MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox

Vendor detections: 7


SHA256 hash: aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
SHA3-384 hash: 4951534bcc58635c609e800fb3ee96e18587ff559d95b2bfa903db83649b9361b9b13996949ca814d6b476f4b3ec7ae3
SHA1 hash: d0b1569b0ca632defc74a6320658c0c1481f3ee1
MD5 hash: e69948a6953a77464e92ac44fe945242
humanhash: yankee-red-fruit-pluto
File name: E69948A6953A77464E92AC44FE945242.exe
Signature: DiamondFox
File size: 3'035'844 bytes
First seen: 2021-09-06 22:06:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcBhEwJ84vLRaBtIl9mVJUv0E5ZpAR7px2jOT+lp4wC/+nDVHrP7gvUQI0QBJ:xbCvLUBsgI0gZpU7pcOT+rL+4JbWUQ8
Threatray: 191 similar samples on MalwareBazaar
TLSH: T17AE533583AC2C0F3E9815074BE586FF2A1FAD3880F7A898B3761028D5F3D5E9D21755A
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
http://45.142.215.237/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://45.142.215.237/
ThreatFox reference: https://threatfox.abuse.ch/ioc/216755/

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: E69948A6953A77464E92AC44FE945242.exe
Verdict: No threats detected
Analysis date: 2021-09-06 22:34:02 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Sending a UDP request
Sending an HTTP GET request
Reading critical registry keys
Deleting a recently created file
Creating a file
Creating a file in the %AppData% directory
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Threat name: Win32.Trojan.ArkeiStealer
Status: Malicious
First seen: 2021-09-01 16:47:04 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:smokeloader family:vidar botnet:706 aspackv2 backdoor evasion stealer themida trojan
Behaviour
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
SmokeLoader
Vidar
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files

SHA256 hash: a1a1f636b65bd84247c87965980f3adc0fa1316506a56bb6ea1042de0c9526c6
MD5 hash: 638e8b3e6640a0885cd8a1fe8ff70065
SHA1 hash: 56e819d5ff1b424f1c8d39d82d699f5567bcfac9

SHA256 hash: a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash: 0c6cae115465a83f05d3ff391fd009ac
SHA1 hash: 066ea93bb540ae4be0d2e522d4bb59eec74053ad

SHA256 hash: 835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash: 6961557695f34a53cf8224be7c265fbe
SHA1 hash: f52d34d0b1dbd181f2acb21f42d875d514afb6f7

SHA256 hash: 16fe676f338597ae7eb18cb0b514a5112e1647350b8415ab1a5acc2e49bcfb51
MD5 hash: 81f4be10fd5f6c757d7b4a0edba497c2
SHA1 hash: d9cf8601bb46ce25660b5b0be7e42f1c3b3d9eae

SHA256 hash: 1b9d29f4887cb5ec2f7980f3b51fccf0eb699bf81361b31342e9a895cc362c8d
MD5 hash: abea1f518f0b3957a1755eae02698ca3
SHA1 hash: b3130e09832595c47cfb06a883388fabdd5bc488

SHA256 hash: 98e7f9b7d0bef132b5871d098f628ac8b8a2bb20a51100267826d522b31a6a90
MD5 hash: c10dbbcfe59adf575309c00f4144a195
SHA1 hash: b1773fe090a4b86f38ef14a7fae4fddd867da673

SHA256 hash: adaebc4e58571c1f9ed4d7f2dd69045c4e7f1b7781dee2e97d5090e4ba7630e4
MD5 hash: bc972d6cf21476d7396095f1452e359a
SHA1 hash: 97286c9348dcd80e99b686b1bfaf00b32e2ef28d

SHA256 hash: fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash: 052270e8e9cfb3512932e0df484caef4
SHA1 hash: 85305fee690beea8458bab5d55d0368c47340501

SHA256 hash: 3e9fbd899c570ef27f7af37a63aae9b2d1b3a5e6717e571b9e8ed6efcf63778b
MD5 hash: 56d5c8e1d4431050061e2d1b8a9a22b0
SHA1 hash: 3d071f57add429765045b7aa61715086ac061ddd

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: eb3e1068722d345f458c5bb155a980191fc8f2e64a19b5c4ce37abef9464e774
MD5 hash: 0f73fb85fc530a167ae1568efcd7292c
SHA1 hash: 022f04d62189da1a0450a99a462756521eb266cb

SHA256 hash: 15ab3b4aa3010f333724edee821ee1df200b634aad5c475e687bebe03bd14efa
MD5 hash: c11fdabf99c9ff2b582321b74dc43c7f
SHA1 hash: 8d3da08ccece5a8deaa6173680ad1379f4bb860a

SHA256 hash: 5af8bf1135c5cf182f388048ff78b4d3addcecbb51452d212327de2daf06ac84
MD5 hash: ce72b7914155b66dda4b53ec9ea78f7c
SHA1 hash: f6dc26a8b6f9bd471f303341b070bbfe0ddd528b

SHA256 hash: b9d617be990ebee7c41462ad23759bac6931cbf69c613640c4de7318dde4ef16
MD5 hash: bfa872b77185fc1c4e5a9bd584d6df96
SHA1 hash: 92843b46dfc65df58706048a1d646a55b2e79527

SHA256 hash: aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
MD5 hash: e69948a6953a77464e92ac44fe945242
SHA1 hash: d0b1569b0ca632defc74a6320658c0c1481f3ee1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments