MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox
Vendor detections: 11


SHA256 hash: baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
SHA3-384 hash: 1e5237b81d3235fd1bd4388d3c115843631686e1615daacb12df1f2979bb10712f42e1752dfba2246b2dae6b1b8f5a15
SHA1 hash: d318d234f8f27f25de660d9881113df9d11c24ff
MD5 hash: e3b3a95ef03de0de77cca7a54ea22c94
humanhash: eleven-black-bacon-table
File name: setup_x86_x64_install.exe
Signature: DiamondFox
File size: 2'300'968 bytes
First seen: 2021-09-03 20:42:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 49152:9gFjE2KdbN1Mr7egOThhHP8Hw6RWemieudKc62LFJXck2lMvXImAt:yFjEndbmg9BWW0hKc62LFJX/2s4mAt
Threatray: 490 similar samples on MalwareBazaar
TLSH: T188B53304D9A20E5FC232DDF06E216D12CDEDD420032663AD7F5C1B2764471BEA5AFBA6
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: DiamondFox exe Loader RedLineStealer SmokeLoader vidar

Intelligence


File Origin
# of uploads: 1
# of downloads: 304
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-09-03 20:31:49 UTC
Tags: trojan rat redline evasion stealer loader opendir vidar raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Sending a UDP request
Searching for the window
Connection attempt
DNS request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Result
Threat name: RedLine SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
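Two things in this entry are worth reproducing locally before trusting the database fields: the digests at the top of the page (so a file pulled from elsewhere can be matched to this entry without relying on file names; note that the imphash is shared with 141 RedLineStealer, 101 GuLoader and 64 DiamondFox samples, which points to a common packer stub rather than a family marker, so it pivots to the loader, not the payload), and the three static section-table signatures above ("PE file has a writeable .text section", "PE file has nameless sections", "PE file contains section with special chars"). The following is an added example, not MalwareBazaar's or any sandbox vendor's code. It uses only the Python standard library; the PE it builds in build_sample_pe() is a constructed header-only file that trips all three checks, not the real sample, whose bytes are not on this page. The digests in PAGE_DIGESTS are copied from the entry.

```python
"""Verify a file against the digests in this MalwareBazaar entry and reproduce
three static PE section-table checks. Added example; not the page's own code."""
import hashlib
import struct
import sys

# Digests copied from the entry above; the sample bytes themselves are not included.
PAGE_DIGESTS = {
    "sha256": "baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15",
    "sha1": "d318d234f8f27f25de660d9881113df9d11c24ff",
    "md5": "e3b3a95ef03de0de77cca7a54ea22c94",
}

# IMAGE_SECTION_HEADER.Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def digests(data: bytes) -> dict:
    """Same algorithms the entry lists (humanhash, a third-party encoding of the
    SHA256, is not reproduced here)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify(data: bytes, expected: dict) -> bool:
    """True only if every digest named in `expected` matches `data`."""
    actual = digests(data)
    return all(actual.get(k) == v.lower() for k, v in expected.items())


def pe_sections(data: bytes) -> list:
    """Parse the COFF section table; returns [(raw_name, characteristics)].
    Raises ValueError on non-PE or truncated input instead of guessing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    if coff + 20 > len(data):
        raise ValueError("COFF header truncated")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt             # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def is_pe(data: bytes) -> bool:
    try:
        pe_sections(data)
        return True
    except ValueError:
        return False


def section_findings(data: bytes) -> list:
    """Static anomalies that packers such as ASPack leave in the section table."""
    findings = set()
    for name, flags in pe_sections(data):
        if name == b"":
            findings.add("nameless section")
        elif not all(0x21 <= b < 0x7F for b in name):
            findings.add("section with special chars: %r" % name)
        if name == b".text" and flags & IMAGE_SCN_MEM_WRITE:
            findings.add("writeable .text section")
    return sorted(findings)


def _section(name: bytes, characteristics: int) -> bytes:
    """One IMAGE_SECTION_HEADER with the size/offset fields zeroed."""
    return name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", characteristics)


def build_sample_pe() -> bytes:
    """Constructed header-only PE (not the real sample): no optional header and
    three sections that together trip all three checks."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0, 0x0102)  # i386, 3 sections
    sections = (
        _section(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)
        + _section(b"", IMAGE_SCN_MEM_EXECUTE)
        + _section(b".\x01\xffx", IMAGE_SCN_MEM_WRITE)
    )
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("matches entry digests:", verify(blob, PAGE_DIGESTS))
    print("section findings:", section_findings(blob) if is_pe(blob) else "not a PE file")
```

Run it with a path to a file to check that file against the entry; with no argument it checks the constructed header, which of course does not match the entry's digests but does report all three section anomalies. A writeable .text section is how an ASPack-style stub unpacks in place, which is also why the dynamic signature "Detected unpacking (changes PE section rights)" fires on several of the dropped files.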
Behaviour
Behavior Graph ID: 477499; Sample: setup_x86_x64_install.exe; Startdate: 03/09/2021; Architecture: WINDOWS; Score: 100

Process tree, dropped files and network contacts, as read from the graph (elided paths are elided on the page too):

setup_x86_x64_install.exe
  network: 104.21.34.192 CLOUDFLARENETUS United States; 5.230.68.37 ASGHOSTNETDE Germany
  signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 12 other signatures
  drops: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  +- setup_installer.exe
       drops: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Fri15af75ee9b.exe (PE32); C:\Users\user\...\Fri156ec98815f89c.exe (PE32); 9 other files (2 malicious)
       +- setup_install.exe
            network: 8.8.8.8 GOOGLEUS United States; 172.67.142.91 CLOUDFLARENETUS United States; 127.0.0.1
            signatures: Adds a directory exclusion to Windows Defender
            +- cmd.exe -> Fri15af75ee9b.exe
                 signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
                 +- explorer.exe (injected)
                      drops: C:\Users\user\AppData\Roaming\wiuwvrc (PE32)
                      signatures: Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
            +- cmd.exe -> Fri1553f0ee90.exe
                 network: 162.159.134.233 CLOUDFLARENETUS United States
                 drops: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
                 +- LzmwAqmV.exe
                      drops: C:\Users\user\...\PublicDwlBrowser1100.exe (PE32); C:\Users\user\AppData\Local\Temp\2.exe (PE32); C:\Users\user\AppData\Local\...\setup_2.exe (PE32); 6 other files (none is malicious)
                      +- 2.exe
                           network: 172.67.187.120 CLOUDFLARENETUS United States; 172.67.194.30 CLOUDFLARENETUS United States
                           signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                      +- PublicDwlBrowser1100.exe
                           network: 104.21.41.27 CLOUDFLARENETUS United States
                           drops: C:\Users\user\AppData\Roaming\8764997.exe (PE32); C:\Users\user\AppData\Roaming\8076308.exe (PE32); C:\Users\user\AppData\Roaming\3478821.exe (PE32); 2 other files (none is malicious)
                           signatures: Detected unpacking (changes PE section rights)
                      +- Chrome 5.exe
                           drops: C:\Users\user\AppData\...\services64.exe (PE32+)
            +- cmd.exe -> Fri157e25afd971.exe
                 drops: C:\Users\user\AppData\...\Fri157e25afd971.tmp (PE32)
                 +- Fri157e25afd971.tmp
                      network: 162.0.213.132 ACPCA Canada
                      drops: C:\Users\user\AppData\Local\...\zab2our.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); 2 other files (none is malicious)
                      +- zab2our.exe
                           network: 173.222.108.226 AKAMAI-ASN1EU United States; 162.0.210.44 ACPCA Canada; 162.0.220.187 ACPCA Canada
                           drops: C:\Users\user\AppData\...\Casinajitu.exe (PE32); C:\Program Files (x86)\...\Cyshacacaegy.exe (PE32); C:\Users\user\...\Casinajitu.exe.config (XML); 3 other files (1 malicious)
                           signatures: Creates multiple autostart registry keys
            +- 6 other processes (signatures: Adds a directory exclusion to Windows Defender), which start:
                 +- Fri155442fc38b.exe
                      network: 88.99.66.31 HETZNER-ASDE Germany; 172.67.141.201 CLOUDFLARENETUS United States; 192.168.2.1
                      drops: C:\Users\user\AppData\Roaming\6387874.exe, 2906739.exe, 8306904.exe, 6894157.exe (all PE32)
                      +- 6387874.exe: drops C:\Users\user\AppData\...\WinHoster.exe (PE32); Creates multiple autostart registry keys
                      +- 2906739.exe: Detected unpacking (changes PE section rights); starts conhost.exe
                      +- 8306904.exe: network 104.21.24.17 CLOUDFLARENETUS United States
                 +- Fri1544861ac3fe6a.exe
                      network: 49.12.198.69 HETZNER-ASDE Germany; 74.114.154.18 AUTOMATTICUS Canada
                      drops: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 11 other files (none is malicious)
                      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
                      +- WerFault.exe
                 +- Fri156ec98815f89c.exe
                      network: 172.67.146.70 CLOUDFLARENETUS United States
                      drops: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
                      signatures: Creates processes via WMI
                 +- powershell.exe
Threat name: Win32.Trojan.Chapak
Status: Malicious
First seen: 2021-09-03 20:43:06 UTC
AV detection: 25 of 43 (58.14%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:vidar botnet:706 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
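The sandbox signatures above ("Adds a directory exclusion to Windows Defender", "Sigma detected: Powershell Defender Exclusion", "Sigma detected: Suspicious Script Execution From Temp Folder", "Benign windows process drops PE files", "Adds Run key to start application") and the C2 list directly above are the behaviours a defender would want to catch on a live host. The following is an added example, not MalwareBazaar's, ANY.RUN's, Joe Sandbox's or the Sigma project's code: a small detector for those five behaviours run over constructed Sysmon-style events that follow the process tree in the behaviour graph. The event schema (type, pid, ppid, image, cmdline, key, value, path, magic, query) is this example's own, the rule names only echo the Sigma titles on the page and are simplified relative to the real rules, and the C2 hostnames are taken verbatim from the list above.

```python
"""Detection logic for the behaviours reported in this entry, run over
constructed telemetry. Added example; not the page's own code."""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as listed under "Malware Config" in this entry.
C2_URLS = [
    "https://romkaxarit.tumblr.com/",
    "http://varmisende.com/upload/",
    "http://fernandomayol.com/upload/",
    "http://nextlytm.com/upload/",
    "http://people4jan.com/upload/",
    "http://asfaltwerk.com/upload/",
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\b|\\Windows\\Temp\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)


def c2_hosts(urls) -> set:
    """Hostnames to match against DNS telemetry. tumblr.com is shared hosting, so
    that one is only meaningful together with the /romkaxarit path."""
    return {urlsplit(u).hostname.lower() for u in urls}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int, limit: int = 16) -> list:
    """Walk ppid links back towards the root; stops at unknown pids or a loop."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return one alert per matching event: {rule, pid, chain, detail}."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hosts = c2_hosts(C2_URLS)
    alerts = []

    def alert(rule, e, detail):
        chain = " <- ".join(ancestry(procs, e["pid"])) or basename(e.get("image", ""))
        alerts.append({"rule": rule, "pid": e["pid"], "chain": chain, "detail": detail})

    for e in events:
        t = e["type"]
        if t == "process":
            img = basename(e["image"])
            if img in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION.search(e["cmdline"]):
                alert("Powershell Defender Exclusion", e, e["cmdline"])
            if img in SCRIPT_HOSTS and TEMP_PATH.search(e["cmdline"]):
                alert("Suspicious Script Execution From Temp Folder", e, e["cmdline"])
        elif t == "registry" and RUN_KEY.search(e["key"]):
            alert("Autostart Run key", e, e["key"] + " = " + e["value"])
        elif t == "file" and basename(e["image"]) == "explorer.exe" and e["magic"][:2] == b"MZ":
            alert("Benign windows process drops PE file", e, e["path"])
        elif t == "dns" and e["query"].lower().rstrip(".") in hosts:
            alert("DNS query for known C2 host", e, e["query"])
    return alerts


# Constructed events (not real telemetry) following the process tree in the graph above.
T = r"C:\Users\user\AppData\Local\Temp"
EVENTS = [
    {"type": "process", "pid": 12, "ppid": 2, "image": r"C:\Users\user\Desktop\setup_x86_x64_install.exe", "cmdline": "setup_x86_x64_install.exe"},
    {"type": "process", "pid": 15, "ppid": 12, "image": T + r"\setup_installer.exe", "cmdline": "setup_installer.exe"},
    {"type": "process", "pid": 18, "ppid": 15, "image": T + r"\setup_install.exe", "cmdline": "setup_install.exe"},
    {"type": "process", "pid": 46, "ppid": 18, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionPath "%s"' % T},
    {"type": "process", "pid": 22, "ppid": 18, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c " + T + r"\Fri15af75ee9b.exe"},
    {"type": "process", "pid": 99, "ppid": 18, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c ver"},  # benign control
    {"type": "process", "pid": 40, "ppid": 18, "image": T + r"\Fri155442fc38b.exe", "cmdline": "Fri155442fc38b.exe"},
    {"type": "process", "pid": 57, "ppid": 40, "image": r"C:\Users\user\AppData\Roaming\6387874.exe", "cmdline": "6387874.exe"},
    {"type": "registry", "pid": 57, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": r"C:\Users\user\AppData\Roaming\WinHoster.exe"},
    {"type": "file", "pid": 48, "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\user\AppData\Roaming\wiuwvrc", "magic": b"MZ\x90\x00"},
    {"type": "file", "pid": 48, "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\user\Desktop\notes.txt", "magic": b"hell"},
    {"type": "dns", "pid": 44, "image": T + r"\Fri156ec98815f89c.exe", "query": "varmisende.com"},
    {"type": "dns", "pid": 44, "image": T + r"\Fri156ec98815f89c.exe", "query": "dns.msftncsi.com"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print("%-45s pid=%-3d %s\n    %s" % (a["rule"], a["pid"], a["chain"], a["detail"]))
```

On the constructed events this yields six alerts: the powershell.exe process trips both the Defender-exclusion rule and the Temp-folder rule (the excluded directory is itself under Temp), the cmd.exe that launches Fri15af75ee9b.exe trips the Temp-folder rule, and the Run key, the MZ file written by explorer.exe and the varmisende.com lookup each produce one. The parent chain printed with each alert is what makes triage fast here: every hit traces back to setup_x86_x64_install.exe, which is the pivot point for containment rather than the individual dropped names, all of which are randomised.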
Unpacked files
SHA256 hash: d8cca96f5b275fc804d4add45e34b4c850df4359e6cff5f5f66370910a11f14d
MD5 hash: 185f2d0dc8ecd1cee598b3697c270c25
SHA1 hash: e79f8bacbc68cb4070ec0ca63b3228947fd954eb

SHA256 hash: 1fdb7f999c9c2056bfae626ac3624d12c52bc06a33fe03cc2910f250d95e350a
MD5 hash: 5624d547aedcd0a4b0b946970248e969
SHA1 hash: c114ed589766c17faba216f86e743b12db6fac4c

SHA256 hash: 606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8
MD5 hash: 51894ed4e7fec456b08027e2e6620386
SHA1 hash: bbffdd90f9a5644086006734e03c15ac28db1ae9

SHA256 hash: 7f9b4e452737d82e4a4a3c4da2543efec87a52494cb0d6cb7f732ac408b904f1
MD5 hash: 8496de91697c5143b6f2e478b0e9afe4
SHA1 hash: 8c4e97d940ba3ddc750af2cd44fac66107df0500

SHA256 hash: 5948677b13e0254c5840216f73d379fe7ed0685f5b08e02431a64ddf9fd47023
MD5 hash: eeaa21ff6157096f720d925e23127406
SHA1 hash: 663362c4fa852d24f58276da8cd495835e0fb2df

SHA256 hash: 3ea9787afb96d55123f95d8b21d0235eb7003290788a0b34f32b229e4d44f19c
MD5 hash: d7c96feec71ad9fb3d6bacae23034250
SHA1 hash: 454fa54321c32cdc636ec60a960a4cb8b2d4b312

SHA256 hash: 9dc77ea1abd72256c2cf906cf433610f48661779a1416b8546d4f9af09f26a5a
MD5 hash: 14d77d404de21055cfaa98fd20623c72
SHA1 hash: 0f32b94e597b1a42e0f5ba36fc8b25c1ee0ef21b

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: e198edcb4ef8222caaeaf8895ef247133b5a972960f7f77c5c2cefa4e5a07888
MD5 hash: b07c598589308a5c5baf11bea2a0c78b
SHA1 hash: 00f3d36fe9abefd9fa011c21fd35840e2488c93d

SHA256 hash: 1439b467265d475f2e98dd8fcd26c02d7274b827165376b413f808a8f2b35055
MD5 hash: 6db3977d4835787d6ace452f19718422
SHA1 hash: 202f3d7f7b00c5a66b03074e34d0ec6a1ed10b82

SHA256 hash: 9a5c3023c2a83237ae23d36c90246e3ddbf8cc8df64e36d19ecfa3264c6e5f0a
MD5 hash: 28a4cd2fb512201a3f91fda4b8a40d29
SHA1 hash: 3257d4a9e942b95775a92b5a798d0ca0015d03d1

SHA256 hash: b9445ee96da441ab39e0c6a6797147eb34a13983933bf2052b66033f6b1b27e6
MD5 hash: ee91a0a52bc880d19ebdfe5896790c60
SHA1 hash: c5601806b8968f47479e638af9fe5b149d7b617b

SHA256 hash: baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15 (the submitted sample itself)
MD5 hash: e3b3a95ef03de0de77cca7a54ea22c94
SHA1 hash: d318d234f8f27f25de660d9881113df9d11c24ff
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments