MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007
SHA3-384 hash: 85af6df0b6650123f06a74d117c4c82efcde435a46388586d653873bb53f230439c699ca786e7ec8cf7ec33b4e6055bc
SHA1 hash: 07476d19fa25fafdec37767eb06ca91a4caf2ee9
MD5 hash: ab74af82928f328979d85af5db7debab
humanhash: indigo-island-colorado-uniform
File name:ISF-10+2 光國 WTXLAX200007.scr
Download: download sample
Signature DiamondFox
Create hunting rule
File size:830'976 bytes
First seen:2020-10-06 05:39:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:IZIQNofjTjC+TQ+zVFFfz8OiXDv2JoDTnJdBdsAhQb9o7vj:WI8Y70+zVFFfzLiz//rBdtmbk
Threatray 221 similar samples on MalwareBazaar
TLSH FC05BF1192880267F132D039A626D4B86B729D466A04D2D42DE6DCFFFECFE98F5D0349
Reporter abuse_ch
Tags:DiamondFox scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.genoram.gq
Sending IP: 103.109.37.72
From: Whale TCH / Miffy <admin@genoram.gq>
Subject: 光國 10/08 TXG-LAX CFS 1535 裝船通知
Attachment: ISF-10+2 光國 WTXLAX200007.zip (contains "ISF-10+2 光國 WTXLAX200007.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68395/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a process with a hidden window
Result
Threat name:
Diamondfox
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482273
Signature
Binary contains a suspicious time stamp
Detected unpacking (creates a PE file in dynamic memory)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell creates an autostart link
Powershell drops PE file
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell create lnk in startup
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Yara detected AntiVM_3
Yara detected Diamondfox
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 293574 Sample: ISF-10+2 #U5149#U570b WTXLA... Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 63 crystalvue-tw.com 2->63 71 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->71 73 Found malware configuration 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 10 other signatures 2->77 12 ISF-10+2 #U5149#U570b WTXLAX200007.exe 3 2->12         started        16 conhost.exe 2->16         started        signatures3 process4 file5 59 ISF-10+2 #U5149#U5...TXLAX200007.exe.log, ASCII 12->59 dropped 91 Injects a PE file into a foreign processes 12->91 18 ISF-10+2 #U5149#U570b WTXLAX200007.exe 1 12->18         started        21 ISF-10+2 #U5149#U570b WTXLAX200007.exe 12->21         started        signatures6 process7 signatures8 69 Suspicious powershell command line found 18->69 23 powershell.exe 21 18->23         started        process9 file10 53 C:\Users\user\AppData\Local\...\conhost.exe, PE32 23->53 dropped 55 C:\Users\user\...\conhost.exe:Zone.Identifier, ASCII 23->55 dropped 79 Powershell creates an autostart link 23->79 81 Powershell drops PE file 23->81 27 conhost.exe 3 23->27         started        30 conhost.exe 23->30         started        signatures11 process12 signatures13 83 Multi AV Scanner detection for dropped file 27->83 85 Detected unpacking (creates a PE file in dynamic memory) 27->85 87 Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines) 27->87 89 3 other signatures 27->89 32 conhost.exe 3 27->32         started        36 conhost.exe 27->36         started        38 conhost.exe 27->38         started        40 conhost.exe 27->40         started        process14 dnsIp15 61 crystalvue-tw.com 86.106.93.230, 49754, 49755, 49756 BELCLOUDBG Belize 32->61 65 Disables Windows Defender (via service or powershell) 32->65 67 Injects a PE file into a foreign processes 32->67 42 powershell.exe 16 32->42         started        45 powershell.exe 23 32->45         started        47 conhost.exe 32->47         started        signatures16 process17 file18 57 C:\Users\user\AppData\Roaming\...\conhost.lnk, MS 42->57 dropped 49 conhost.exe 42->49         started        51 conhost.exe 45->51         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 00:20:32 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qylfiwbje4x5sgdwlwkfxncomeeffomvxyqzmvlxw56p5jegqadq._file
Verdict:
malicious
Similar samples:
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f
DiamondFox
516f16ca6f1b1ec44cb6c21f9849ceb0e7474adffce7530d1fe46c4483e5c27f
DiamondFox
521433d5e57056d9453e33f572757e5dde402d9b97b4edee522bff7dcaea579e
DiamondFox
5a69c76991e5c1b6d2f46d9a300fa8902d3ff6fb6afcebeee91697743b0542b7
DiamondFox
7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318
DiamondFox
9e22f04ea9205b5c5cb910ef9be7709b38b189a3d34384baacff53c754ce95bb
DiamondFox
a6964b245e70a97f8633616ede2122a72b6e159a70874beb1d8b3aba26b510dc
DiamondFox
b841402ba599fba5dc3b4775aa53e26445a49c4d7df1fa8e64d26c4cc16c5083
DiamondFox
d33a08e10593effc2e5bd990a67c3759bfdeebf6d91ec5055d4bd4ad5fa07b43
DiamondFox
e281f0b064faeff8de9de21c7bd3ef3b385decbeb9cb69cc72035c02c1571eb4
DiamondFox
+ 211 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201006-abvz72628x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007
MD5 hash:
ab74af82928f328979d85af5db7debab
SHA1 hash:
07476d19fa25fafdec37767eb06ca91a4caf2ee9
Link:
https://www.unpac.me/results/5286b57f-c667-4228-9e00-87fc00447182/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/5286b57f-c667-4228-9e00-87fc00447182/
SH256 hash:
36a43cff23d6602159e8c838661107fc0ff4d415488e4b22edcb4fd872986053
MD5 hash:
fc31f54eb5b42b6cafdb563de02ee81d
SHA1 hash:
2b49b5c53d8c6916d63717d200921f24a62e6cdc
Link:
https://www.unpac.me/results/5286b57f-c667-4228-9e00-87fc00447182/
SH256 hash:
8bddedace6b1e5e2f959ddeda19737d78fda65f742549bb1893af7b463284162
MD5 hash:
14fccefdd934a3e291c1ed731d7a3e20
SHA1 hash:
2fc46f5aad0bb4396bfaba1bfa28d7ea30f87073
Link:
https://www.unpac.me/results/5286b57f-c667-4228-9e00-87fc00447182/
SH256 hash:
265fb595f69533e4b9571667b7e395a6dc1c943fdb670024e03ef4148913ffff
MD5 hash:
a6b1792f975e3ab2c258061c92df1c3e
SHA1 hash:
7bf05158f837b72a2ce3be618b2f2728feba6c09
Link:
https://www.unpac.me/results/5286b57f-c667-4228-9e00-87fc00447182/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DiamondFox

zip e833b7c2b0a0e1b3d9914a3e80e7738eab7453685d864e7a9668387dd0a247d0

DiamondFox

Executable exe 8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007

(this sample)

  
Dropped by
MD5 9f9b7810b1d76a3c81562332be2a356f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e833b7c2b0a0e1b3d9914a3e80e7738eab7453685d864e7a9668387dd0a247d0
Cape
Cape
https://www.capesandbox.com/analysis/68395/

Comments