MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
SHA3-384 hash: 92ef3bf9a50908158dbe342a42a1f75fdaad0dd490c6e19076552761cdafe933eb607be5f1b70cb051362e3668a59153
SHA1 hash: 268186377c6306055e8c42c1a1bde48adcb735b2
MD5 hash: 500a3b64014de00b03f981299586fae6
humanhash: robert-fifteen-alabama-may
File name:500A3B64014DE00B03F981299586FAE6.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:5'804'570 bytes
First seen:2021-09-05 12:31:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xRrRBN2e1xmerMGHPGm3gfLagxJvzGj66eL1WyeLiUfETuDbb6bRWPDKQ7N5t:xRrR32yzHPGmwfzJGj6f0ye9Vnkkp5t
Threatray 500 similar samples on MalwareBazaar
TLSH T174463329BED0C6B7D8702DF4F60C5BA2E272877B173668D357057860FB2C3598075A8A
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.173/ https://threatfox.abuse.ch/ioc/215894/

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
500A3B64014DE00B03F981299586FAE6.exe
Verdict:
No threats detected
Analysis date:
2021-09-05 12:34:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14d5de40-22fe-431d-bc06-30eff8145ca9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185440/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Creating a file
Deleting a recently created file
Running batch commands
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eada0680-2b43-4fe9-b2c1-b666f9a43f4b
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845535
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477965 Sample: 6WNWU8oUzk.exe Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 94 13.107.4.50 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->94 96 45.90.58.90 GREENFLOID-ASUA Bulgaria 2->96 98 5 other IPs or domains 2->98 116 Multi AV Scanner detection for domain / URL 2->116 118 Antivirus detection for URL or domain 2->118 120 Antivirus detection for dropped file 2->120 122 14 other signatures 2->122 12 6WNWU8oUzk.exe 8 2->12         started        15 svchost.exe 1 2->15         started        signatures3 process4 file5 86 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 12->86 dropped 88 C:\Users\user\AppData\...\setup_install.exe, PE32 12->88 dropped 90 C:\Users\user\AppData\Local\...\libzip.dll, PE32 12->90 dropped 92 3 other files (none is malicious) 12->92 dropped 17 setup_install.exe 3 12->17         started        process6 file7 58 C:\Users\user\...\58a51f2acaa24098.exe, PE32 17->58 dropped 20 cmd.exe 1 17->20         started        23 conhost.exe 17->23         started        process8 signatures9 124 Adds a directory exclusion to Windows Defender 20->124 25 58a51f2acaa24098.exe 17 20->25         started        process10 file11 60 C:\Users\user\AppData\...\setup_install.exe, PE32 25->60 dropped 62 C:\Users\user\AppData\...\Wed17f8546734.exe, PE32 25->62 dropped 64 C:\Users\user\...\Wed17973b80f1b7ee.exe, PE32 25->64 dropped 66 12 other files (4 malicious) 25->66 dropped 28 setup_install.exe 1 25->28         started        process12 dnsIp13 110 8.8.8.8 GOOGLEUS United States 28->110 112 172.67.142.91 CLOUDFLARENETUS United States 28->112 114 127.0.0.1 unknown unknown 28->114 140 Adds a directory exclusion to Windows Defender 28->140 32 cmd.exe 28->32         started        34 cmd.exe 28->34         started        36 cmd.exe 28->36         started        38 7 other processes 28->38 signatures14 process15 signatures16 41 Wed17f8546734.exe 32->41         started        46 Wed17631ea38e1e.exe 34->46         started        48 Wed1721b23025489.exe 36->48         started        126 Adds a directory exclusion to Windows Defender 38->126 50 Wed1737159769dee23c.exe 38->50         started        52 Wed17c84299447a8.exe 38->52         started        54 powershell.exe 25 38->54         started        56 2 other processes 38->56 process17 dnsIp18 100 37.0.10.214 WKD-ASIE Netherlands 41->100 102 31.210.20.251 PLUSSERVER-ASN1DE Netherlands 41->102 108 9 other IPs or domains 41->108 68 C:\Users\...\zSRDH0yHLuwS1uHG5t2Rgc1i.exe, PE32 41->68 dropped 70 C:\Users\...\vlCwp8qbEXVh6wVCvANNK_UR.exe, PE32 41->70 dropped 72 C:\Users\...\vAObg8CCL102MCFKQoyGols4.exe, PE32 41->72 dropped 80 49 other files (41 malicious) 41->80 dropped 128 Drops PE files to the document folder of the user 41->128 130 Tries to harvest and steal browser information (history, passwords, etc) 41->130 132 Disable Windows Defender real time protection (registry) 41->132 104 172.67.141.201 CLOUDFLARENETUS United States 46->104 74 C:\Users\user\AppData\Roaming\8703983.exe, PE32 46->74 dropped 76 C:\Users\user\AppData\Roaming\4966462.exe, PE32 46->76 dropped 82 3 other files (none is malicious) 46->82 dropped 134 Detected unpacking (changes PE section rights) 46->134 106 74.114.154.22 AUTOMATTICUS Canada 48->106 136 Machine Learning detection for dropped file 48->136 78 C:\Users\user\...\Wed1737159769dee23c.tmp, PE32 50->78 dropped 138 Antivirus detection for dropped file 50->138 84 2 other files (none is malicious) 52->84 dropped file19 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 07:02:34 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2z2n6el5ozbgiyl2ohzlacemyuwyi4oa52imhhoy2wuijg47ncq._file
Verdict:
unknown
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
DiamondFox
3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
DiamondFox
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
DiamondFox
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
DiamondFox
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
DiamondFox
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
DiamondFox
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
DiamondFox
+ 490 additional samples on MalwareBazaar
Result
Malware family:
vkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:vidar family:vkeylogger botnet:706 botnet:937 botnet:b8ef25fa9e346b7a31e4b6ff160623dd5fed2474 botnet:pab777 aspackv2 backdoor discovery dropper evasion infostealer keylogger loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/210905-pqmmwahfb3/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
VKeylogger
VKeylogger Payload
Vidar
Malware Config
C2 Extraction:
https://lenko349.tumblr.com/
185.215.113.15:6043
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
c6b27043e32354f111a6080ca0e96b8fa0a334f92b538cdfc8dc297380479d08
MD5 hash:
10c90ba5a47c8c640e814a37f5901a9e
SHA1 hash:
de2b4ac96d10e59b0abe48c660b6d74dcdbe2f50
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
c0761900602cd14bfb3e6abe397dce2ddaabac4e635c272eb524ae1140131bac
MD5 hash:
6e60d71bf9b003280c490d951fcf4feb
SHA1 hash:
d89c86328ffea1151d0e62867193d6f178369b1d
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8
MD5 hash:
51894ed4e7fec456b08027e2e6620386
SHA1 hash:
bbffdd90f9a5644086006734e03c15ac28db1ae9
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
e98a890955e8369cd79709b147fdf513dc222a68eb503127829c8300fa32f30b
MD5 hash:
9d6b4995214632e3aabe2f62de71ba8e
SHA1 hash:
8a5b52a807be6c6b2b55bfd89bfdf68f99aa564e
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
f2e5b3b710ceb2a8d41cd9ad6da781851607d15456e22f254cb5284d713dba9d
MD5 hash:
f91ab5a1a6fced7173f86923c04d9d45
SHA1 hash:
80e856f67e1cf8c30243b0a2f60e22728bc65e52
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
367591f8a40151c4d788bbaa29e20b3dd57ce22f056b51f9f0380e4fd2275c07
MD5 hash:
4e0196b3ab0d47e4a2093ffa87c7326b
SHA1 hash:
58ba603c32b3036477b615cd46a9e834cc4645d8
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
96aebb504a87e240a46e3e6b0cdfbaf6fc1e846e22a6fc2393c45c3208184f6c
MD5 hash:
d2c1d7aae1a68dfc796d0740a341740b
SHA1 hash:
400e51592995edb266d84b0c7db1f41fdb3dc342
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
8c2df8b7dd3f3da28dfc8ea14abf9fc6d40dc87973de8af69c5274d3ae86affe
MD5 hash:
d3022335f0de5967538364edc6f76783
SHA1 hash:
157743b90ee241b0e721c74cc0e9f832c68a17dc
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862
MD5 hash:
95f9e24e7dd90ee5892743c58801db9f
SHA1 hash:
f107fcd45e57e7b71193f1f1777b8377f5d3cda1
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982
MD5 hash:
35959e37d587e649357c57c2c5797a93
SHA1 hash:
b3f2ef17f1c45e34ea84a70285a14672034a97ae
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022
MD5 hash:
6e5515bdee2907426548266c47390abc
SHA1 hash:
105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
c8040666dfc672d25ad082c69e3ba73dd9f012e253a6a3dbb5f24d28ff816575
MD5 hash:
4cd8a3d2d2392735aa89b8d985b479a2
SHA1 hash:
ffde7e9becc0b6ce67829fa8cb7f3d25d44a7028
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
Parent samples :
8303c9a626d7edb090bdd8f0d128fc887b7fa36b0dfc43a7f71dcb5b34b1bbab
ecc23ade7514bff1e172b9a02c27572a66e0d16bb68b4927198dc091abf1c982
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756
9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b
e63f3efc1462f054169998d9bdb7e5b2ca0cb78b393e978880458965472f76de
8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0
1f2a3d598734fe566de2054f3c73fd2245fc6023f0740bdbae88a076f508ebd2
18f74890fef60f1e18d5b1d0b43f100c69b430445187d672bbedf46aff687d09
74bafd56c1fb3cdebf0a63de4ffb6f16dc1d5cee38e11ab0d2bc2614538da65f
07c18e8e0f92e75367df02c4114947b038e86fcbc7c8e5a77df739deb955263a
3d898349908143bef8f7652dada13c6075f84af469349be709b1d33d2ddf6672
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
7a4d6a3eea3a78d1cf86d94b4ed95364ee872a8ee48ada6dd513176140bd0e93
MD5 hash:
eb1ac06d91ff5ae0accbfb81513372f1
SHA1 hash:
59a6c96f10fdf6ec9e7f20ce7c92e2f31234967e
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
61c5fcaa49f0d49c151aed1076625455a245150942dd292a29182d8ca1ce6bfc
MD5 hash:
b00957824ab7790185ec07c6e6face35
SHA1 hash:
1107b6a89474fe310fcdd0589a628a06eef5c264
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
6f0c93fbb331b821ce8f70110834ca0d14b7be669dae96af22270fa31b7e36aa
MD5 hash:
35bc072d030d6b102d5f8345e053781a
SHA1 hash:
2cdf5ebf0d3c477adf65d76a138b70e8b6307223
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
58b519219d8ef2361f713852193c047e59ab8c2631bb5e8711a47f1f1ac8e5b5
MD5 hash:
e6979a1562028a2860489b28babe90ba
SHA1 hash:
6ca16f4008ea638c1ba03f643f478406d2005a7f
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
8cf3bee91e0446a9ed64e985d03c2c03889e0724907c6543c5053e653b413147
MD5 hash:
a88b613553018ad0e821022a15c094fb
SHA1 hash:
1ca119ab36b1f62e94d3f7aafed258125068012c
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
9c2edee328359f4bbf3f070f8d18372cd907301ea818e029601c59399e46cd8c
MD5 hash:
e6a5409213374da7035ed392a577e52f
SHA1 hash:
4df8bacf2ca3dddf9e0ed0ae03a5bc7de140b541
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
570519d3995eb914e3282d42e3954ff975a52a9460b345945e53db1801983460
MD5 hash:
c49d984aa25913cff491a4299324d8a8
SHA1 hash:
13e7c9b38df309aecf67f64c1f3573f87f2c5440
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
SH256 hash:
96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
MD5 hash:
500a3b64014de00b03f981299586fae6
SHA1 hash:
268186377c6306055e8c42c1a1bde48adcb735b2
Link:
https://www.unpac.me/results/7cadfafc-b10c-4832-8755-eabb5a2454bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185440/

Comments