MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ad452c41af7ed761449a51cca42b89827921f70f564331a4eed7a191c37c325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ad452c41af7ed761449a51cca42b89827921f70f564331a4eed7a191c37c325
SHA3-384 hash: 3c384295f40c9d096c200cf1f7f7925f799607fba308630359796940ae15d25f90dab6340d6ae5b12d863e8642f11771
SHA1 hash: 9cdb3b09d484bf50f8fa42b210e1e36ff3910ba4
MD5 hash: 67397c537c058858df34d0ae99941a66
humanhash: pennsylvania-four-illinois-august
File name:9
Download: download sample
Signature DiamondFox
Create hunting rule
File size:145'920 bytes
First seen:2020-11-05 06:10:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9ff7327d844853e487d5de2408f53ec9 (1 x DiamondFox, 1 x ZLoader)
ssdeep 3072:FVtLnjvPlwRS//4hiFvTGJRKpLxM3Rik+S2oB3OWgXqKRaZ6:F7LnJH//44FgKTWL25Lql8
Threatray 3'138 similar samples on MalwareBazaar
TLSH D5E3AE1139E2C4B2D2A2697148B0DBB50A7FFC72677542CB3B983A2E5F702C04A75793
Reporter SAJJEDHASSAN
Tags:DiamondFox Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83048/
Detection(s):
Win.Dropper.Glupteba-9781264-0
Create hunting rule

Win.Packed.Generickdz-9781272-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/520936
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell create lnk in startup
Suspicious powershell command line found
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309565 Sample: 9 Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 44 vaxton.site 2->44 46 ip.seeip.org 2->46 54 Antivirus detection for dropped file 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 7 other signatures 2->60 10 9.exe 1 2->10         started        13 atiedxx.exe 2->13         started        15 OpenWith.exe 2->15         started        signatures3 process4 signatures5 70 Detected unpacking (changes PE section rights) 10->70 72 Detected unpacking (overwrites its own PE header) 10->72 74 Suspicious powershell command line found 10->74 17 powershell.exe 21 10->17         started        process6 file7 36 C:\Users\user\AppData\Local\...\atiedxx.exe, PE32 17->36 dropped 38 C:\Users\user\...\atiedxx.exe:Zone.Identifier, ASCII 17->38 dropped 52 Powershell drops PE file 17->52 21 atiedxx.exe 2 18 17->21         started        26 conhost.exe 17->26         started        signatures8 process9 dnsIp10 48 vaxton.site 8.208.97.167, 49742, 49743, 49744 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 21->48 50 ip.seeip.org 23.128.64.141, 443, 49740 JOESDATACENTERUS United States 21->50 40 C:\Users\user\AppData\Local\Temp\lsass, PE32+ 21->40 dropped 42 C:\Users\user\...\1603539326_rupaul[1].exe, PE32+ 21->42 dropped 62 Antivirus detection for dropped file 21->62 64 Multi AV Scanner detection for dropped file 21->64 66 Detected unpacking (changes PE section rights) 21->66 68 6 other signatures 21->68 28 powershell.exe 5 21->28         started        30 powershell.exe 5 21->30         started        file11 signatures12 process13 process14 32 conhost.exe 28->32         started        34 conhost.exe 30->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ad452c41af7ed761449a51cca42b89827921f70f564331a4eed7a191c37c325/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 13:01:34 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tlkffra267wxmfcjuuomuqvytatzeh3q6vsdggso5v5bshbxymsq._file
Verdict:
malicious
Similar samples:
0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a
DiamondFox
0da94c587aef560c9ff0d315cff1c1e073f8ab71f31b259cb78bb9c2293ece80
DiamondFox
14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
DiamondFox
81f7c328aef1d0b652a4e7b4157b34f2b462ace5c2f2483350b1a5e156ce8adb
DiamondFox
8affd0d74b7fea47b03869e3fb44a1f76144b751503eac0d8c61c203f6a081f9
DiamondFox
c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934
DiamondFox
c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead
DiamondFox
d4d22a42f8307b64ffeeaa26275000213a940c1792231db0911678d7bbb2cfb9
DiamondFox
e74ff01d6412f87caf49182bdf1cae9e6d7200a3c176e37b7ff14b158f1a7433
DiamondFox
fd9a58a1ecdcfcfe67bc1eb8d2d2d35ec30a93651c6c60cca4c519b19c20be39
DiamondFox
+ 3'128 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201105-7rfqh79ewn/
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
9ad452c41af7ed761449a51cca42b89827921f70f564331a4eed7a191c37c325
MD5 hash:
67397c537c058858df34d0ae99941a66
SHA1 hash:
9cdb3b09d484bf50f8fa42b210e1e36ff3910ba4
Link:
https://www.unpac.me/results/190d5841-3f55-4bd0-8eec-1b4f0c7433ae/
SH256 hash:
04cbf0652f570ec796aee70f3cbb9e64282fd147de3ca2a166d903a6019d2af9
MD5 hash:
266cb6ce5f0d04fc685ac28e0f5cad76
SHA1 hash:
5e4a0be1d8a8e0004bfe9bef8a3c786fad4a7482
Link:
https://www.unpac.me/results/190d5841-3f55-4bd0-8eec-1b4f0c7433ae/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DiamondFox

Executable exe 9ad452c41af7ed761449a51cca42b89827921f70f564331a4eed7a191c37c325

(this sample)

anyrun
any.run
https://app.any.run/tasks/9348550a-2d99-4c4d-adb6-ebe69399fcab/#
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83048/

Comments