MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0
SHA3-384 hash: 1ef22089a547e7488adfec92442519aa63b29ffe837a307a5831526f61a4d645549610c8d7e006fe0141e8ab26fd2828
SHA1 hash: d497f364487fd039f8167ba316e98c819d469088
MD5 hash: ea2b3d6abba472d4f37f31edcf64371c
humanhash: fish-kitten-magnesium-winner
File name:EA2B3D6ABBA472D4F37F31EDCF64371C.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:5'400'049 bytes
First seen:2021-09-06 22:07:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yuEE/LXN/acREegl8Xn+zrnP0xhJuDwhRzV0utBvn3F/92PHPSOSftvW:yuLN/ac0LsJucB0On3F/9gvS0
Threatray 515 similar samples on MalwareBazaar
TLSH T1A5463389E1A57101ECD3AAF31BBD34A67DBC8B1745503A07EB59F882B1F27B1C461E81
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://45.142.215.237/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.237/ https://threatfox.abuse.ch/ioc/216755/

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EA2B3D6ABBA472D4F37F31EDCF64371C.exe
Verdict:
No threats detected
Analysis date:
2021-09-06 22:09:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/479268f5-e61c-40e6-817f-c5befbb7998d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Sharik
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185744/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Deleting a recently created file
Running batch commands
Sending a UDP request
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Creating a window
Creating a process with a hidden window
Delayed writing of the file
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a4608db-2301-4c27-8f28-85cc63b1a4a9
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846148
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478581 Sample: o06RIULPrN.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 98 37.0.10.214 WKD-ASIE Netherlands 2->98 100 185.183.96.3 HSAE Netherlands 2->100 102 16 other IPs or domains 2->102 114 Antivirus detection for URL or domain 2->114 116 Antivirus detection for dropped file 2->116 118 Multi AV Scanner detection for dropped file 2->118 120 15 other signatures 2->120 14 o06RIULPrN.exe 10 2->14         started        signatures3 process4 file5 82 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 14->82 dropped 17 setup.exe 8 14->17         started        process6 file7 64 C:\Users\user\AppData\...\setup_install.exe, PE32 17->64 dropped 66 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 17->66 dropped 68 C:\Users\user\AppData\Local\...\libzip.dll, PE32 17->68 dropped 70 3 other files (none is malicious) 17->70 dropped 20 setup_install.exe 3 17->20         started        process8 file9 72 C:\Users\user\AppData\...\cb614b141f.exe, PE32 20->72 dropped 122 Multi AV Scanner detection for dropped file 20->122 24 cmd.exe 1 20->24         started        27 conhost.exe 20->27         started        signatures10 process11 signatures12 124 Adds a directory exclusion to Windows Defender 24->124 29 cb614b141f.exe 17 24->29         started        process13 file14 74 C:\Users\user\AppData\...\setup_install.exe, PE32 29->74 dropped 76 C:\Users\user\...\Thu08e8f22dec23b.exe, PE32 29->76 dropped 78 C:\Users\user\...\Thu0898a9af0cbc91e74.exe, PE32 29->78 dropped 80 12 other files (5 malicious) 29->80 dropped 32 setup_install.exe 1 29->32         started        process15 dnsIp16 92 8.8.8.8 GOOGLEUS United States 32->92 94 172.67.142.91 CLOUDFLARENETUS United States 32->94 96 127.0.0.1 unknown unknown 32->96 112 Adds a directory exclusion to Windows Defender 32->112 36 cmd.exe 32->36         started        38 cmd.exe 1 32->38         started        40 cmd.exe 32->40         started        42 8 other processes 32->42 signatures17 process18 signatures19 45 Thu08e8f22dec23b.exe 36->45         started        50 Thu0836dbd347b.exe 38->50         started        52 Thu088fadf0b8243.exe 40->52         started        126 Adds a directory exclusion to Windows Defender 42->126 54 Thu0898a9af0cbc91e74.exe 42->54         started        56 Thu0868f8edbe.exe 3 42->56         started        58 Thu0813cdfb0d27.exe 42->58         started        60 3 other processes 42->60 process20 dnsIp21 104 162.159.133.233 CLOUDFLARENETUS United States 45->104 84 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 45->84 dropped 128 Antivirus detection for dropped file 45->128 130 Machine Learning detection for dropped file 45->130 62 mshta.exe 50->62         started        106 74.114.154.22 AUTOMATTICUS Canada 52->106 86 C:\Users\user\...\Thu0898a9af0cbc91e74.tmp, PE32 54->86 dropped 132 Multi AV Scanner detection for dropped file 58->132 108 172.67.195.219 CLOUDFLARENETUS United States 60->108 110 192.168.2.1 unknown unknown 60->110 88 C:\Users\user\AppData\Roaming\2114853.exe, PE32 60->88 dropped 90 C:\Users\user\AppData\Roaming\7666993.exe, PE32 60->90 dropped file22 signatures23 process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 02:54:00 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcllcwfme4ocnhh6uy343fac3nego3xo6avz22knlspq5lvt3oya._file
Verdict:
malicious
Similar samples:
4f4c2c9bdfef8a8cfbe2c8f84bf12cc86f26f59d54c277dab39f4c5e92948708
DiamondFox
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
DiamondFox
96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
DiamondFox
9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b
DiamondFox
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
DiamondFox
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
DiamondFox
e63f3efc1462f054169998d9bdb7e5b2ca0cb78b393e978880458965472f76de
DiamondFox
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
DiamondFox
+ 505 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:706 botnet:pab777 aspackv2 infostealer stealer themida
Link:
https://tria.ge/reports/210906-118tmsbec9/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
Vidar
Malware Config
C2 Extraction:
https://lenko349.tumblr.com/
185.215.113.15:6043
Unpacked files
SH256 hash:
e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862
MD5 hash:
95f9e24e7dd90ee5892743c58801db9f
SHA1 hash:
f107fcd45e57e7b71193f1f1777b8377f5d3cda1
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982
MD5 hash:
35959e37d587e649357c57c2c5797a93
SHA1 hash:
b3f2ef17f1c45e34ea84a70285a14672034a97ae
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022
MD5 hash:
6e5515bdee2907426548266c47390abc
SHA1 hash:
105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
d6488d1275b4578144b03273fe898622c73291b312acc0da1d9d1c9256045da8
MD5 hash:
a1cb9d03144fe3471e5677890d5075dc
SHA1 hash:
de3064b43d8aef20d11cb9a6011452b2a6edccef
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8
MD5 hash:
51894ed4e7fec456b08027e2e6620386
SHA1 hash:
bbffdd90f9a5644086006734e03c15ac28db1ae9
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
13492a113107ae59e2fe02f3c3b9afa411a39caa73b78ea06dec0fb9a970f7a2
MD5 hash:
f0cddb85d1f6e01372db9988700b1849
SHA1 hash:
b561eab96075434a5405459cf2cd947c9cda78fa
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
ffd9ceeda950da333b3c41b0cebcb411159a27db32e3afa0b83d68602573202b
MD5 hash:
36724cae7f4898caa3c3518113922d1b
SHA1 hash:
81c710d53b7940ff0af2a8e83c7340aad5b10e4f
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
431ec1c10ab74dc8db5bc67c2ee525f8368723d83c430503447556f501a55b31
MD5 hash:
95d7311801b28a847745beedccd8b9bc
SHA1 hash:
70f3d3600befe358d9fd2733aaab886510377d98
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
367591f8a40151c4d788bbaa29e20b3dd57ce22f056b51f9f0380e4fd2275c07
MD5 hash:
4e0196b3ab0d47e4a2093ffa87c7326b
SHA1 hash:
58ba603c32b3036477b615cd46a9e834cc4645d8
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
90dbef969fb8b29739533bb61fc87bc6d3cacd7fbf683b0767d4cdbb8c592638
MD5 hash:
169549a8f4d2eb765200ef72aa822231
SHA1 hash:
4c88bae16debacbdf6bccef30fd04650d7b8f988
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
612696af1bca04a1e58d4bda585d793b04e3b25982a389820044a21ee1882a4a
MD5 hash:
315f88c84f98cc3b3aef8a3d868e3d73
SHA1 hash:
3b9c6db0b01edc71dea23ddecc704262c7a1eeb3
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
aff5052dcaceac8cc0d97983c19091be8f1d2fa3b2ea4f649adf0c16855bc8b8
MD5 hash:
b32e81cfce4fb1d3a87156891c95e35c
SHA1 hash:
9a1b6b18d71016d4b7ebe5abbfaaa204d51ece86
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
61c5fcaa49f0d49c151aed1076625455a245150942dd292a29182d8ca1ce6bfc
MD5 hash:
b00957824ab7790185ec07c6e6face35
SHA1 hash:
1107b6a89474fe310fcdd0589a628a06eef5c264
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
c8040666dfc672d25ad082c69e3ba73dd9f012e253a6a3dbb5f24d28ff816575
MD5 hash:
4cd8a3d2d2392735aa89b8d985b479a2
SHA1 hash:
ffde7e9becc0b6ce67829fa8cb7f3d25d44a7028
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
Parent samples :
8303c9a626d7edb090bdd8f0d128fc887b7fa36b0dfc43a7f71dcb5b34b1bbab
ecc23ade7514bff1e172b9a02c27572a66e0d16bb68b4927198dc091abf1c982
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756
9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b
e63f3efc1462f054169998d9bdb7e5b2ca0cb78b393e978880458965472f76de
8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0
1f2a3d598734fe566de2054f3c73fd2245fc6023f0740bdbae88a076f508ebd2
18f74890fef60f1e18d5b1d0b43f100c69b430445187d672bbedf46aff687d09
74bafd56c1fb3cdebf0a63de4ffb6f16dc1d5cee38e11ab0d2bc2614538da65f
07c18e8e0f92e75367df02c4114947b038e86fcbc7c8e5a77df739deb955263a
3d898349908143bef8f7652dada13c6075f84af469349be709b1d33d2ddf6672
SH256 hash:
d97a71e8b4cad9f5b2f3264c8a8bb88f50fd0f343190783615743615c4f31e40
MD5 hash:
f0ba72a7c6c209a9920376fd37e5156b
SHA1 hash:
7feeaa58dbbbaa18817fab15a94577faec21532b
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
79186b353ce2d8381e8faedb81aa7a03b25f782c31d7300eea829e8b4ea3982f
MD5 hash:
bcf30a9dabf41cc63024cb36fd3b6a4d
SHA1 hash:
27b9e9b354aa9065563e96c60f27c2ec48c172b7
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
458c43937b3aa26628aabc75939d6c1886b720a568b1d1f6acb6295339de1938
MD5 hash:
95e5df032edb468db7ca9b4eb8a6ac95
SHA1 hash:
848c033789e75902173f1bc192174c5dc03748d1
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
30559a998c95646797cad9047e3682de7d234d4e2cf5ca3d7b09986fafc53f53
MD5 hash:
e17870a91946df8db29b3f9368295386
SHA1 hash:
42d4e3a4fb3502316fc42ebecc8b2ee55cf0eb4f
Detections:
win_retefe_auto
Create hunting rule
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
464dd401bf1548f91c96163035ff154cda0fddcabc3ea4d4cb1f9b26eba5db8a
MD5 hash:
9837d0d73ea9976655b35b947b38afdf
SHA1 hash:
e09674f214868223ec087bce0865d1424720c687
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
SH256 hash:
8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0
MD5 hash:
ea2b3d6abba472d4f37f31edcf64371c
SHA1 hash:
d497f364487fd039f8167ba316e98c819d469088
Link:
https://www.unpac.me/results/3de564cb-da35-4c03-954c-5890820b3e64/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185744/

Comments