MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d8cd417a894c7c1a719251b626f9e038410a009f6d2a1a6b820a64d6e6ed2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85d8cd417a894c7c1a719251b626f9e038410a009f6d2a1a6b820a64d6e6ed2d
SHA3-384 hash: 09db2d3dcf67db3bb105808588e9a32a10294c4095cac3ac66f75cadb02161814523f68e36741752eb0011db3e2070dd
SHA1 hash: 73ee7a9af2ce35095220d9659bd718e1c777f92d
MD5 hash: 96fc3528782a191efca64aa289ca0f73
humanhash: batman-carolina-pluto-lemon
File name:96FC3528782A191EFCA64AA289CA0F73.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:1'541'454 bytes
First seen:2021-07-25 00:36:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 24576:Eg55B5dxx6X/vmbchN44fJFnDSKTOwfH1hut5IggSCYuSA6+x8QfTXlZ0CYqb1B:Eg1jv6XKchfycOwfHrufngS5uV6+20T1
Threatray 232 similar samples on MalwareBazaar
TLSH T11065331EB844C176C607DF359C62132229FE8821AA305E5777A54BCBBE135F4F248BA6
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
193.56.146.60:51431

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.56.146.60:51431 https://threatfox.abuse.ch/ioc/162770/

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
96FC3528782A191EFCA64AA289CA0F73.exe
Verdict:
No threats detected
Analysis date:
2021-07-25 00:40:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/65ea317a-7e9d-4ecb-bd0f-8f92e626a047

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173960/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/485f1570-e8bb-4b6c-8fe9-9990d34bc6ce
Result
Threat name:
Backstage Stealer Glupteba RedLine Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821367
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453778 Sample: tEya6kw8XB.exe Startdate: 25/07/2021 Architecture: WINDOWS Score: 100 78 37.0.8.225 WKD-ASIE Netherlands 2->78 80 128.1.32.84 HINETDataCommunicationBusinessGroupTW United States 2->80 82 13 other IPs or domains 2->82 104 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->104 106 Multi AV Scanner detection for domain / URL 2->106 108 Antivirus detection for URL or domain 2->108 110 21 other signatures 2->110 12 tEya6kw8XB.exe 10 2->12         started        signatures3 process4 file5 52 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->52 dropped 15 setup_installer.exe 10 12->15         started        process6 file7 70 C:\Users\user\AppData\...\setup_install.exe, PE32 15->70 dropped 72 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 15->72 dropped 74 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 15->74 dropped 76 5 other files (none is malicious) 15->76 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 84 wxkeww.xyz 172.67.179.203, 49723, 80 CLOUDFLARENETUS United States 18->84 86 127.0.0.1 unknown unknown 18->86 112 Detected unpacking (changes PE section rights) 18->112 114 Performs DNS queries to domains with low reputation 18->114 22 cmd.exe 1 18->22         started        24 cmd.exe 1 18->24         started        26 conhost.exe 18->26         started        signatures10 process11 process12 28 karotima_1.exe 4 54 22->28         started        33 karotima_2.exe 1 24->33         started        dnsIp13 98 www.szwbjs.com 28->98 100 37.0.11.9, 49729, 80 WKD-ASIE Netherlands 28->100 102 12 other IPs or domains 28->102 54 C:\Users\...\uHum39BtU95y2ODUNahfarx9.exe, PE32 28->54 dropped 56 C:\Users\...\rldToyGY0jCZFmlhVBd2ZqW5.exe, PE32+ 28->56 dropped 58 C:\Users\...\qBlyw7KVJRHqTMp059_dwWrI.exe, PE32 28->58 dropped 62 31 other files (29 malicious) 28->62 dropped 134 Drops PE files to the document folder of the user 28->134 136 May check the online IP address of the machine 28->136 138 Performs DNS queries to domains with low reputation 28->138 148 2 other signatures 28->148 35 DlSSbV8_P8XavKngqgywyUPk.exe 28->35         started        38 QmoSnnqbfdSCq0mieMC957OK.exe 28->38         started        41 i9Uq_zLmeTCKpGsSE6XpQ383.exe 28->41         started        45 10 other processes 28->45 60 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 33->60 dropped 140 DLL reload attack detected 33->140 142 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->142 144 Renames NTDLL to bypass HIPS 33->144 146 Checks if the current machine is a virtual machine (disk enumeration) 33->146 43 explorer.exe 3 9 33->43 injected file14 signatures15 process16 dnsIp17 116 Query firmware table information (likely to detect VMs) 35->116 118 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->118 120 Tries to detect virtualization through RDTSC time measurements 35->120 132 2 other signatures 35->132 88 g-prtnrs.top 91.241.19.12 REDBYTES-ASRU Russian Federation 38->88 122 Detected unpacking (changes PE section rights) 38->122 124 Detected unpacking (overwrites its own PE header) 38->124 126 Sample uses process hollowing technique 41->126 128 Injects a PE file into a foreign processes 41->128 90 192.168.2.1 unknown unknown 43->90 92 ip-api.com 208.95.112.1 TUT-ASUS United States 45->92 94 193.56.146.60 LVLT-10753US unknown 45->94 96 5 other IPs or domains 45->96 64 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 45->64 dropped 66 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 45->66 dropped 68 C:\Users\user\AppData\...\aaa_v005[1].dll, DOS 45->68 dropped 130 May check the online IP address of the machine 45->130 48 conhost.exe 45->48         started        50 conhost.exe 45->50         started        file18 signatures19 process20
Gathering data
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 01:59:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxmm2ql2rfghygtrsji3mjxz4a4eccqat5wsugtlqifgjvxg5uwq._file
Verdict:
unknown
Similar samples:
0bfeff80f0a3f724a9ed3d36d1ae8f957a2df82e778e31203421dece1af586b9
DiamondFox
20ed0f1b402d630a3e131e9e788c57a74d348bcc358e1c0e6f5fd112ad838ab3
DiamondFox
2263fd1332612187cb951793ae3b34b74bd815da95d82b9d04d1fd6facb8311b
DiamondFox
356e6444780389e9a1432eb575cea622a01bab5d8331f1c3b13046ca8209d06b
DiamondFox
510d3eadc5652908d47db79067009b04cf4e9234720f052e90cc7d18ffad0b20
DiamondFox
5c5a71fd5e122ae176b592ae080a18f61b38653ab9405e1724dfe053ddbf6d1c
DiamondFox
6bb22351b0b468f3b05880df6e8a61f7ed792d90af19163e703a2c649b53cb14
DiamondFox
d09cb69744c809f1e48fda7e9ab5623852a42fc6f2cf79547ecc3329871e84ca
DiamondFox
e10f5bc4cb6610bd2aee334a581f2a9872b16c830bdce2f67ffe3cf57bf0b065
DiamondFox
+ 222 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:buran family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:23_7_r botnet:865 botnet:903 botnet:newone botnet:sel21 aspackv2 backdoor discovery dropper evasion infostealer loader ransomware spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210725-zl1evtbzyx/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Interacts with shadow copies
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Buran
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
193.56.146.60:51431
zertypelil.xyz:80
salkefard.xyz:80
86.106.181.209:18845
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Link:
https://www.unpac.me/results/81b917f7-aba0-428b-ad38-ebabdfa51b12/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
4abd107f8a0defd4522d05abbfb693c7d6981566e0513793ea653e5e0b609d0f
MD5 hash:
d1e18bdecbf416b1d9c9d9268a1f2bdb
SHA1 hash:
f329b93f9c8442bfd70e9975e26bc09c76c3d7f2
Link:
https://www.unpac.me/results/81b917f7-aba0-428b-ad38-ebabdfa51b12/
SH256 hash:
c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e
MD5 hash:
9108ad5775c76cccbb4eadf02de24f5d
SHA1 hash:
82996bc4f72b3234536d0b58630d5d26bcf904b0
Link:
https://www.unpac.me/results/81b917f7-aba0-428b-ad38-ebabdfa51b12/
Parent samples :
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
16093751461569683e7bb5097fd882ced7f854933dcaba6f62510dafc0a57e2e
MD5 hash:
47d7cda9d63c5f66328b5ed78a9663f9
SHA1 hash:
4426eb8dffe79602c5d500cce9d28461b70e3bb2
Link:
https://www.unpac.me/results/81b917f7-aba0-428b-ad38-ebabdfa51b12/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/81b917f7-aba0-428b-ad38-ebabdfa51b12/
SH256 hash:
eb578278c4926c4fdd2c997fbad7592db11ac7db088f97b4ff94dc3e65cc028b
MD5 hash:
5aaedecdc0916766cca6448d206eb3e0
SHA1 hash:
b8efad85f17f6d4695fc6043c2a70c803254f9f5
Link:
https://www.unpac.me/results/81b917f7-aba0-428b-ad38-ebabdfa51b12/
SH256 hash:
85d8cd417a894c7c1a719251b626f9e038410a009f6d2a1a6b820a64d6e6ed2d
MD5 hash:
96fc3528782a191efca64aa289ca0f73
SHA1 hash:
73ee7a9af2ce35095220d9659bd718e1c777f92d
Link:
https://www.unpac.me/results/81b917f7-aba0-428b-ad38-ebabdfa51b12/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85d8cd417a894c7c1a719251b626f9e038410a009f6d2a1a6b820a64d6e6ed2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173960/

Comments