MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiamondFox

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9
SHA3-384 hash:	0b684d7d952d386775e8d6eaf3b696ee8d9bf395051782a3c56f2108330752f67ddf3f739d5ac6a2aa13f8ac1a9d7d5b
SHA1 hash:	01bbb437ad2fe657624988076fc078084205b170
MD5 hash:	aad837c26c32c147e23e49abac741d0b
humanhash:	robin-lake-queen-uncle
File name:	aad837c26c32c147e23e49abac741d0b.exe
Download:	download sample
Signature	DiamondFox Create hunting rule
File size:	3'504'783 bytes
First seen:	2021-08-14 10:26:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:yT2BTGbKnq/c2JBNGgDW7UPc1gOv9ApdY9yXRisu:yaBpnE5GMW7UPqvip29D
Threatray	329 similar samples on MalwareBazaar
TLSH	T134F533989354E97ECD1F737528F0387C217DA232028A67F219E42F9D6B72989DA43D43
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	DiamondFox exe

abuse_ch

DiamondFox C2:
http://45.153.230.19/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.153.230.19/	https://threatfox.abuse.ch/ioc/185490/

Intelligence

File Origin

# of uploads :

# of downloads :

181

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aad837c26c32c147e23e49abac741d0b.exe

Verdict:

No threats detected

Analysis date:

2021-08-14 10:29:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/675942f0-f83b-4df4-a693-91617becf382

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/179217/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Trojan.Jaik-9862236-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Win.Malware.Jaik-9885385-0

Win.Malware.Jaik-9885415-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Searching for the window

Running batch commands

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Deleting a recently created file

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8c0c6307-7614-4b25-b4b8-0710dce741cc

Result

Threat name:

Coinhive RedLine Socelars Vidar

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832849

Signature

.NET source code contains very large strings

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Detected VMProtect packer

Disable Windows Defender real time protection (registry)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sample is protected by VMProtect

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Coinhive miner

Yara detected Costura Assembly Loader

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9/

Threat name:

Win32.Infostealer.Passteal

Status:

Malicious

First seen:

2021-08-12 14:06:04 UTC

AV detection:

22 of 46 (47.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ggeg2lxoptroyidihqkn5iu6fs5v2dujybxnlxw37kaksvfbp4q._file

Verdict:

unknown

DiamondFox

6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347

DiamondFox

799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21

DiamondFox

854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a

DiamondFox

bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c

DiamondFox

cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1

DiamondFox

cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3

DiamondFox

f9029a8f9164bd1b7ec115bb9fbc556bee6b60c61dfefbe16ffb434d1151d5f9

DiamondFox

+ 319 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:937 aspackv2 backdoor infostealer spyware stealer suricata themida trojan vmprotect

Link:

https://tria.ge/reports/210814-an1xlnfelj/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Vidar Stealer

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

Malware Config

C2 Extraction:

https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/

Dropper Extraction:

http://193.56.146.55/Api/GetFile2

Unpacked files

SH256 hash:

df6d674013ce24f66df320faf829d720fda51294f673ab12e6ca660d4f5a0d93

MD5 hash:

ed22a008628e35cdaa23b15d6cc1fac7

SHA1 hash:

7a05e54bd591efa7e2b53112f76ec74effdb59c0

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

c2b57b7467e0847649cfd47c0a22bd8801fa86f920e89c71e99a6896659d2047

MD5 hash:

1a21b6bd3fff783f6b63d512988104ec

SHA1 hash:

442dff9a2584873af7443c1153dc9a670731d877

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

c3f668640e10b6eb17e155cf7f564c54af57b2719ea5f97ce4bd6cbab92bad7f

MD5 hash:

4ea74e00b361ebbe8f5e06d7a104c697

SHA1 hash:

115fb2bb0ca9aeeb597fc3259371a4f77678322b

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568

MD5 hash:

6e088927a17d87c498f7011b1e26fa3a

SHA1 hash:

7f58e9a788c520a7c299af00f97252ce3c4d7131

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

Parent samples :

365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2

SH256 hash:

207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9

MD5 hash:

4955a27a03f35933fdbd801f425b6c58

SHA1 hash:

97f3b8f33fd1a49cf9db5a246d996047beef3c12

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

Parent samples :

db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f

SH256 hash:

f6e8a89445d39406106ec40f51ec6bf2c7dc34641482960d440bc2f8802652b0

MD5 hash:

e54a6986056249a0490915cba0ba0ef4

SHA1 hash:

44892df4238ff4f008606ddafbb09fadd8c28794

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

859652ead95300f7f186d7ee96d731e7dc09271bb6b5a6e3da24e6fc7865cbe5

MD5 hash:

8af735f5bc6bd037d1819b551ae63048

SHA1 hash:

3f6907f45f188c4222f671e9d900d2bc05dddf0f

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

MD5 hash:

c0d18a829910babf695b4fdaea21a047

SHA1 hash:

236a19746fe1a1063ebe077c8a0553566f92ef0f

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

430ed661f3be61265c7b657a641032b28c5a38495e6b37149b93428b9efa48a9

MD5 hash:

c465c7eb89a23837379e37046ec398e6

SHA1 hash:

00f6f8b48667dfe44d354953158c6915efd6d260

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

442e68b6cd18bc8d8b5e59a67c3b469c75bf9cf9996704e6a59bc5ba189e3462

MD5 hash:

de1772e62d6679ce3c928dd58c9b4895

SHA1 hash:

ea13dc11ba492492bdd9ffa6ac82c2d54b0521e7

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

1522e719a446e405b7ee0ab7c05bfd7948512ba99c99f349c8e8233e869c6c63

MD5 hash:

5003ff4fc36ea04e6bd3799b6695ac0d

SHA1 hash:

b76d7f79d31316014d09c9b2f01e65042e70987b

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

12d24747ccb7b79dd0fdc8736bd1bf1036ceaa6d5017ab810dc6df330c911dc5

MD5 hash:

13dc8699bae41bc634fe40b8676bc074

SHA1 hash:

b13974c11038c0abc6ad7a843114c94046e8e2a3

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

5d68cc5e6e1570c3bde0abe3d1abe869b250798237c6b8c20c6f483d07c6e263

MD5 hash:

350543ae11bfb689123001960341ed44

SHA1 hash:

41e1bc3f6550800c462ac0cbb2dff96c89ae81ef

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6

MD5 hash:

5b8639f453da7c204942d918b40181de

SHA1 hash:

2daed225238a9b1fe2359133e6d8e7e85e7d6995

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c

MD5 hash:

ccf4a60623b784b084855d0468d76eab

SHA1 hash:

9419cc65a1bb70e8780f6da7cedd169eb333db88

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

23d175b5994b630ed79677b7953dc77573d1f4e146640ec937e61dfbb295d9d2

MD5 hash:

529d64a389dbf466575bbdcf3a0b3e8a

SHA1 hash:

8d5540ad1f655c87ee7b9a9bb4b9313d2c6a5775

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

cf5a630009ba631218b72ea71aa8bbaa9713a30dbbf1f4c57ed3c4102cad54f9

MD5 hash:

858296cbc3eba1fcb0f365363ea609d2

SHA1 hash:

b10d8de7bad85a5ee45c38449f999ef8abdbedc5

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

SH256 hash:

e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9

MD5 hash:

aad837c26c32c147e23e49abac741d0b

SHA1 hash:

01bbb437ad2fe657624988076fc078084205b170

Link:

https://www.unpac.me/results/084609e2-01c5-46d2-92e1-f6afe73633ef/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179217/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample