
e10f5bc4cb6610bd2aee334a581f2a9872b16c830bdce2f67ffe3cf57bf0b065
DiamondFox
+ 217 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer family:redline family:smokeloader family:socelars family:vidar botnet:865 botnet:903 botnet:921 botnet:lisekmix botnet:newone botnet:sel20 aspackv2 backdoor discovery evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210724-bm77draern/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Fickerstealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
dwarimlari.xyz:80
86.106.181.209:18845
37.46.128.40:2787
37.0.8.225:80
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Link:
https://www.unpac.me/results/557e9abc-4e4b-49f1-9039-14df2a104d26/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
f7fdbf113412a6ebcb6183c0c8323b5375f385787c907a7f7b7dc583cbc9d506
MD5 hash:
1152f7b8dcf206563eeadd83a3f70c25
SHA1 hash:
8a3f84cc9f43a97b9339ee5c6c9388dc0f95d6d8
Link:
https://www.unpac.me/results/557e9abc-4e4b-49f1-9039-14df2a104d26/
SH256 hash:
c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e
MD5 hash:
9108ad5775c76cccbb4eadf02de24f5d
SHA1 hash:
82996bc4f72b3234536d0b58630d5d26bcf904b0
Link:
https://www.unpac.me/results/557e9abc-4e4b-49f1-9039-14df2a104d26/
Parent samples :
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
9fac7b2d11f5ae799e04bd5f751cec1175b11eb4888e4c322ad7ff31a28214d3
MD5 hash:
d8f47fa4b3b38d8ee48b334ad37d82e3
SHA1 hash:
54e02c180d29f2463adab18f688986cba7fee4c9
Link:
https://www.unpac.me/results/557e9abc-4e4b-49f1-9039-14df2a104d26/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/557e9abc-4e4b-49f1-9039-14df2a104d26/
SH256 hash:
21ab7c2ca2a2312b657b09b149971564f19b78e34f1522a92cd355722897f087
MD5 hash:
9ea0988b1696b9cdf0956feb5ab28225
SHA1 hash:
924efcedebdb011c0daefb5abc51680858160276
Link:
https://www.unpac.me/results/557e9abc-4e4b-49f1-9039-14df2a104d26/
SH256 hash:
72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89
MD5 hash:
5d2d3d4eae63a13afbd30c96b70a56cf
SHA1 hash:
bdce10de18c09ebb6b388eeef3c11c43e9e8d39c
Link:
https://www.unpac.me/results/557e9abc-4e4b-49f1-9039-14df2a104d26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173922/

Comments