MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7
SHA3-384 hash: 7d1c4078f74da3479a9929e64ccd91b68be928e632747c491fc45f4ab6a648182f4be07c965eda532bf155fa789cc092
SHA1 hash: dc3ac1f47fe9d06e847fcb0ddf26190add45b839
MD5 hash: 66d13537ed49e50fb83673f7632c0e5e
humanhash: california-apart-leopard-beryllium
File name:66D13537ED49E50FB83673F7632C0E5E.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:2'600'410 bytes
First seen:2021-09-07 02:41:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9gFBlMFeWIvkLRoj9xuL5daZ1MzvgQza2Mv14mkE2NHGBF2E8r1TAHzNxy8zX5FT:y3lMTrLujc5wjMzlzbAhr2hGAE8RsHHr
Threatray 135 similar samples on MalwareBazaar
TLSH T13FC533455D10C327DA9069F24791C237BEB0019A9275D14FC9FA73FA7FA26BD120B38A
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://45.142.215.237/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.237/ https://threatfox.abuse.ch/ioc/216755/

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
66D13537ED49E50FB83673F7632C0E5E.exe
Verdict:
No threats detected
Analysis date:
2021-09-07 02:42:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/16477868-da93-424f-8ca6-e4be1eaa6fc5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185782/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Connection attempt
Sending a custom TCP request
DNS request
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Sending an HTTP GET request
Sending a UDP request
Creating a file in the %AppData% directory
Deleting a recently created file
Creating a process with a hidden window
Reading critical registry keys
Using the Windows Management Instrumentation requests
Delayed reading of the file
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cd591e0-484e-4a08-90ac-9a25080af260
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846207
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478638 Sample: 8ft2Xvqgx2.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 137 104.21.84.135 CLOUDFLARENETUS United States 2->137 139 172.67.194.30 CLOUDFLARENETUS United States 2->139 141 5.230.68.37 ASGHOSTNETDE Germany 2->141 173 Multi AV Scanner detection for domain / URL 2->173 175 Antivirus detection for URL or domain 2->175 177 Multi AV Scanner detection for dropped file 2->177 179 11 other signatures 2->179 12 8ft2Xvqgx2.exe 10 2->12         started        signatures3 process4 file5 113 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->113 dropped 15 setup_installer.exe 15 12->15         started        process6 file7 115 C:\Users\user\AppData\...\setup_install.exe, PE32 15->115 dropped 117 C:\Users\user\AppData\...\Fri12e21d8598.exe, PE32 15->117 dropped 119 C:\Users\user\AppData\...\Fri12a1855208d3.exe, PE32 15->119 dropped 121 10 other files (2 malicious) 15->121 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 143 8.8.8.8 GOOGLEUS United States 18->143 145 127.0.0.1 unknown unknown 18->145 181 Adds a directory exclusion to Windows Defender 18->181 22 cmd.exe 18->22         started        24 cmd.exe 1 18->24         started        26 cmd.exe 1 18->26         started        28 8 other processes 18->28 signatures10 process11 dnsIp12 32 Fri1229966ae2.exe 22->32         started        37 Fri12a1855208d3.exe 24->37         started        39 Fri1269b50f53f6d35.exe 15 7 26->39         started        155 20.189.173.20 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->155 183 Adds a directory exclusion to Windows Defender 28->183 41 Fri12e21d8598.exe 28->41         started        43 Fri12716cec7fe.exe 28->43         started        45 Fri12c29e55e121906.exe 2 28->45         started        47 2 other processes 28->47 signatures13 process14 dnsIp15 123 37.0.10.214 WKD-ASIE Netherlands 32->123 125 185.183.96.3 HSAE Netherlands 32->125 135 9 other IPs or domains 32->135 75 C:\Users\...\zsxHVmVUl6SnjRn0QnSDIk0d.exe, PE32 32->75 dropped 77 C:\Users\...\zocWgkFIl3itjN51ELs_TXEF.exe, PE32 32->77 dropped 79 C:\Users\...\v2QHQpgC9grU2czf83HiYkAW.exe, PE32 32->79 dropped 91 61 other files (44 malicious) 32->91 dropped 157 Drops PE files to the document folder of the user 32->157 159 Tries to harvest and steal browser information (history, passwords, etc) 32->159 161 Disable Windows Defender real time protection (registry) 32->161 163 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->163 165 Maps a DLL or memory area into another process 37->165 167 Checks if the current machine is a virtual machine (disk enumeration) 37->167 49 explorer.exe 37->49 injected 127 88.99.66.31 HETZNER-ASDE Germany 39->127 129 172.67.195.219 CLOUDFLARENETUS United States 39->129 81 C:\Users\user\AppData\Roaming\8688070.exe, PE32 39->81 dropped 83 C:\Users\user\AppData\Roaming\6106766.exe, PE32 39->83 dropped 85 C:\Users\user\AppData\Roaming\4081631.exe, PE32 39->85 dropped 169 Detected unpacking (changes PE section rights) 39->169 51 8688070.exe 39->51         started        54 4081631.exe 39->54         started        171 Creates processes via WMI 41->171 56 Fri12e21d8598.exe 41->56         started        131 162.159.129.233 CLOUDFLARENETUS United States 43->131 133 192.168.2.1 unknown unknown 43->133 87 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 43->87 dropped 59 LzmwAqmV.exe 43->59         started        89 C:\Users\user\...\Fri12c29e55e121906.tmp, PE32 45->89 dropped 61 Fri12c29e55e121906.tmp 45->61         started        63 WerFault.exe 47->63         started        file16 signatures17 process18 dnsIp19 93 C:\Users\user\AppData\...\WinHoster.exe, PE32 51->93 dropped 147 104.21.79.144 CLOUDFLARENETUS United States 56->147 95 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 56->95 dropped 65 conhost.exe 56->65         started        97 C:\Users\user\AppData\Local\...\setup_2.exe, PE32 59->97 dropped 99 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 59->99 dropped 101 C:\Users\user\AppData\Local\Temp\jhuuee.exe, PE32+ 59->101 dropped 107 6 other files (none is malicious) 59->107 dropped 67 Chrome 5.exe 59->67         started        70 PublicDwlBrowser1100.exe 59->70         started        149 162.0.213.132 ACPCA Canada 61->149 103 C:\Users\user\AppData\Local\...\zab2our.exe, PE32 61->103 dropped 105 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 61->105 dropped 109 2 other files (none is malicious) 61->109 dropped 72 zab2our.exe 61->72         started        file20 process21 dnsIp22 111 C:\Users\user\AppData\...\services64.exe, PE32+ 67->111 dropped 151 173.222.108.226 AKAMAI-ASN1EU United States 72->151 153 162.0.210.44 ACPCA Canada 72->153 file23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-03 23:38:41 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7nqnymsmaih6ruigtkwah37ffokqkzrszv6jd4fmai5tw5b6w3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0fc23c2e005cdfed1a0380dd7a06dda83b882f8d392c7f157b783822d21d78a1
DiamondFox
15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559
DiamondFox
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
DiamondFox
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
DiamondFox
44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0
DiamondFox
6ac8f87ce26a0a9ad330c8b42342b6891d12df43be535f9c487855182a39aa1f
DiamondFox
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
DiamondFox
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
DiamondFox
+ 125 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:706 botnet:pub aspackv2 backdoor infostealer stealer suricata trojan
Link:
