MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: DiamondFox

Vendor detections: 9

SHA256 hash: 76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356
SHA3-384 hash: 573b0631cd373b77ffee96fee881931ef55dd02959872d1f7a1006ac28a78c4d48b9f53758f949a87681cf1b62c8a2ef
SHA1 hash: 19b4f742ad0beb3bd2306b8e8b1d989e52a01365
MD5 hash: f6336737452a7a106dde9be8ba468a0c
humanhash: tennessee-purple-undress-bravo
File name: F6336737452A7A106DDE9BE8BA468A0C.exe
Signature: DiamondFox
File size: 3'770'717 bytes
First seen: 2021-09-03 13:56:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:ysevup9c1bf8FmhU3sXZi1ZsarTqLpRgj+uMeCm6:yI9wBhJYZsATqYCuBC
Threatray: 486 similar samples on MalwareBazaar
TLSH: T12606333845B6B5CCED335C342A7484EA16CDEA931E17BE8F22030AE9FC166745664FE1
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
http://94.158.245.24/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://94.158.245.24/ | https://threatfox.abuse.ch/ioc/215080/

Intelligence


File Origin
# of uploads: 1
# of downloads: 284
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: F6336737452A7A106DDE9BE8BA468A0C.exe
Verdict: No threats detected
Analysis date: 2021-09-03 13:57:39 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Deleting a recently created file
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Creating a process with a hidden window
Creating a window
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Threat name: RedLine SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 477311, Sample: lkSjT6Eo0h.exe, Start date: 03/09/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Downloader.Upatre
Status: Malicious
First seen: 2021-08-26 02:34:48 UTC
AV detection: 30 of 40 (75.00%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader family:vidar botnet:2d1fa8a1b3c606f582add005087c86b4317a0710 botnet:706 botnet:937 botnet:b8ef25fa9e346b7a31e4b6ff160623dd5fed2474 botnet:pub2 botnet:test aspackv2 backdoor evasion infostealer stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments