MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884
SHA3-384 hash: 07decd70e29f49981664dda19448a345a7863750903351e548c43fc0e444e717f765631f1d010481efc201ee11bf7a92
SHA1 hash: eeab48b61aabf4a403a5feb47b9b88c31d63b525
MD5 hash: c24d05331d2cf344af12c1c169270846
humanhash: potato-august-glucose-bravo
File name:C24D05331D2CF344AF12C1C169270846.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:963'544 bytes
First seen:2021-07-03 09:06:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'457 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 12288:aQi3B0ofuu2ydD1238K6P7GoqNKjJ0pWR6m6UR0I2me1OWITjRXTwDFzDjDXgC4e:aQiLVBB0HIM1fDFDPXDnARIFDPzCWic
TLSH DF251219A746E8F5D0222A71DA13B7108233EE506EB7D50D3D4C7ACA6F663F485C3B1A
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
213.189.218.18:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
213.189.218.18:80 https://threatfox.abuse.ch/ioc/157416/

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C24D05331D2CF344AF12C1C169270846.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-03 09:08:34 UTC
Tags:
installer
Link:
https://app.any.run/tasks/772a23f2-0dc1-4f27-9f3c-e6737d16c1ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff2de07b-5798-4ff3-916d-4b20a9672fb4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811403
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443814 Sample: 0h3pHSa6GU.exe Startdate: 03/07/2021 Architecture: WINDOWS Score: 100 86 Multi AV Scanner detection for domain / URL 2->86 88 Antivirus detection for URL or domain 2->88 90 Antivirus detection for dropped file 2->90 92 5 other signatures 2->92 9 0h3pHSa6GU.exe 2 2->9         started        12 Qacuberura.exe 2->12         started        process3 dnsIp4 68 C:\Users\user\AppData\...\0h3pHSa6GU.tmp, PE32 9->68 dropped 15 0h3pHSa6GU.tmp 3 19 9->15         started        80 superstationcity.com 12->80 70 C:\Program Files (x86)\...\Windows Update.exe, PE32 12->70 dropped 72 C:\...\Windows Update.exe.config, XML 12->72 dropped 19 Windows Update.exe 12->19         started        file5 process6 dnsIp7 84 superstationcity.com 194.163.135.248, 49712, 49731, 80 NEXINTO-DE Germany 15->84 42 C:\Users\user\AppData\...\758____Dawn.exe, PE32 15->42 dropped 44 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 15->46 dropped 48 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 15->48 dropped 21 758____Dawn.exe 22 20 15->21         started        26 dw20.exe 19->26         started        file8 process9 dnsIp10 74 requested404.com 63.250.33.126, 49724, 80 NAMECHEAP-NETUS United States 21->74 76 iplogger.org 88.99.66.31, 443, 49728 HETZNER-ASDE Germany 21->76 78 2 other IPs or domains 21->78 52 C:\Users\user\AppData\...\SHodipizhyxo.exe, PE32 21->52 dropped 54 C:\Users\user\AppData\...\Vojavopiby.exe, PE32 21->54 dropped 56 C:\Program Files (x86)\...\Qacuberura.exe, PE32 21->56 dropped 58 4 other files (3 malicious) 21->58 dropped 94 May check the online IP address of the machine 21->94 96 Machine Learning detection for dropped file 21->96 28 Vojavopiby.exe 14 4 21->28         started        32 SHodipizhyxo.exe 2 21->32         started        34 prolab.exe 2 21->34         started        file11 signatures12 process13 dnsIp14 82 connectini.net 28->82 98 Detected unpacking (overwrites its own PE header) 28->98 100 Machine Learning detection for dropped file 28->100 102 Antivirus detection for dropped file 32->102 37 dw20.exe 17 2 32->37         started        50 C:\Users\user\AppData\Local\...\prolab.tmp, PE32 34->50 dropped 39 prolab.tmp 27 26 34->39         started        file15 signatures16 process17 file18 60 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 39->60 dropped 62 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 39->62 dropped 64 C:\Program Files (x86)\...\is-U923T.tmp, PE32 39->64 dropped 66 8 other files (none is malicious) 39->66 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-30 21:32:44 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r4xejqutmxxi33ify7pel2l5fv2qznbqx5pkf2rhvvemf6u47cca._file
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:vidar family:zloader botnet:domlyla botnet:vasja campaign:vasja backdoor botnet discovery dropper evasion infostealer loader persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210703-h1nberqjv2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Gathers network information
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
VMProtect packed file
Checks for common network interception software
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
detuyaluro.xyz:80
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/e014f3b3-c072-4d99-a65a-441845160f69/
SH256 hash:
d4307646a0d7402e2a7b12d5ab2ae78947ee17dd040262fcb9d6f67f4403ecc5
MD5 hash:
a9a085292f13ea5649b7fd31391ed0f3
SHA1 hash:
686d479dcc3537d8bce0f854859f989f11b0ace2
Link:
https://www.unpac.me/results/e014f3b3-c072-4d99-a65a-441845160f69/
SH256 hash:
8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884
MD5 hash:
c24d05331d2cf344af12c1c169270846
SHA1 hash:
eeab48b61aabf4a403a5feb47b9b88c31d63b525
Link:
https://www.unpac.me/results/e014f3b3-c072-4d99-a65a-441845160f69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments