MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox

Vendor detections: 11

SHA256 hash: a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001
SHA3-384 hash: 811fce3cc02a623ae9103a61cab5d9d5c7ff1a1fff12c4c0681717e2787c9f6d3d74ee482d15c88f69fe3051dd12285f
SHA1 hash: 3b7c2d36a7bd94d6d57c73a1dbfd783948422979
MD5 hash: a128c5bc0609f0871555f4e66bb19717
humanhash: fix-cat-jersey-montana
File name: a128c5bc0609f0871555f4e66bb19717.exe
Signature: DiamondFox
File size: 3'505'002 bytes
First seen: 2021-08-13 22:11:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 49152:9gRiwI8xQ4T7zXz6mEDmxu9/d9EvK7NIPIc1vhnkau3hSbx/krAP7Kp32aAgAA5a:y0g7RWYu9/Evxl1uphUxgymGaAxAt9bE
Threatray: 328 similar samples on MalwareBazaar
TLSH: T165F5336CBBC9E357D05A0A782C312B105E63018F1489339F53D76EAC7F41AB262DB7A5
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
http://34.77.115.2/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://34.77.115.2/
ThreatFox reference: https://threatfox.abuse.ch/ioc/185163/

Intelligence

File Origin
# of uploads: 1
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a128c5bc0609f0871555f4e66bb19717.exe
Verdict: No threats detected
Analysis date: 2021-08-13 22:12:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Raccoon RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample is protected by VMProtect
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour

Behavior Graph
Behavior Graph ID: 465111
Sample: jGjGE5ts0G.exe
Start date: 14/08/2021
Architecture: WINDOWS
Score: 100

Start node
  Network: 208.95.112.1 TUT-ASUS United States; 195.201.225.248 HETZNER-ASDE Germany; 10 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 16 other signatures
  Started: jGjGE5ts0G.exe; svchost.exe

jGjGE5ts0G.exe
  Dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  Started: setup_installer.exe

setup_installer.exe
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 3 other files (none is malicious)
  Started: setup_install.exe

setup_install.exe
  Network: 104.21.19.116 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown
  Dropped: C:\Users\user\AppData\...\ed10a8b2b3d6.exe (PE32); C:\Users\user\AppData\...\cb4071ec97a2.exe (PE32); C:\Users\user\AppData\...\c65040c72c7.exe (PE32); 5 other files (2 malicious)
  Started: cmd.exe (three instances); 6 other processes

cmd.exe -> 30dd64a3b09404.exe
  Network: 37.0.10.236 WKD-ASIE Netherlands; 37.0.11.8 WKD-ASIE Netherlands; 12 other IPs or domains
  Dropped: C:\Users\...\zD0tDLvP7WRrOP3kdL7gjfJy.exe (PE32); C:\Users\...\x4JPbf0M5GybDRAwBoOWCgY7.exe (PE32); C:\Users\...\wtmyS_gzBcVyhgmLb3_D14IT.exe (PE32); 43 other files (34 malicious)
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)

cmd.exe -> ed10a8b2b3d6.exe
  Network: 116.203.127.162 HETZNER-ASDE Germany; 74.114.154.22 AUTOMATTICUS Canada
  Dropped: C:\Users\user\AppData\...\freebl3[1].dll (PE32); C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); 10 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 2 other signatures

cmd.exe -> c65040c72c7.exe
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)

6 other processes -> 6f0ef9103.exe
  Network: 186.2.171.3 DDOS-GUARDCORPBZ Belize
  Dropped: C:\Users\user\Documents\...\6f0ef9103.exe (PE32)

6 other processes -> cb4071ec97a2.exe
  Signatures: Creates processes via WMI
  Started: cb4071ec97a2.exe

cb4071ec97a2.exe (child instance)
  Network: 8.8.8.8 GOOGLEUS United States; 172.67.222.125 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
  Started: conhost.exe

6 other processes -> a6d6262485.exe
  Dropped: C:\Users\user\AppData\...\a6d6262485.tmp (PE32)

Threat name: Win32.Infostealer.Passteal
Status: Malicious
First seen: 2021-08-12 07:35:42 UTC
AV detection: 19 of 27 (70.37%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:706 aspackv2 backdoor infostealer spyware stealer suricata trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Unpacked files

SHA256 hash: a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash: 117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash: ff07b1fcc58aa62b42d797981e0d953d9f9e0120

SHA256 hash: 91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656
MD5 hash: a6b572db00b94224d6637341961654cb
SHA1 hash: 9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c

SHA256 hash: 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash: 3263859df4866bf393d46f06f331a08f
SHA1 hash: 5b4665de13c9727a502f4d11afb800b075929d6c

SHA256 hash: f6e8a89445d39406106ec40f51ec6bf2c7dc34641482960d440bc2f8802652b0
MD5 hash: e54a6986056249a0490915cba0ba0ef4
SHA1 hash: 44892df4238ff4f008606ddafbb09fadd8c28794

SHA256 hash: 491b5dd65f81070616fab1c5513842e8d2405b3bbb44ab0c8fb5b3e26bbe017f
MD5 hash: 0b31b326131bbbd444a76bc37fe708fd
SHA1 hash: 2c71c646a257b7749b8a055744112056b92d4ff2

SHA256 hash: ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash: ccf4a60623b784b084855d0468d76eab
SHA1 hash: 9419cc65a1bb70e8780f6da7cedd169eb333db88

SHA256 hash: 4029cfe17d0ff11a3022316e1e2c09eff68b01a3b5cb41a099094e5a1de991d7
MD5 hash: eebd5de1617a5d3531e84279a7037b6a
SHA1 hash: d1e041c9cbd251d4f5141356ad51cafb29beaf06

SHA256 hash: 938e0e0f749c527bc28411c79207d1090d30e9597183fd6a2766877b0414c0d6
MD5 hash: 37ac1646cc4864c7272f76eeba1d2841
SHA1 hash: b14767aaf9ac5fa3a8f12f9ab22a5b5bde431636

SHA256 hash: 4e137b956bb23006a7b69bd78b288c0d65c5f7c8022505c877647a1757c62009
MD5 hash: 12a3abfe618489c4cc1a2f0aed4e4b54
SHA1 hash: 894987e0200bf5f91eb831e3496a5192e7c12ab7

SHA256 hash: d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
MD5 hash: 5b8639f453da7c204942d918b40181de
SHA1 hash: 2daed225238a9b1fe2359133e6d8e7e85e7d6995

SHA256 hash: 15ce493df175abeb16f370d3c33c28cf99e63fc45af8e2ce89e4f0f011207542
MD5 hash: b812d851fcd08f071e13b1ac7e83da10
SHA1 hash: 1c6e606d0707887429e4f41849918ab56358b9e4

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: df6d674013ce24f66df320faf829d720fda51294f673ab12e6ca660d4f5a0d93
MD5 hash: ed22a008628e35cdaa23b15d6cc1fac7
SHA1 hash: 7a05e54bd591efa7e2b53112f76ec74effdb59c0

SHA256 hash: c2b57b7467e0847649cfd47c0a22bd8801fa86f920e89c71e99a6896659d2047
MD5 hash: 1a21b6bd3fff783f6b63d512988104ec
SHA1 hash: 442dff9a2584873af7443c1153dc9a670731d877

SHA256 hash: c3f668640e10b6eb17e155cf7f564c54af57b2719ea5f97ce4bd6cbab92bad7f
MD5 hash: 4ea74e00b361ebbe8f5e06d7a104c697
SHA1 hash: 115fb2bb0ca9aeeb597fc3259371a4f77678322b

SHA256 hash: 4e804eca27ce89ea4a38ab37afb55c3de47923cdbab2032bd8fda5e50137f4f9
MD5 hash: 76b197e7881e89ecc31c56cb0f7dd491
SHA1 hash: b939dcf925f99fb89f3c9c5a15878b8c2411785a

SHA256 hash: f342c8bc75905a5e86b3dd52d889b3b506f11c0c9a5e2e729faa7c3a7a16f1ec
MD5 hash: 1fbe398f2bcb1e19f7d55353f14c54ea
SHA1 hash: eab2804d7500a00b0380713828184e20433ae191

SHA256 hash: a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001
MD5 hash: a128c5bc0609f0871555f4e66bb19717
SHA1 hash: 3b7c2d36a7bd94d6d57c73a1dbfd783948422979

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: RedOctoberPluginCollectInfo

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
