MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
SHA3-384 hash: b90a706ba99d7626b2f0635b61d6fbc3d9734bbe81f854c1cbc8109adea5b346650e399abb616c40a5f32931e32a4a06
SHA1 hash: 7f2e2d4656ae4a5e6015c51184e19ef26510fb12
MD5 hash: 0a313a73aac1905c6ef571c4e700554a
humanhash: one-twelve-green-iowa
File name:0A313A73AAC1905C6EF571C4E700554A.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:5'802'713 bytes
First seen:2021-09-05 10:00:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xorRBQQyUroZi+nTf55/2UJ70UsjVk+io3McLpN3SQXB/uz7h4sWsjFe5qx:xorR3rETfjB70Ush9io3MeDOl4sW8+qx
Threatray 497 similar samples on MalwareBazaar
TLSH T17D4633223DF20D31CC590171A2E93FF7A2F9CFA8AB1514C7AF51635E97B89D0801AE91
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.173/ https://threatfox.abuse.ch/ioc/215894/

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0A313A73AAC1905C6EF571C4E700554A.exe
Verdict:
No threats detected
Analysis date:
2021-09-05 10:03:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/33ed9cab-57bc-4136-9501-0d2e89ddf301

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185422/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Creating a file
Deleting a recently created file
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Sending a UDP request
Launching a process
Creating a window
Reading critical registry keys
Moving a recently created file
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Connection attempt to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9fdeda3-ac63-4905-85e3-14ec6cbfe50c
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845509
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477940 Sample: axDZkGGzf2.exe Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 88 45.90.58.90 GREENFLOID-ASUA Bulgaria 2->88 90 104.21.41.27 CLOUDFLARENETUS United States 2->90 92 4 other IPs or domains 2->92 110 Antivirus detection for URL or domain 2->110 112 Multi AV Scanner detection for dropped file 2->112 114 Multi AV Scanner detection for submitted file 2->114 116 10 other signatures 2->116 12 axDZkGGzf2.exe 8 2->12         started        signatures3 process4 file5 78 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 12->78 dropped 80 C:\Users\user\AppData\...\setup_install.exe, PE32 12->80 dropped 82 C:\Users\user\AppData\Local\...\libzip.dll, PE32 12->82 dropped 84 3 other files (none is malicious) 12->84 dropped 15 setup_install.exe 3 12->15         started        process6 file7 86 C:\Users\user\AppData\...\e6e22792e2586e.exe, PE32 15->86 dropped 18 cmd.exe 1 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 106 Adds a directory exclusion to Windows Defender 18->106 23 e6e22792e2586e.exe 17 18->23         started        process10 file11 56 C:\Users\user\AppData\...\setup_install.exe, PE32 23->56 dropped 58 C:\Users\user\...\Wed17f6f9bbb339c2.exe, PE32 23->58 dropped 60 C:\Users\user\...\Wed1785e69fa9997.exe, PE32 23->60 dropped 62 12 other files (1 malicious) 23->62 dropped 26 setup_install.exe 1 23->26         started        process12 dnsIp13 100 8.8.8.8 GOOGLEUS United States 26->100 102 172.67.142.91 CLOUDFLARENETUS United States 26->102 104 127.0.0.1 unknown unknown 26->104 126 Adds a directory exclusion to Windows Defender 26->126 30 cmd.exe 26->30         started        32 cmd.exe 1 26->32         started        34 cmd.exe 1 26->34         started        37 6 other processes 26->37 signatures14 process15 signatures16 39 Wed1785e69fa9997.exe 30->39         started        44 Wed17f6f9bbb339c2.exe 2 32->44         started        108 Adds a directory exclusion to Windows Defender 34->108 46 powershell.exe 26 34->46         started        48 Wed1723a697f7.exe 37->48         started        50 Wed1714d285085.exe 37->50         started        52 Wed171b4c251d7.exe 37->52         started        54 Wed17d4eac5c83e204dc.exe 37->54         started        process17 dnsIp18 94 37.0.10.214 WKD-ASIE Netherlands 39->94 96 31.210.20.251 PLUSSERVER-ASN1DE Netherlands 39->96 98 9 other IPs or domains 39->98 64 C:\Users\user\AppData\...\toolspab2[1].exe, PE32 39->64 dropped 66 C:\Users\user\AppData\Local\...\setup[1].exe, PE32 39->66 dropped 68 C:\Users\user\AppData\Local\...\file2[1].exe, PE32 39->68 dropped 76 49 other files (13 malicious) 39->76 dropped 118 Tries to harvest and steal browser information (history, passwords, etc) 39->118 120 Disable Windows Defender real time protection (registry) 39->120 122 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->122 124 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->124 70 C:\Users\user\AppData\...\sfx_123_400.exe, PE32 48->70 dropped 72 C:\Users\user\AppData\Local\...\KiffApp2.exe, PE32 48->72 dropped 74 C:\Users\user\AppData\...\Wed1714d285085.tmp, PE32 50->74 dropped file19 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 04:56:33 UTC
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jpeee2vlozokv7wn64z3enahfzmdcbmvdbkzb2i4jp4bf4y4k7a._file
Verdict:
unknown
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
DiamondFox
3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
DiamondFox
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
DiamondFox
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
DiamondFox
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
DiamondFox
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
DiamondFox
ecc23ade7514bff1e172b9a02c27572a66e0d16bb68b4927198dc091abf1c982
DiamondFox
+ 487 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline botnet:pab777 aspackv2 backdoor dropper infostealer loader trojan
Link:
https://tria.ge/reports/210905-l19cvahea8/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.15:6043
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
3a82d7283a7d129ed2472a4a05f4c6482b8f399d513131de8fab3b8fc43dc3bc
MD5 hash:
4c48b9d4bacd286de91f6987c7438943
SHA1 hash:
f9c47969c194c0f4bed06b89cd9394bca8166685
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
c6b27043e32354f111a6080ca0e96b8fa0a334f92b538cdfc8dc297380479d08
MD5 hash:
10c90ba5a47c8c640e814a37f5901a9e
SHA1 hash:
de2b4ac96d10e59b0abe48c660b6d74dcdbe2f50
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8
MD5 hash:
51894ed4e7fec456b08027e2e6620386
SHA1 hash:
bbffdd90f9a5644086006734e03c15ac28db1ae9
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
b385065e867c1a4c692e5635447edc7371847db3c977116e396166fca0cdad3f
MD5 hash:
03fa526f69670059fd22233dc4c67ead
SHA1 hash:
9c83d226cd466282660c7d4c9d8e2ee7aa59ff2d
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
33bf28aaaae40fba092c417031655257839dba134d1cfec6fd40fb2b2ac745ab
MD5 hash:
510140b98bbbe8630713d99ada2a2286
SHA1 hash:
8ee579aa42fbe64e62fa8753af46562d0bd871ff
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
9e676d1e69c30c163c1613124d01bdc73cf40d0a2eb9133af60b30b30dc787a4
MD5 hash:
56a57b5606aef0dfa3f0a6f1b13ac4bb
SHA1 hash:
6c33f2b6bd1636bcd10de094d6dfcc9a1e534ad6
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
367591f8a40151c4d788bbaa29e20b3dd57ce22f056b51f9f0380e4fd2275c07
MD5 hash:
4e0196b3ab0d47e4a2093ffa87c7326b
SHA1 hash:
58ba603c32b3036477b615cd46a9e834cc4645d8
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