https://tria.ge/reports/210907-c62qhsehcj/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
193.56.146.78:51487
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
e198edcb4ef8222caaeaf8895ef247133b5a972960f7f77c5c2cefa4e5a07888
MD5 hash:
b07c598589308a5c5baf11bea2a0c78b
SHA1 hash:
00f3d36fe9abefd9fa011c21fd35840e2488c93d
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
36d36bf735b2ab1079c6ca72d24f1491d47c122804046f1c7f86f544d09b01cc
MD5 hash:
71cf2841f2e39282e1051510082c4b35
SHA1 hash:
b67839763b177433c86ff9eaaa703c5607d3a843
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
Parent samples :
baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7
d0ed9b5279618e628f62a80cd1abdd208bdd3899cb6865b51591478ca03e46c6
5774f205b3abcd5adc225b26b5ce546c2e7eb3490d03aa13c15234370dc42e27
cd7445464e18fd8260e6a924e0795c9b09696eb2dbc7dd9f62794b6530ecca9d
SH256 hash:
344e0a7168d5919ef733159a0ee58481d8f62feac33a5af49be2ace0d66a850c
MD5 hash:
ba431fef742b97b7937f155c7dc16b09
SHA1 hash:
ecc1a667f16b7c7f852e0b2014bc824d667a7188
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
cfa16bc4a2542abc5fa86cff613ba98f4423e8b41a935a9e614281fb46c85a38
MD5 hash:
6c7b5a0e183f6e35c9b3f43f83027c45
SHA1 hash:
d766108ec47e141900d2769ed38081ac96dce4f5
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
b4b8f4e14f170c0b54f903abd64cd870ec0dc662d51df65179a5e83ecf950acf
MD5 hash:
0d828fae2159455fb154112a28d403a3
SHA1 hash:
d64930f5490b6972ac89b166f82446b7dfc382b3
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8
MD5 hash:
51894ed4e7fec456b08027e2e6620386
SHA1 hash:
bbffdd90f9a5644086006734e03c15ac28db1ae9
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
b9ae73b5bbafa9c4907ea6f783bd52bb1446b0d19ff26174b9453f467e4dbf70
MD5 hash:
87e9dd59201739365b2d3dd4a884aa35
SHA1 hash:
a05af00715244236db008731c1e7e1a515cfa776
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
dd216eff181eba613bad8be71b179cc7bb7cdd8de4fbe35f378b702c7ae49c22
MD5 hash:
f3dd9ae9948b5484306fe79fa871bb93
SHA1 hash:
9bd9fd2b0c0d36cce53a3784007cae9f7b96b076
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
db1b60551c1cbb502a518467371b7b9a9968974b082735ad25394f03fbe88e1d
MD5 hash:
f411faf1583e612aee0b2775800110b4
SHA1 hash:
7071fc867d3916633fca3f8ae2eea37d82e72346
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
9dc77ea1abd72256c2cf906cf433610f48661779a1416b8546d4f9af09f26a5a
MD5 hash:
14d77d404de21055cfaa98fd20623c72
SHA1 hash:
0f32b94e597b1a42e0f5ba36fc8b25c1ee0ef21b
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
26c10da13313eaec5dcd1c109271918006b8232cd318a20d1e07ea5d0272bba4
MD5 hash:
43c06b10de6663d436c7af9dd1c90901
SHA1 hash:
85815665797e5d1c666f9c3f80c3ba17026c4848
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
f30b1ec43a98258722b0ecd90a4d22bd1dc595d60cbc660dc86eafa5006d0bba
MD5 hash:
9252c8562e8383e30671404af16e61cb
SHA1 hash:
6205bb639cc68266e3f13af951a3b838ff7e9762
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
010fc1840c9df3635afe6d872deb95cf6ee370500bfc512fe4a3f6b5869336eb
MD5 hash:
02d2591b8aea73e5266dbe24f15f744e
SHA1 hash:
d81503ebb749704a5ccc77823a44aac0c0c74d6b
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
bc804862f2d115bf760e6ec38dada45e66765cafae52728aa4e1e347044d1900
MD5 hash:
2b8975f4dd44e031f0b803a3076643b2
SHA1 hash:
088340db7ab3759d2d6e5aeb62d0e36d39a1033d
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
SH256 hash:
bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7
MD5 hash:
66d13537ed49e50fb83673f7632c0e5e
SHA1 hash:
dc3ac1f47fe9d06e847fcb0ddf26190add45b839
Link:
https://www.unpac.me/results/a5a1e27e-cf10-4aae-b928-9dacb50c9818/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bfdb06e19260/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185782/

Comments