MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 13


Intelligence 13 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902
SHA3-384 hash: 4c389e21f97885161acafbf5bd73d2450bf5c15048258a4541578215cd3347a2be3dc4cfd8043d2e80fbc148a7279f1e
SHA1 hash: 1208f33ac7bd8d5bbe4089b75fe3b708bfc4bf03
MD5 hash: 00810b59644d1610f9eb57e2d9e175e4
humanhash: salami-delaware-white-potato
File name:00810B59644D1610F9EB57E2D9E175E4.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:4'361'371 bytes
First seen:2021-07-18 14:10:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:Ubhu1zNQzrgiH7hdjJXR85svk3upL/qkyZ9RVlWtH:UluzYF7hdjJXR85svkuLyjRVlS
Threatray 124 similar samples on MalwareBazaar
TLSH T1E516335239C494B3D5662A754E35AB11293CBD201F38CA6F93B8186EDA344D1FF32B93
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://wymesc72.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://wymesc72.top/index.php https://threatfox.abuse.ch/ioc/160942/
http://morjed07.top/index.php https://threatfox.abuse.ch/ioc/160943/
http://x-vpn.ug/hfV3vDtt/index.php https://threatfox.abuse.ch/ioc/160958/

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00810B59644D1610F9EB57E2D9E175E4.exe
Verdict:
Malicious activity
Analysis date:
2021-07-18 14:13:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5bd33cda-0646-4df0-b0f6-55f27815eaf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172413/
Detection(s):
Win.Malware.Generic-9866235-0
Create hunting rule

Win.Malware.Nymeria-9873414-0
Create hunting rule

Win.Malware.SmokeLoader-9874090-1
Create hunting rule

Win.Malware.Generic-9874384-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

Win.Malware.Chapak-9878126-0
Create hunting rule

Win.Malware.Chapak-9879189-0
Create hunting rule

Win.Malware.Nymeria-9879208-0
Create hunting rule

Win.Malware.Chapak-9879385-0
Create hunting rule

Win.Malware.Chapak-9879387-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b867c08c-3f00-4750-93b1-49128415168e
Result
Threat name:
Backstage Stealer Cookie Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817930
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450341 Sample: jYzWBKTsxE.exe Startdate: 18/07/2021 Architecture: WINDOWS Score: 100 119 email.yg9.me 2->119 149 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->149 151 Multi AV Scanner detection for domain / URL 2->151 153 Antivirus detection for URL or domain 2->153 155 14 other signatures 2->155 9 jYzWBKTsxE.exe 1 29 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        signatures3 process4 file5 97 C:\Users\user\Desktop\pub2.exe, PE32 9->97 dropped 99 C:\Users\user\Desktop\jg3_3uag.exe, PE32 9->99 dropped 101 C:\Users\user\Desktop\KRSetp.exe, PE32 9->101 dropped 103 6 other files (3 malicious) 9->103 dropped 16 Infos.exe 9->16         started        21 KRSetp.exe 15 7 9->21         started        23 pub2.exe 9->23         started        33 7 other processes 9->33 25 WerFault.exe 12->25         started        27 WerFault.exe 12->27         started        29 WerFault.exe 12->29         started        31 WerFault.exe 12->31         started        process6 dnsIp7 105 103.155.92.207 TWIDC-AS-APTWIDCLimitedHK unknown 16->105 107 136.144.41.201 WORLDSTREAMNL Netherlands 16->107 115 9 other IPs or domains 16->115 61 C:\Users\...\zXhYMmHTWki4tRnSZF9o6vnH.exe, PE32+ 16->61 dropped 63 C:\Users\...\ozZRdcAQH8Rrn1WC9MHhHece.exe, PE32 16->63 dropped 65 C:\Users\...\nKWes4m2nxoX0X2ZJrg_GHoC.exe, PE32 16->65 dropped 73 27 other files (17 malicious) 16->73 dropped 133 Drops PE files to the document folder of the user 16->133 135 Disable Windows Defender real time protection (registry) 16->135 109 videoconvert-download38.xyz 172.67.201.250, 443, 49771 CLOUDFLARENETUS United States 21->109 67 C:\Users\user\AppData\Roaming\7385876.exe, PE32 21->67 dropped 75 2 other files (none is malicious) 21->75 dropped 137 Performs DNS queries to domains with low reputation 21->137 35 7385876.exe 21->35         started        38 7489660.exe 21->38         started        42 3564026.exe 21->42         started        69 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 23->69 dropped 139 DLL reload attack detected 23->139 141 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 23->141 143 Renames NTDLL to bypass HIPS 23->143 145 Checks if the current machine is a virtual machine (disk enumeration) 23->145 44 explorer.exe 23->44 injected 111 91.241.19.12 REDBYTES-ASRU Russian Federation 33->111 113 www.listincode.com 144.202.76.47, 443, 49738 AS-CHOOPAUS United States 33->113 117 11 other IPs or domains 33->117 71 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 33->71 dropped 77 5 other files (1 malicious) 33->77 dropped 147 Creates processes via WMI 33->147 46 jfiag3g_gg.exe 33->46         started        48 chrome.exe 33->48         started        50 Folder.exe 33->50         started        52 6 other processes 33->52 file8 signatures9 process10 dnsIp11 157 Query firmware table information (likely to detect VMs) 35->157 159 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->159 161 Hides threads from debuggers 35->161 163 Tries to detect sandboxes / dynamic malware analysis system (registry check) 35->163 121 104.21.35.96 CLOUDFLARENETUS United States 38->121 79 C:\ProgramData\58\vcruntime140.dll, PE32 38->79 dropped 81 C:\ProgramData\58\sqlite3.dll, PE32 38->81 dropped 83 C:\ProgramData\58\softokn3.dll, PE32 38->83 dropped 95 4 other files (none is malicious) 38->95 dropped 54 WerFault.exe 38->54         started        85 C:\Users\user\AppData\...\WinHoster.exe, PE32 42->85 dropped 57 WinHoster.exe 42->57         started        165 Tries to harvest and steal browser information (history, passwords, etc) 46->165 123 142.250.185.99 GOOGLEUS United States 48->123 125 googlehosted.l.googleusercontent.com 142.250.74.193, 443, 49761 GOOGLEUS United States 48->125 129 4 other IPs or domains 48->129 87 C:\Users\user\AppData\Local\...\Cookies, SQLite 48->87 dropped 89 C:\Users\user\AppData\Local\Temp\libEGL.dll, PE32+ 50->89 dropped 91 C:\Users\user\...\eventlog_provider.dll, PE32+ 50->91 dropped 93 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 50->93 dropped 59 conhost.exe 50->59         started        127 newja.webtm.ru 92.53.96.150, 49731, 80 TIMEWEB-ASRU Russian Federation 52->127 file12 signatures13 process14 dnsIp15 131 104.43.139.144 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 54->131
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 20:06:03 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdeyy2driqwqfnpsnxdwewjgyhonjxuiu7jrxrjxq33bqiqezeba._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
DiamondFox
2c1e4de15b0a08e77555d4b16f2bb56fae378081a9411138d323b6b52a7e891b
DiamondFox
419dbec500b45dcb0aca32df66ed6107975ae346cea116494e7f36445746aa27
DiamondFox
5c1f581f9d11fd4614ae17de1eaa58f5e37f47d15d18943214abe9c05f55e97d
DiamondFox
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
DiamondFox
bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034
DiamondFox
cc161c44340b9944936e1af83913c62bfe6cdc92703e19fc036e556bd89caf79
DiamondFox
fdccd5539f179d7b405ebbc63749ce662af29a3bbe0b66816cce09029e785aaf
DiamondFox
+ 114 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:15_7_r botnet:865 botnet:903 agilenet backdoor discovery dropper evasion infostealer loader persistence spyware stealer themida trojan upx vmprotect
Link:
https://tria.ge/reports/210718-fn1x3ykm8j/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
CryptBot
CryptBot Payload
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
wymesc72.top
morjed07.top
xtarweanda.xyz:80
https://sslamlssa1.tumblr.com/
Unpacked files
SH256 hash:
df7137b05ea3a31c9f95d8fb6da48693da61cf3bba9aaef04c2d5e72bf63bd9c
MD5 hash:
4b7082c2226e6a3ab4a7f36a487ce3ab
SHA1 hash:
16f0a0e4db0522d7559f07fa1b92e312ab2edf84
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
304e420204d773b118d8062374597577f90d4cf1086814638587bec9cfbeeff5
MD5 hash:
b6799ef54cf66f2b1239f5b7e799c4b1
SHA1 hash:
1c80500d0b79b89f4cde7c8e236721e6f1de7c18
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
d0dff6cfb8b523ec2d1bbedb11bf47aec7ab6a17a3d00bc0a921c7787ae66f5b
MD5 hash:
f007792a9558a2ce1375b4ec4993a36c
SHA1 hash:
108dcb7c17cc5a41924fc39e3c09057cade1ace2
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
e98199099130da0e62f2c6b9f989dd8e3076fdb55162f4a12540eea55e8e890f
MD5 hash:
c70c527554c5dd0acf0c13ee6edff8aa
SHA1 hash:
58c23239da9af51827b30aa41c600b14954bbf15
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash:
555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash:
550326b1226629a867d4606ad0c98c4ef9596b47
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
Parent samples :
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SH256 hash:
21a27c1c007206117edc2618bb834fa31d07f0aa0fe15ef0171e90ec70733017
MD5 hash:
71a8b425237ed53182cebb5dbc841332
SHA1 hash:
4220c9de6b28f499a8e37818e3a1118ca49ed509
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
e7ea471d02218191b90911b15cc9991eab28a1047a914c784966ecd182bd499c
MD5 hash:
7f7c75db900d8b8cd21c7a93721a6142
SHA1 hash:
c8b86e62a8479a4e6b958d2917c60dccef8c033f
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
e1f78561b92e392c01f2dc14021fab196b43dab8d68c052c3256487e3c7c3b0d
MD5 hash:
dddaf4d52b6ccd14e48d55df21771843
SHA1 hash:
6732d81a72a83f59df0899449ad3053ffecc2738
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
55cdb9054f66ed88b8215d9f981efd7421c6f50dc9285140ec5ff591e34121bd
MD5 hash:
5631522a0758055c133e7966c1948802
SHA1 hash:
90caf8180bf43727fc490ffa34b1d578833aad7f
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
c0db7b3683836e025148140a0efdcd92ea7a58e3c6a40b2e27475d1e2f028b2e
MD5 hash:
4a85709f21f295e89b4ba936e9457e4b
SHA1 hash:
a4c64a7369bc2cca1fa39e86c1fa51e35455485a
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
c612a69033bcf47117ab6202a9f4313a6badc2f9be625e08f39f79e99109b6e4
MD5 hash:
ded88fd3c262855314b70b00c2d74c0c
SHA1 hash:
da072027d456f7a186351fa79cdd472df2bee72a
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
3211a67156069a1eb9cbcc0a8758073bcb9c154298a74645fe08a0b1144d748e
MD5 hash:
f277a1686035938fe0709c2140698c73
SHA1 hash:
4de0ff83d23a4ade95eca53b8c02386d96e1344e
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
5d9a147b48ef767a2ad8d96c444320a49f02187cc082461a87e49f9daafee572
MD5 hash:
71c6f293c127ee7bdf408909603d02f0
SHA1 hash:
6daeb6ef5c72ce6c8f1ebb8a1017306189f83f65
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
SH256 hash:
88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902
MD5 hash:
00810b59644d1610f9eb57e2d9e175e4
SHA1 hash:
1208f33ac7bd8d5bbe4089b75fe3b708bfc4bf03
Link:
https://www.unpac.me/results/101eb645-0981-4290-ab98-3a1530399171/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172413/

Comments