MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA3-384 hash: 7e74dcedd4bf3d393633f5cd70a6685b15311091f7315f477b20057d018edf37619cc1efcd64da0c3f2ab3c7f5664b20
SHA1 hash: 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
MD5 hash: 8887a710e57cf4b3fe841116e9a0dfdd
humanhash: twenty-quebec-maryland-pluto
File name:8887A710E57CF4B3FE841116E9A0DFDD.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:776'061 bytes
First seen:2021-08-30 02:36:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 12288:VQi3O2g0v6m6URA3Ph7Wp1hf39Wkv8xwJC/:VQie2BChhapdUMC/
Threatray 1'398 similar samples on MalwareBazaar
TLSH T1EEF4DF36F5158032EC05AE7678568CA13BA27EE91E291006369F3F6F767F84CB914372
dhash icon c3726281ca3d99be (1 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.252/ https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-08-29 17:41:41 UTC
Tags:
trojan rat redline loader evasion stealer opendir raccoon
Link:
https://app.any.run/tasks/03fcb4ba-3525-4be3-8198-4f5c12e4a15d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183367/
Detection(s):
Win.Malware.Passteal-9853623-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Creating a process with a hidden window
Sending a UDP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Adding an access-denied ACE
Launching a process
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Sending a custom TCP request
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Modifying a system file
Running batch commands
Searching for the window
Reading critical registry keys
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Setting a single autorun event
Launching a tool to kill processes
Blocking the Windows Defender launch
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/433ca3f0-d3a5-4b36-a6f2-2bc0c6c96e0a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841209
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious values (likely registry only malware)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473640 Sample: LJSFz5iuuf.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 102 a.goatgame.co 104.21.79.144 CLOUDFLARENETUS United States 2->102 104 prda.aadg.msidentity.com 2->104 106 4 other IPs or domains 2->106 132 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->132 134 Multi AV Scanner detection for domain / URL 2->134 136 Antivirus detection for URL or domain 2->136 138 6 other signatures 2->138 11 LJSFz5iuuf.exe 2 2->11         started        14 Xajudyjycy.exe 2->14         started        signatures3 process4 dnsIp5 76 C:\Users\user\AppData\...\LJSFz5iuuf.tmp, PE32 11->76 dropped 17 LJSFz5iuuf.tmp 3 19 11->17         started        128 best-link-app.com 162.0.213.132, 49751, 80 ACPCA Canada 14->128 130 google.com 14->130 78 C:\Program Files (x86)\...\Windows Update.exe, PE32 14->78 dropped 80 C:\...\Windows Update.exe.config, XML 14->80 dropped 21 Windows Update.exe 14->21         started        file6 process7 dnsIp8 90 the-flash-man.com 66.29.142.79, 49698, 49704, 49819 ADVANTAGECOMUS United States 17->90 54 C:\Users\user\AppData\Local\...\zab2our.exe, PE32 17->54 dropped 56 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 17->56 dropped 58 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 17->58 dropped 60 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->60 dropped 23 zab2our.exe 20 20 17->23         started        92 requestimmersive.com 21->92 94 connectini.net 21->94 62 C:\Users\user\AppData\...\YTWSSDKTJE.exe, PE32 21->62 dropped 64 C:\Program Files (x86)\...\Xajudyjycy.exe, PE32 21->64 dropped file9 process10 dnsIp11 112 connectini.net 162.0.210.44, 443, 49699, 49707 ACPCA Canada 23->112 114 requestimmersive.com 162.0.220.187, 49705, 49804, 49830 ACPCA Canada 23->114 116 the-flash-man.com 23->116 68 C:\Users\user\AppData\...\Rafaekehalae.exe, PE32 23->68 dropped 70 C:\...\Xajudyjycy.exe.config, XML 23->70 dropped 72 C:\Users\user\AppData\...behaviorgraphylonydeda.exe, PE32 23->72 dropped 74 C:\Program Files\...\ultramediaburner.exe, PE32 23->74 dropped 140 Creates autostart registry keys with suspicious values (likely registry only malware) 23->140 28 Rafaekehalae.exe 23->28         started        32 Gylonydeda.exe 14 5 23->32         started        34 ultramediaburner.exe 2 23->34         started        file12 signatures13 process14 dnsIp15 118 fsstoragecloudservice.com 111.90.156.46 VERDINABZ Malaysia 28->118 120 iplogger.org 88.99.66.31 HETZNER-ASDE Germany 28->120 126 8 other IPs or domains 28->126 142 Multi AV Scanner detection for dropped file 28->142 122 www.google.com 142.250.186.132, 443, 49706, 49792 GOOGLEUS United States 32->122 124 connectini.net 32->124 37 chrome.exe 32->37         started        40 chrome.exe 32->40         started        42 chrome.exe 32->42         started        47 6 other processes 32->47 66 C:\Users\user\...\ultramediaburner.tmp, PE32 34->66 dropped 44 ultramediaburner.tmp 27 18 34->44         started        file16 signatures17 process18 dnsIp19 108 192.168.2.1 unknown unknown 37->108 110 239.255.255.250 unknown Reserved 37->110 49 chrome.exe 37->49         started        82 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 44->82 dropped 84 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 44->84 dropped 86 C:\...\unins000.exe (copy), PE32 44->86 dropped 88 3 other files (none is malicious) 44->88 dropped 52 UltraMediaBurner.exe 44->52         started        file20 process21 dnsIp22 96 mc.yandex.ru 93.158.134.119, 443, 49729, 49759 YANDEXRU Russian Federation 49->96 98 spdc-global.pbp.gysm.yahoodns.net 212.82.100.181, 443, 49791 YAHOO-IRDGB United Kingdom 49->98 100 89 other IPs or domains 49->100
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-27 01:14:00 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bc3jioj6zsaqfhw4omqhypqh4wh6hr3huog3pyhuqexgjsv572a._file
Verdict:
suspicious
Similar samples:
3b3af3c0c0ccff93c1f62d0e00a25e76b856392c604e209f93e987a7a913a727
DiamondFox
4d04f5f44c21f9ccda28433bddea30ce2fba7a548d7d40a46332e0d2b70079d0
DiamondFox
5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb
DiamondFox
5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96
DiamondFox
6647ec66a0bc49efe7b873499aeb5feb9abe8c18e0ab078e40d6eb7f00654244
DiamondFox
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
DiamondFox
9bb77fb3b462b7b52694f0326b83b4f0f47969240e296129cd23da3b2fe98fb0
DiamondFox
9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e
DiamondFox
f06e544f16fabf2d2755185ac267926cc300e142feb2e3b987fa403f6202c860
DiamondFox
f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
DiamondFox
+ 1'388 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:redline family:socelars botnet:292.08 botnet:norman discovery evasion infostealer persistence stealer themida
Link:
https://tria.ge/reports/210830-s9b552n5a2/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Malware Config
C2 Extraction:
45.14.49.184:25321
95.181.152.47:15089
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/c667e8ed-9bda-42fc-b5ee-ded0fc393879/
SH256 hash:
4b672a0eb1b299ec8ef381f1e8912c80122eaa9f922627c7d7df5be74beaef7e
MD5 hash:
8cfc4f1ee70573cf0ad5cf65de7c5f6e
SHA1 hash:
7f3bc915576b56a01479df81b19386a62de4fe37
Link:
https://www.unpac.me/results/c667e8ed-9bda-42fc-b5ee-ded0fc393879/
SH256 hash:
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
MD5 hash:
8887a710e57cf4b3fe841116e9a0dfdd
SHA1 hash:
8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
Link:
https://www.unpac.me/results/c667e8ed-9bda-42fc-b5ee-ded0fc393879/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183367/

Comments