96aebb504a87e240a46e3e6b0cdfbaf6fc1e846e22a6fc2393c45c3208184f6c
MD5 hash:
d2c1d7aae1a68dfc796d0740a341740b
SHA1 hash:
400e51592995edb266d84b0c7db1f41fdb3dc342
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862
MD5 hash:
95f9e24e7dd90ee5892743c58801db9f
SHA1 hash:
f107fcd45e57e7b71193f1f1777b8377f5d3cda1
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982
MD5 hash:
35959e37d587e649357c57c2c5797a93
SHA1 hash:
b3f2ef17f1c45e34ea84a70285a14672034a97ae
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022
MD5 hash:
6e5515bdee2907426548266c47390abc
SHA1 hash:
105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
61c5fcaa49f0d49c151aed1076625455a245150942dd292a29182d8ca1ce6bfc
MD5 hash:
b00957824ab7790185ec07c6e6face35
SHA1 hash:
1107b6a89474fe310fcdd0589a628a06eef5c264
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
aff5052dcaceac8cc0d97983c19091be8f1d2fa3b2ea4f649adf0c16855bc8b8
MD5 hash:
b32e81cfce4fb1d3a87156891c95e35c
SHA1 hash:
9a1b6b18d71016d4b7ebe5abbfaaa204d51ece86
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
3fccf0062245a335964b95c370581f71e24eb2c1edd231bc30ac8ddf63bbf367
MD5 hash:
721b9800ee1c7d81afbca0290b95dae9
SHA1 hash:
03dac58fa2d1aa895b37ed1d3b22fe756be73b58
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
c8040666dfc672d25ad082c69e3ba73dd9f012e253a6a3dbb5f24d28ff816575
MD5 hash:
4cd8a3d2d2392735aa89b8d985b479a2
SHA1 hash:
ffde7e9becc0b6ce67829fa8cb7f3d25d44a7028
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
Parent samples :
8303c9a626d7edb090bdd8f0d128fc887b7fa36b0dfc43a7f71dcb5b34b1bbab
ecc23ade7514bff1e172b9a02c27572a66e0d16bb68b4927198dc091abf1c982
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756
9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b
e63f3efc1462f054169998d9bdb7e5b2ca0cb78b393e978880458965472f76de
8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0
1f2a3d598734fe566de2054f3c73fd2245fc6023f0740bdbae88a076f508ebd2
18f74890fef60f1e18d5b1d0b43f100c69b430445187d672bbedf46aff687d09
74bafd56c1fb3cdebf0a63de4ffb6f16dc1d5cee38e11ab0d2bc2614538da65f
07c18e8e0f92e75367df02c4114947b038e86fcbc7c8e5a77df739deb955263a
3d898349908143bef8f7652dada13c6075f84af469349be709b1d33d2ddf6672
SH256 hash:
6470913c58f1188acda792163f71d745975fdeaf0466a7532d1e1616ef1656c7
MD5 hash:
04b7ada872e8039fdadf78f562e8dfe0
SHA1 hash:
48b00b225cd4ef081126fef4abf6a8368dfb6d0a
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
d8e108b1b35c57bea0f816e38bf0538aadedca9d3a082685d8fd43737c961c7b
MD5 hash:
aebd80fa08a8f0a8f5e0814867a64d55
SHA1 hash:
51d25ad30ebd3856f360885514734cc45024276c
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
4c7e3e5ef65c76c86c499f75642a6a56b75fb7e4bcdc47c25c487cfcfb047ec8
MD5 hash:
54023a4728c46c0362429e3d8baa554d
SHA1 hash:
33b69b145a8bfae16e887e3ef9e2dad7070907f5
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
90e0fe9e142c4f7b1aad1335bbef027d1988673fcccfea004de9c13c49bd1dcf
MD5 hash:
f2e7b491c708283189a5f0457efde715
SHA1 hash:
69c36bf56c6bf111db8dbeba291424fa227dec11
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
990d89832816c4a36a42ec144d20990e25fd43ba04c844ec40c1d7e0d37a4f4d
MD5 hash:
decf7759417321b24d50b80f159082c0
SHA1 hash:
680eb41ddec095392cee995af813da7282d0a0da
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
SH256 hash:
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
MD5 hash:
0a313a73aac1905c6ef571c4e700554a
SHA1 hash:
7f2e2d4656ae4a5e6015c51184e19ef26510fb12
Link:
https://www.unpac.me/results/bbde34bf-1bba-450d-950c-26cd399f42ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185422/

Comments