MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 844131e4d854e4963f3e742809946adb7d3644409a819cce010415d611f2a174. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 12


Intelligence 12 IOCs 4 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 844131e4d854e4963f3e742809946adb7d3644409a819cce010415d611f2a174
SHA3-384 hash: 3bd47852a0edd1923f168d6aacac448c8ae13128c6d13a64433466e016b4731f49c0b33ccf69a373e699200720bb06a3
SHA1 hash: b3d3553edeca61e6f9598e0336e147f217740c04
MD5 hash: 4e11cced3478d15d5e579fbfb8ab30e5
humanhash: video-kilo-apart-virginia
File name:4E11CCED3478D15D5E579FBFB8AB30E5.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:7'389'509 bytes
First seen:2021-07-23 07:45:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 196608:UOxHcgftBQQ/Q6spjux/SR2o8eL+gADoic4:vqggY/SRIDY4
Threatray 216 similar samples on MalwareBazaar
TLSH T167763351BEC060F0C5A11D794774AF24E826BC652B665FC7B3585A8E4D3A0C2EF38BB1
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
77.220.213.35:52349

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.220.213.35:52349 https://threatfox.abuse.ch/ioc/162067/
http://188.119.112.73/ https://threatfox.abuse.ch/ioc/162168/
185.244.182.34:22602 https://threatfox.abuse.ch/ioc/162201/
178.20.42.11:80 https://threatfox.abuse.ch/ioc/162206/

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4E11CCED3478D15D5E579FBFB8AB30E5.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 07:47:11 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/9a079b6b-a7ea-4d6c-8f8e-1233ad13077c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173551/
Detection(s):
Win.Malware.Clipbanker-9873068-0
Create hunting rule

Win.Malware.Generic-9873526-0
Create hunting rule

Win.Malware.Clipbanker-9874840-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/486d4d89-aa6b-415b-91c8-21b2955887f9
Result
Threat name:
Backstage Stealer Raccoon RedLine SmokeL
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820614
Signature
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453025 Sample: 226wkEc1Jt.exe Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 78 91.241.19.12 REDBYTES-ASRU Russian Federation 2->78 80 208.95.112.1 TUT-ASUS United States 2->80 82 5 other IPs or domains 2->82 124 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->124 126 Antivirus detection for URL or domain 2->126 128 Multi AV Scanner detection for submitted file 2->128 130 14 other signatures 2->130 9 226wkEc1Jt.exe 1 27 2->9         started        12 svchost.exe 2->12         started        signatures3 process4 file5 40 C:\Users\user\Desktop\pub2.exe, PE32 9->40 dropped 42 C:\Users\user\Desktop\jg3_3uag.exe, PE32 9->42 dropped 44 C:\Users\user\Desktop\KRSetp.exe, PE32 9->44 dropped 46 4 other files (3 malicious) 9->46 dropped 14 Info.exe 4 56 9->14         started        19 Files.exe 9->19         started        21 pub2.exe 9->21         started        25 5 other processes 9->25 23 WerFault.exe 12->23         started        process6 dnsIp7 94 103.155.93.196 TWIDC-AS-APTWIDCLimitedHK unknown 14->94 96 136.144.41.201 WORLDSTREAMNL Netherlands 14->96 102 8 other IPs or domains 14->102 64 C:\Users\...\x6r8xY9rk6wgTNtDrX5cNEhC.exe, PE32 14->64 dropped 66 C:\Users\...\u_fmC3GWsOBmVYN6qQOgKR7r.exe, PE32 14->66 dropped 68 C:\Users\...\pv6BksHcwZwofKpVmx_H36t4.exe, PE32 14->68 dropped 76 33 other files (16 malicious) 14->76 dropped 106 Drops PE files to the document folder of the user 14->106 108 Disable Windows Defender real time protection (registry) 14->108 70 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 19->70 dropped 27 File.exe 19->27         started        72 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 21->72 dropped 110 DLL reload attack detected 21->110 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->112 114 Renames NTDLL to bypass HIPS 21->114 116 Checks if the current machine is a virtual machine (disk enumeration) 21->116 98 128.1.32.84, 49733, 80 HINETDataCommunicationBusinessGroupTW United States 25->98 100 www.listincode.com 144.202.76.47, 443, 49744 AS-CHOOPAUS United States 25->100 104 4 other IPs or domains 25->104 74 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 25->74 dropped 118 Detected unpacking (changes PE section rights) 25->118 120 Writes to foreign memory regions 25->120 122 Creates processes via WMI 25->122 32 chrome.exe 19 25->32         started        34 Folder.exe 25->34         started        36 conhost.exe 25->36         started        file8 signatures9 process10 dnsIp11 84 185.234.247.50 INTERKONEKT-ASPL Russian Federation 27->84 86 195.201.225.248 HETZNER-ASDE Germany 27->86 48 C:\Users\user\AppData\...\vcruntime140.dll, PE32 27->48 dropped 50 C:\Users\user\AppData\...\ucrtbase.dll, PE32 27->50 dropped 52 C:\Users\user\AppData\...\softokn3.dll, PE32 27->52 dropped 62 56 other files (none is malicious) 27->62 dropped 132 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 27->132 134 Tries to steal Mail credentials (via file access) 27->134 136 Tries to harvest and steal browser information (history, passwords, etc) 27->136 138 Tries to detect virtualization through RDTSC time measurements 27->138 88 iplogger.org 88.99.66.31, 443, 49730, 49738 HETZNER-ASDE Germany 32->88 90 clients.l.google.com 142.250.186.142, 443, 49731, 50602 GOOGLEUS United States 32->90 92 7 other IPs or domains 32->92 54 C:\Users\user\AppData\Local\...\Cookies, SQLite 32->54 dropped 56 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 34->56 dropped 58 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 34->58 dropped 60 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 34->60 dropped 38 conhost.exe 34->38         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/844131e4d854e4963f3e742809946adb7d3644409a819cce010415d611f2a174/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 09:50:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qratdzgyktsjmpz6oquatfdk3n6tmrcatkazztqbaqk5mepsuf2a._file
Verdict:
malicious
Similar samples:
09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac
DiamondFox
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
DiamondFox
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
DiamondFox
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
DiamondFox
88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902
DiamondFox
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
DiamondFox
f2fcd49dd7ce2e64415e73f5276e813e90d53dea18f5fba68e1c8b55e0c1f631
DiamondFox
+ 206 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:socelars family:vidar backdoor discovery evasion spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210723-867183nx6n/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Nirsoft
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Unpacked files
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash:
555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash:
550326b1226629a867d4606ad0c98c4ef9596b47
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
Parent samples :
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SH256 hash:
e2633a6fa326b36f1d0c44d5ca7454dbfbf11e6bae7e8811405f5ef7ff297e8a
MD5 hash:
a0441beac04ccbb21ff06f799e60c32a
SHA1 hash:
917ea3052d98c5ed1c8de6b5bdd408f824f8871a
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
9127d581959ab4c65cd34a6fa25409ef83ffe92bea0b876019b7e3f6ee5d24b3
MD5 hash:
80a694ac31cce628fb5d6cbed3fa0cb9
SHA1 hash:
72fb8bb321a567b731c69c8588fc8e0a98417abb
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
5c0608fffba82ae6b716ebc62f03f81d9fce59eda1fee8e6abebe20af4887c74
MD5 hash:
15af5a75f205f9874f71a5dcd98b6546
SHA1 hash:
69deec05f2039d482435fe30567b2b55e09e18ce
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
021f224a62320acde54efdebaf983240ff13f5c1cf36900966ab0e0f58307634
MD5 hash:
ecba72787e060ca7b0eaa42e7279178f
SHA1 hash:
b208a8440add66f6ffe4a74d02fc2a983db9bd79
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
Parent samples :
844131e4d854e4963f3e742809946adb7d3644409a819cce010415d611f2a174
10b52b26be692aea2c0365965a300d479698bdd72910592b55ea42dcb5a29e1b
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
SH256 hash:
0e92da3cce74ad3949d0892f70019583816fb09769f26bf61116fe297c3744dc
MD5 hash:
36965f487ce103f7be1320659d021f63
SHA1 hash:
19da972f34827a320a28ec80f13e9245d8b7ee44
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
398896043adf6caff3467e1206be8f01207d4637a7866533632352755899f844
MD5 hash:
13d7bb11aa528b473ea70858d14741a4
SHA1 hash:
c9f94b02105d3bc19ea0b3bd01400d8b3ca85b79
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
559a50068461becf6f90e20d4be8476867989bccfc4c519e4aa1e166cefa8da6
MD5 hash:
a9193d274e6285e784ed7827f53f27f8
SHA1 hash:
d1f2842434fc330754ede46752823a91d03e90eb
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
04ea36655df1031253bafb93fef183b19115711b62e06fdbb37892d964b11ce7
MD5 hash:
fdc5b332b0d1bc5a4228085e7a0201b8
SHA1 hash:
99642991336d01d3283e26790d8dd567de9d242c
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
a6a7992c1e85af4fc725a0a7553a41bdf3e661b0cf1914e0b62d63b65e0f96eb
MD5 hash:
ae0ecf65c96ece0c843b062e7c1d6db7
SHA1 hash:
8bc95cbfe5b12d03360acf7a72d466ba79dd13bb
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
SH256 hash:
844131e4d854e4963f3e742809946adb7d3644409a819cce010415d611f2a174
MD5 hash:
4e11cced3478d15d5e579fbfb8ab30e5
SHA1 hash:
b3d3553edeca61e6f9598e0336e147f217740c04
Link:
https://www.unpac.me/results/77454868-e3bb-4542-8b3f-af1465dc34ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/844131e4d854e4963f3e742809946adb7d3644409a819cce010415d611f2a174

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173551/

Comments