MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 10


Intelligence 10 IOCs 4 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
SHA3-384 hash: 72271aa24262ecb980b0005257b9fe7f519c6dd4d6855f0feeb49f73c493610eb02f2b4d14fef23c68bb05a2f4be469d
SHA1 hash: 7b707ac1bfcc7bdd5439c606af91a5dc5a499493
MD5 hash: cceff411feab78a02a22744e2eae9ab8
humanhash: colorado-green-pasta-indigo
File name:CCEFF411FEAB78A02A22744E2EAE9AB8.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:4'087'904 bytes
First seen:2021-08-13 07:56:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yLKnNSD/lKELv/i+b0kdcldi1culG9hOAsXl6Ctf9I0ineqI01YO:yB/Q0HFXdczrulG9hO7XBS0inH1YO
Threatray 309 similar samples on MalwareBazaar
TLSH T1B416330C10E01550F98366784F6AD6BED1F17BB406EBB5ED43181A5EB624F870E2EA73
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://ggc-partners.info/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ggc-partners.info/decision.php https://threatfox.abuse.ch/ioc/184302/
185.53.46.25:18856 https://threatfox.abuse.ch/ioc/184311/
65.21.228.92:46802 https://threatfox.abuse.ch/ioc/184313/
http://45.67.231.40/ https://threatfox.abuse.ch/ioc/184315/

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178872/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Deleting a recently created file
Creating a process with a hidden window
Creating a window
Connection attempt to an infection source
Reading critical registry keys
Sending an HTTP POST request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d0febe6-cbab-4b74-9ba5-975191523942
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832217
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 464648 Sample: 8I22f8uZ81.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 80 pruders.info 2->80 82 116.203.127.162, 49773, 80 HETZNER-ASDE Germany 2->82 84 15 other IPs or domains 2->84 116 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->116 118 Antivirus detection for URL or domain 2->118 120 Antivirus detection for dropped file 2->120 124 14 other signatures 2->124 10 8I22f8uZ81.exe 10 2->10         started        13 svchost.exe 1 2->13         started        signatures3 122 Performs DNS queries to domains with low reputation 80->122 process4 file5 70 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->70 dropped 15 setup_installer.exe 8 10->15         started        process6 file7 72 C:\Users\user\AppData\...\setup_install.exe, PE32 15->72 dropped 74 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 15->74 dropped 76 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 15->76 dropped 78 3 other files (none is malicious) 15->78 dropped 18 setup_install.exe 10 15->18         started        process8 dnsIp9 86 watira.xyz 104.21.47.76, 49734, 80 CLOUDFLARENETUS United States 18->86 88 127.0.0.1 unknown unknown 18->88 62 C:\Users\user\AppData\...\d55cc0d45c3a05.exe, PE32 18->62 dropped 64 C:\Users\user\AppData\...\caa4baaf544.exe, PE32 18->64 dropped 66 C:\Users\user\AppData\...\c0f099be1ace2.exe, PE32 18->66 dropped 68 6 other files (4 malicious) 18->68 dropped 126 Performs DNS queries to domains with low reputation 18->126 23 cmd.exe 18->23         started        25 cmd.exe 1 18->25         started        27 cmd.exe 1 18->27         started        29 4 other processes 18->29 file10 signatures11 process12 process13 31 d55cc0d45c3a05.exe 23->31         started        36 caa4baaf544.exe 14 5 25->36         started        38 24ebc9ce784c63.exe 27->38         started        40 6f1aa71747b4a291.exe 14 8 29->40         started        42 c0f099be1ace2.exe 4 29->42         started        dnsIp14 90 37.0.10.236, 49738, 80 WKD-ASIE Netherlands 31->90 92 37.0.11.8, 49742, 49743, 80 WKD-ASIE Netherlands 31->92 96 12 other IPs or domains 31->96 44 C:\Users\...\FssYOybo04okwBoVB51P09L4.exe, PE32 31->44 dropped 46 C:\Users\user\AppData\...\toolspab2[1].exe, PE32 31->46 dropped 48 C:\Users\user\AppData\Local\...\runvd[1].exe, PE32 31->48 dropped 56 33 other files (14 malicious) 31->56 dropped 104 May check the online IP address of the machine 31->104 106 Performs DNS queries to domains with low reputation 31->106 108 Tries to harvest and steal browser information (history, passwords, etc) 31->108 110 Disable Windows Defender real time protection (registry) 31->110 98 2 other IPs or domains 36->98 50 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 36->50 dropped 112 Antivirus detection for dropped file 36->112 114 Machine Learning detection for dropped file 36->114 94 ip-api.com 208.95.112.1, 49737, 80 TUT-ASUS United States 38->94 100 2 other IPs or domains 38->100 52 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 38->52 dropped 102 2 other IPs or domains 40->102 54 C:\Users\user\AppData\Roaming\8337777.exe, PE32 40->54 dropped 58 2 other files (none is malicious) 40->58 dropped 60 2 other files (none is malicious) 42->60 dropped file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3/
Threat name:
Win32.Spyware.Fbkatz
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 15:25:11 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7olzsspoxzipvryttnisvlrkmg5xgrlxx2uztssyhdf5fu2ycrq._file
Verdict:
unknown
Similar samples:
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
DiamondFox
51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3
DiamondFox
65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca
DiamondFox
82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2
DiamondFox
854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a
DiamondFox
befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec
DiamondFox
c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c
DiamondFox
+ 299 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:706 botnet:7new botnet:916 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210813-x2rtazcdkj/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
76fd57122331c7e402c7ab4a48bb9a86529641200f391241e20f31232e5f439b
MD5 hash:
922068b48ff8abb7e513a724443c1f62
SHA1 hash:
fef5db5322dae45dade837d28a2ad1aa159c74b9
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
e51763543ade893e7423ed3f589fbe73f84ee2fb41f612cbfcbf61cf6e45d471
MD5 hash:
4352aeaf791c3bc2c18c3b00f53fd6e2
SHA1 hash:
3d3a3722e9b3811bf9b1fdf00a4f290a9396630a
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
0cfeb696a1e79a5933429e77f1d32b5d95fafbbd7053955a7ade9c0de264a904
MD5 hash:
2354ad9552eb7a2b129b6397be8fdcf1
SHA1 hash:
20218e9b1dc221230e279cdc1e33e012d38a7aeb
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
MD5 hash:
13a289feeb15827860a55bbc5e5d498f
SHA1 hash:
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f
MD5 hash:
80cf471e52dcc848d81092439489f12f
SHA1 hash:
5fc33906263bbb3cbf306e69b9c5ef2260ace7e5
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash:
c0d18a829910babf695b4fdaea21a047
SHA1 hash:
236a19746fe1a1063ebe077c8a0553566f92ef0f
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34
MD5 hash:
3f9f7dfccefb41726d6b99e434155467
SHA1 hash:
f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
82c8c6672ff8b2d0202650a0c4321690ec78d14a0d97882d9387a1e643e9610e
MD5 hash:
cdede828ca4a258c82d3365245696542
SHA1 hash:
9af8fbae78bebc77f6e186bedd3e35f2e6cbd0d8
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
7e1a077a3611634c40c6822cbae5b1aa8d2ce931a0ca9fc0229d3498a0848f15
MD5 hash:
f8d4214dc7cc2a2ea9c1353752f75993
SHA1 hash:
3d47a9f6c60ac1424d0ec2e9e127d61594855634
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
f79fab9bd313296dab841a58fce9532a1693cf787e020b0d336a209ee1becb46
MD5 hash:
be30982e054b43ae3464bf4e40e15683
SHA1 hash:
1b5bd2d5499d6a4c06b5fd1506d9acc3a62364a4
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
91dd00e6d13dbbdc7eb668b0ae660374ec2deb41219f5b63895722259b703072
MD5 hash:
5a30e0fa8e77b59dd9f9b52db8fcd57e
SHA1 hash:
b614f3feed4fc9e97b45394b804a9bedc3b6fe1d
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
SH256 hash:
cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
MD5 hash:
cceff411feab78a02a22744e2eae9ab8
SHA1 hash:
7b707ac1bfcc7bdd5439c606af91a5dc5a499493
Link:
https://www.unpac.me/results/f324d17d-c0a2-4ee0-badd-54c3f4b0e630/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cfdcbcca4f75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178872/

Comments