MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0
SHA3-384 hash: 7d23db7b64e011b4ec36ab92ae923a7a2372a491cee41dd4283484e65a59f71e13967fd73311142cbb0dec31ca93da23
SHA1 hash: 242e12edbe1a9fd6ba663099c1432df12b9a2064
MD5 hash: f7cded298cdf3671d5be20511ca4fcb1
humanhash: two-illinois-leopard-yellow
File name:F7CDED298CDF3671D5BE20511CA4FCB1.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:1'186'304 bytes
First seen:2021-08-01 17:20:16 UTC
Last seen:2021-08-01 17:34:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b1a0cc0d6c71b1f1abf86a8693fc16e (1 x ClipBanker, 1 x DiamondFox, 1 x RedLineStealer)
ssdeep 24576:Jq5mFG/nW3aTDtFj3RbjBN9fmuyXtw/4TL2lDNY/to4:45fuKT7jxj9foTylD2o4
Threatray 260 similar samples on MalwareBazaar
TLSH T1EE459E10F652D060ECE200B536A57B7A906E2C38477056EFB7C42E759B326D2BB31B5B
dhash icon f0a8bab082828292 (8 x AgentTesla, 3 x RedLineStealer, 3 x PrivateLoader)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
176.57.69.178:59510

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
176.57.69.178:59510 https://threatfox.abuse.ch/ioc/165172/

Intelligence

File Origin
# of uploads :
2
# of downloads :
619
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F7CDED298CDF3671D5BE20511CA4FCB1.exe
Verdict:
No threats detected
Analysis date:
2021-08-01 17:22:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1135101f-f88f-4775-9acb-dd00677829db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175583/
Detection(s):
SecuriteInfo.com.Variant.Zusy.395690.3833.12562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending an HTTP POST request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Deleting a recently created file
Sending a UDP request
Running batch commands
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Launching the default Windows debugger (dwwin.exe)
Searching for analyzing tools
Searching for the window
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Creating a file in the %AppData% directory
Launching a process
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5f1ee0b-2767-4239-af3d-1e2938a78a49
Result
Threat name:
Backstage Stealer Glupteba RedLine Socel
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825143
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Performs DNS TXT record lookups
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Backstage Stealer
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457555 Sample: O3h9kRdG7d.exe Startdate: 01/08/2021 Architecture: WINDOWS Score: 100 79 186.2.171.3 DDOS-GUARDCORPBZ Belize 2->79 81 zertypelil.xyz 2->81 83 18 other IPs or domains 2->83 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Antivirus detection for URL or domain 2->103 105 Antivirus detection for dropped file 2->105 107 23 other signatures 2->107 8 O3h9kRdG7d.exe 4 61 2->8         started        13 svchost.exe 1 2->13         started        15 svchost.exe 2->15         started        signatures3 process4 dnsIp5 95 www.gzsfgjj.com 8->95 97 37.0.11.9, 49741, 80 WKD-ASIE Netherlands 8->97 99 12 other IPs or domains 8->99 65 C:\Users\...\tmxgQIuoWJEVMR2ZmZuv1eNI.exe, PE32 8->65 dropped 67 C:\Users\...\qyBMo7uTi9YHJ1qNKKq5oTZZ.exe, PE32 8->67 dropped 69 C:\Users\...\mjWE5cHO47kF3raN0Lcfurzt.exe, PE32 8->69 dropped 71 39 other files (21 malicious) 8->71 dropped 129 Drops PE files to the document folder of the user 8->129 131 May check the online IP address of the machine 8->131 133 Creates HTML files with .exe extension (expired dropper behavior) 8->133 135 Disable Windows Defender real time protection (registry) 8->135 17 kRBj1F4oDRtlIlTz4YEwZaxv.exe 8->17         started        20 PXo9Z2IMRjGaZGVtN9tSPAD2.exe 8->20         started        24 hubWf03swzAEupxERKBxET56.exe 8->24         started        26 18 other processes 8->26 file6 137 Performs DNS queries to domains with low reputation 95->137 signatures7 process8 dnsIp9 41 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 17->41 dropped 43 C:\Users\user\AppData\Local\...\System.dll, PE32 17->43 dropped 45 C:\Users\user\AppData\Local\...\Dialer.dll, PE32 17->45 dropped 53 130 other files (none is malicious) 17->53 dropped 85 116.202.183.50 HETZNER-ASDE Germany 20->85 87 xeronxikxxx.tumblr.com 74.114.154.22 AUTOMATTICUS Canada 20->87 55 12 other files (none is malicious) 20->55 dropped 109 Detected unpacking (changes PE section rights) 20->109 111 Detected unpacking (overwrites its own PE header) 20->111 113 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->113 125 2 other signatures 20->125 115 Contains functionality to inject code into remote processes 24->115 117 Injects a PE file into a foreign processes 24->117 28 hubWf03swzAEupxERKBxET56.exe 24->28         started        89 77.220.213.35 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 26->89 91 95.181.179.21 NEOHOST-ASUA Russian Federation 26->91 93 16 other IPs or domains 26->93 47 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 26->47 dropped 49 C:\Program Files (x86)\...\md8_8eus.exe, PE32 26->49 dropped 51 C:\Program Files (x86)\Company\...\jooyu.exe, PE32 26->51 dropped 57 4 other files (1 malicious) 26->57 dropped 119 Query firmware table information (likely to detect VMs) 26->119 121 May check the online IP address of the machine 26->121 123 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->123 127 3 other signatures 26->127 31 11111.exe 26->31         started        33 customer3.exe 26->33         started        37 conhost.exe 26->37         started        39 6 other processes 26->39 file10 signatures11 process12 dnsIp13 139 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 28->139 141 Checks if the current machine is a virtual machine (disk enumeration) 28->141 143 Tries to harvest and steal browser information (history, passwords, etc) 31->143 73 staticimg.youtuuee.com 33->73 75 s.lletlee.com 33->75 77 ip-api.com 33->77 59 C:\Users\user\AppData\...\fastsystem2021.exe, PE32+ 33->59 dropped 61 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 33->61 dropped 63 C:\Users\user\AppData\...\aaa_v006[1].dll, DOS 33->63 dropped file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 03:00:21 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yso3fdeqtcprjbtpvjtyd7c6muy4rjr5hq7t2jc3jrgxklhf5pya._file
Verdict:
malicious
Similar samples:
08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
DiamondFox
21aad53d28c5415465bef9cd7b36d0d4708f22b57d77f7d6aca5e2de371c1bb5
DiamondFox
71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
DiamondFox
72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89
DiamondFox
88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902
DiamondFox
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
DiamondFox
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
DiamondFox
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
DiamondFox
+ 250 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:30_7_rz botnet:5k_black_hole botnet:921 botnet:937 botnet:forinstalls botnet:sel24 backdoor discovery dropper evasion infostealer loader spyware stealer suricata themida trojan upx vmprotect
Link:
https://tria.ge/reports/210801-2y76tthpb6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Download via BitsAdmin
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
Malware Config
C2 Extraction:
salkefard.xyz:80
77.220.213.35:52349
45.14.49.117:14251
zertypelil.xyz:80
https://xeronxikxxx.tumblr.com/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Unpacked files
SH256 hash:
c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0
MD5 hash:
f7cded298cdf3671d5be20511ca4fcb1
SHA1 hash:
242e12edbe1a9fd6ba663099c1432df12b9a2064
Link:
https://www.unpac.me/results/0faec622-95a9-4b35-a7a2-36186bc695ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175583/

Comments