MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox

Vendor detections: 12

SHA256 hash: 7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
SHA3-384 hash: aa0d8142c41d330863ed0a1efdb504ac7a0c2601d3267686951b5e0f299f101af428eeab8205c4eacb3c14ba4ad92b49
SHA1 hash: ee509d9c5910532340694e17fa0b50d0d9558414
MD5 hash: 6ebf4dbc2f41cfe7c3e55e5a76d2a670
humanhash: romeo-don-maine-nebraska
File name: 7755E890ECB6B60A9CBED072A609FBE099968B1FBDA51.exe
Signature DiamondFox
File size: 3'960'723 bytes
First seen: 2021-10-17 20:40:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:y56aQtE6efCFSGn/Qvp2b/5/fKVzuJiShnf4NMM5/L1hY:y56aeJefAXt4Mf4NMM5/A
TLSH T1CA06338233A2D260F3B8CDFB24B40B3526DF576DA425C75857F8E614AA60DB0AC553F8
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
http://185.163.204.33/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.163.204.33/
ThreatFox reference: https://threatfox.abuse.ch/ioc/234895/

Intelligence

File Origin
# of uploads: 1
# of downloads: 365
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Behaviour
Creating a file in the %temp% directory
Creating a window
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Vidar stealer
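The Defender-tampering entries in the list above (a directory exclusion added from cmd.exe, real-time protection switched off through the registry, and the two Sigma matches) are the behaviours a detection engineer would want to reproduce from endpoint telemetry. The script below is an added example, not vendor, abuse.ch or MalwareBazaar code: it runs approximations of those checks over constructed Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) records shaped after the process tree in this report. The rule names, the `example` temp sub-directory and the event contents are assumptions made for the example, and the regular expressions are a reading of the reported behaviour, not the text of the public Sigma rules.

```python
"""Approximate the Windows Defender tampering checks above on Sysmon-style events.

Added example, not vendor or MalwareBazaar code. Rule names and the sample
events are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    event_index: int
    detail: str


# Process-creation checks (Sysmon Event ID 1, CommandLine field).
EXCLUSION_CMD = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\b", re.I)
DISABLE_RTP_CMD = re.compile(
    r"\bSet-MpPreference\b.*?-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# Registry checks (Sysmon Event ID 13, TargetObject / Details fields).
EXCLUSION_KEY = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)
DISABLE_RTP_KEY = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring$", re.I)


def detect(events):
    """Return the alerts raised by the events, in event order."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if EXCLUSION_CMD.search(cmd):
                alerts.append(Alert("defender_exclusion_via_powershell", i, cmd))
            if DISABLE_RTP_CMD.search(cmd):
                alerts.append(Alert("defender_rtp_disabled_via_powershell", i, cmd))
            # Executable living under %TEMP% spawned by cmd.exe, as in the tree
            # above (setup_install.exe -> cmd.exe -> 8572490dc48c4520c7.exe).
            if (TEMP_DIR.search(ev.get("Image", ""))
                    and ev.get("ParentImage", "").lower().endswith("\\cmd.exe")):
                alerts.append(Alert("temp_executable_spawned_by_cmd", i, ev["Image"]))
        elif ev["EventID"] == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "").strip().lower()
            if EXCLUSION_KEY.search(target):
                alerts.append(Alert("defender_exclusion_via_registry", i, target))
            # Sysmon renders DWORD data as "DWORD (0x00000001)"; only a value
            # of 1 disables real-time protection, so a reset to 0 is not an alert.
            if DISABLE_RTP_KEY.search(target) and details == "dword (0x00000001)":
                alerts.append(Alert("defender_rtp_disabled_via_registry", i, target))
    return alerts


TEMP = r"C:\Users\user\AppData\Local\Temp"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RTP_VALUE = (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
             r"\Real-Time Protection\DisableRealtimeMonitoring")

# Constructed events; the "example" sub-directory stands in for the shortened
# paths in the report.
EVENTS = [
    {"EventID": 1, "Image": TEMP + r"\example\setup_install.exe",
     "ParentImage": TEMP + r"\setup.exe", "CommandLine": "setup_install.exe"},
    {"EventID": 1, "Image": CMD, "ParentImage": TEMP + r"\example\setup_install.exe",
     "CommandLine": 'cmd /c powershell -Command Add-MpPreference -ExclusionPath "' + TEMP + '"'},
    {"EventID": 1, "Image": TEMP + r"\example\8572490dc48c4520c7.exe",
     "ParentImage": CMD, "CommandLine": "8572490dc48c4520c7.exe"},
    {"EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Local\Temp"},
    {"EventID": 13, "TargetObject": RTP_VALUE, "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": PS, "ParentImage": CMD,
     "CommandLine": "powershell -Command Get-MpPreference"},
    {"EventID": 13, "TargetObject": RTP_VALUE, "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"event {a.event_index}: {a.rule}: {a.detail}")
```

Run against the constructed events the script raises four alerts (the PowerShell exclusion, the %TEMP% executable spawned by cmd.exe, the registry exclusion and the registry real-time-protection switch-off); the benign `Get-MpPreference` call and the later reset of `DisableRealtimeMonitoring` to 0 are left alone.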
Behaviour
Behavior Graph ID: 504300
Sample: 7755E890ECB6B60A9CBED072A60...
Start date: 17/10/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 12 other signatures

Process tree (reconstructed from the graph; file paths are shortened as in the original):

7755E890ECB6B60A9CBED072A609FBE099968B1FBDA51.exe
    dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32)
    setup.exe
        dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32); C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\Local\...\libzip.dll (PE32); 3 other files (none is malicious)
        setup_install.exe
            dropped: C:\Users\user\...\8572490dc48c4520c7.exe (PE32)
            cmd.exe  [Adds a directory exclusion to Windows Defender]
                8572490dc48c4520c7.exe
                    dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Mon108166492cc.exe (PE32); C:\Users\user\...\Mon106dc47d7f4c0.exe (PE32+); 11 other files (4 malicious)
                    setup_install.exe  [Adds a directory exclusion to Windows Defender]
                        network: 172.67.142.91 (CLOUDFLARENETUS, United States); 127.0.0.1
                        cmd.exe
                            Mon1010d117630.exe
                                network: 37.0.10.214 (WKD-ASIE, Netherlands); 37.0.10.244 (WKD-ASIE, Netherlands); 9 other IPs or domains
                                dropped: C:\Users\user\...\search_hyperfs_204[1].exe (PE32); C:\Users\user\...\DownFlSetup999[1].exe (PE32); C:\Users\user\AppData\...\askinstall59[1].exe (PE32); 21 other files (3 malicious)
                                signatures: Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
                        cmd.exe
                            Mon10589f756fdde.exe
                                signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
                        cmd.exe
                            Mon108166492cc.exe
                                network: 162.159.133.233 (CLOUDFLARENETUS, United States)
                                signatures: Antivirus detection for dropped file
                        7 other processes  [Adds a directory exclusion to Windows Defender]
                            Mon106dc47d7f4c0.exe
                                network: 208.95.112.1 (TUT-ASUS, United States); 2 other IPs or domains
                            Mon100785fd63739.exe
                                dropped: C:\Users\user\...\Mon100785fd63739.tmp (PE32)
                            Mon1043829e64.exe
                            3 other processes
                                network: 2 other IPs or domains
            conhost.exe
Result
Threat name: Win32.Trojan.Chapak
Status: Malicious
First seen: 2021-08-30 22:29:38 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Verdict: malicious

Result
Score: 10/10
Tags: family:smokeloader family:socelars family:vidar botnet:706 aspackv2 backdoor evasion spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
SmokeLoader
Socelars
Vidar
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
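The IOC listed earlier on this page and the C2 list just extracted are the entry's actionable network indicators. As an added example (not MalwareBazaar, abuse.ch or vendor code), the script below matches web-proxy log lines against them: a hit on a known C2 hostname with the known path is reported as high confidence, a subdomain or a different path on that host as medium, and a bare destination-IP match on the non-CDN addresses from the sandbox process tree as medium. The log layout, the 10.0.0.0/8 sources and the 203.0.113.0/24 and 198.51.100.0/24 destinations are constructed for the example; the Cloudflare addresses from the report are deliberately left out as indicators because they front many legitimate sites.

```python
"""Match web-proxy log lines against the network indicators in this entry.

Added example, not MalwareBazaar or abuse.ch code. The log format, the source
hosts and the non-IOC addresses below are constructed for the example.
"""
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Indicators copied from the entry: the reporter's C2 URL / ThreatFox IOC and
# the vendor's extracted C2 list.
C2_URLS = [
    "http://185.163.204.33/",
    "https://eduarroma.tumblr.com/",
    "http://varmisende.com/upload/",
    "http://fernandomayol.com/upload/",
    "http://nextlytm.com/upload/",
    "http://people4jan.com/upload/",
    "http://asfaltwerk.com/upload/",
]
# Non-CDN addresses contacted in the sandbox process tree. The Cloudflare
# addresses from the report are left out on purpose: they front many
# legitimate sites, so an IP-only match on them is noise.
CONTACTED_IPS = {"37.0.10.214", "37.0.10.244", "208.95.112.1"}

C2_BY_HOST = {urlsplit(u).hostname.lower(): u for u in C2_URLS}

# Constructed proxy log layout: timestamp src method url status dst_ip
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<dst>\S+)$"
)

Match = namedtuple("Match", "line indicator confidence")


def _matching_c2_host(host):
    """Return the C2 host that `host` equals or is a subdomain of, else None."""
    for c2_host in C2_BY_HOST:
        if host == c2_host or host.endswith("." + c2_host):
            return c2_host
    return None


def classify(line):
    """Return a Match for one log line, or None if it hits no indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparsable line: skip, do not crash
    url = m.group("url")
    host = (urlsplit(url).hostname or "").lower()
    c2_host = _matching_c2_host(host)
    if c2_host:
        known_url = C2_BY_HOST[c2_host]
        # Exact host plus the known path is the strongest signal; a subdomain
        # or a different path on the same host is still worth a look.
        conf = "high" if url.startswith(known_url) else "medium"
        return Match(line, known_url, conf)
    if m.group("dst") in CONTACTED_IPS:
        return Match(line, m.group("dst"), "medium")
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real infrastructure).
SAMPLE_LOG = [
    "2021-10-17T20:41:02Z 10.0.0.12 POST http://varmisende.com/upload/ 200 203.0.113.10",
    "2021-10-17T20:41:05Z 10.0.0.12 GET http://185.163.204.33/ 200 185.163.204.33",
    "2021-10-17T20:41:09Z 10.0.0.12 GET http://cdn.varmisende.com/x.png 404 203.0.113.10",
    "2021-10-17T20:41:11Z 10.0.0.12 GET http://updates.example/file.bin 200 37.0.10.214",
    "2021-10-17T20:41:15Z 10.0.0.13 GET https://www.example.com/ 200 198.51.100.7",
    "not a proxy log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit.confidence}] {hit.indicator}  <-  {hit.line}")
```

On the constructed lines this yields two high-confidence hits (the `/upload/` POST and the reporter's C2 IP), one medium hit for the `cdn.` subdomain and one medium hit for the bare 37.0.10.214 destination; the benign request and the unparsable line produce nothing. Path-qualified matching is what keeps the shared-hosting entries (the tumblr.com subdomain, the Cloudflare-fronted hosts) from turning into a blocklist for a whole provider.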
Unpacked files

SHA256 hash: 600c4fd507ebc51b76cf6d30b360713dbc014490f7862b125db79646ab849736
MD5 hash: 51e3803cea37b8feccdbbb1f42289b9f
SHA1 hash: fa13af10e68e28e015e8a54085e03183402a661c

SHA256 hash: 835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash: 6961557695f34a53cf8224be7c265fbe
SHA1 hash: f52d34d0b1dbd181f2acb21f42d875d514afb6f7

SHA256 hash: 160aa9358e246ebf2f253b3eb1c7786c93bbdf298599d217a22dbe1cbd15aff3
MD5 hash: ab14905b4897eb16ac97bd35b5fd6b0c
SHA1 hash: e61e2b565a187a36f478d0d715c36bb71cb37b61

SHA256 hash: 0ad66694cd51054a517518f066a3aadcbc97c11f81f77139e7accc31e44482b0
MD5 hash: 963d59faade426d73cebf79abbf0685b
SHA1 hash: a036fc0cf108522c792328a17a5b51a88a726978

SHA256 hash: fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash: 052270e8e9cfb3512932e0df484caef4
SHA1 hash: 85305fee690beea8458bab5d55d0368c47340501

SHA256 hash: 85c0574b48df124cb351cf102246e547a82619fbf7521d0bc515828b480aeb49
MD5 hash: 5dbebf819f64fc4691f2168c520160ea
SHA1 hash: 74d9e9ad214b51e6ffefb661b31f3f1c592867c1

SHA256 hash: 9f49d2110ce857ad6bc5a59870ee37d02651dd381820320827a7477082836f3e
MD5 hash: aba80c623dd45ad9f26e1474cece96af
SHA1 hash: 462562d51999490104300abd8999d25c03f359c7

SHA256 hash: 873114bb443945989f58c7d33a4e7169b7452adcfcd0fbd9c96bfc53c2233399
MD5 hash: 26d9c532a9a53d4932fe709355f6ccb8
SHA1 hash: 13b9ab29e78931b88dce90747110989d2773a2d0

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: aff5052dcaceac8cc0d97983c19091be8f1d2fa3b2ea4f649adf0c16855bc8b8
MD5 hash: b32e81cfce4fb1d3a87156891c95e35c
SHA1 hash: 9a1b6b18d71016d4b7ebe5abbfaaa204d51ece86

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: 5050bc56c683a4dbfda08b43d68973961458fd712164c3792d060153c2bd7027
MD5 hash: f9210936145be5d696c5c80f8f464a58
SHA1 hash: 4647f8be74272b9a6d6d039fc6bb68aca0c8b49c

SHA256 hash: a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash: 0c6cae115465a83f05d3ff391fd009ac
SHA1 hash: 066ea93bb540ae4be0d2e522d4bb59eec74053ad
Detections: win_vidar_auto

SHA256 hash: 8c02be7df255cf3b9551e4f2a0c6e338e15a3ac66d97c6cb529810daefa4c57c
MD5 hash: 1165a54279f116393323b2a9a4fb14b2
SHA1 hash: d8c0da72033d803606a1024fdd5effcf52927167

SHA256 hash: ba26989b512e3ac32a7b3f382793a5c84d5872f30b2c40f84f143e4d4cd136ec
MD5 hash: 82a328ac2238831982903b4ae71c94a3
SHA1 hash: f15856d3165372fa01e31f65d1da34727b66fe49

SHA256 hash: f91b2f4d9868c39995ebe9e084dc25a0cb51ec91a67f9c95d70749a0e8b1c47c
MD5 hash: 222bd58378024d09fd93787a7fe56694
SHA1 hash: ab754a15f63576f9ced5c0c41691be945fb02db8

SHA256 hash: 9a69b71d7a4ae5e30749576346393d9d920c92ed1f8a090f49a5487ef79cd47a
MD5 hash: 3fa24ff65ee230e0b6f01a5383073c8a
SHA1 hash: 85a5701b3da7e3f1b93b85d395857dbefacdfec5

SHA256 hash: 79388ec2ea912777e07cb62963c9e92ffd8ef1cccd734c689c6dad2d3174d19a
MD5 hash: 4334b8f0e4a031c50858f113bd71951c
SHA1 hash: 8aa293dbe6fc283d637287d99a9f15770945a493

SHA256 hash: 7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
MD5 hash: 6ebf4dbc2f41cfe7c3e55e5a76d2a670
SHA1 hash: ee509d9c5910532340694e17fa0b50d0d9558414
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: RedOctoberPluginCollectInfo

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
