MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3b142956509070653f79be7940ce14497ee3e9feef6eebbb522c1a88c5ff997. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3b142956509070653f79be7940ce14497ee3e9feef6eebbb522c1a88c5ff997
SHA3-384 hash: c09dc4a2d88cc7298c275c84f5213964e8b74f63e6896ebc28101faca258571ea6025ce565e5b8d575071a3256a402fc
SHA1 hash: 1a5bb1a99f71b0af8d9d5bf076382ab42c2ecce0
MD5 hash: 80f65788ca4a1874c2a5852050c39454
humanhash: wisconsin-uncle-muppet-fifteen
File name:80F65788CA4A1874C2A5852050C39454.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:4'033'776 bytes
First seen:2021-09-01 16:26:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xLCvLUBsgaM3xYSqe50LyGUX2neZ8vl91RxH4z3:xwLUCgaM3xCbyd2euvlTRi3
Threatray 461 similar samples on MalwareBazaar
TLSH T140163322B9C884F2CE8065318A90B7B354F962084F7A0DEFD74CDF5C5B3E5A691B6817
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.144/ https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184519/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Dropper.Generickdz-9889973-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17662f76-d633-4f5e-a077-8ec4eaf06047
Result
Threat name:
Glupteba Metasploit RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843509
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 475940 Sample: Macw2XcbeX.exe Startdate: 01/09/2021 Architecture: WINDOWS Score: 100 62 88.99.66.31 HETZNER-ASDE Germany 2->62 64 34.97.69.225 GOOGLEUS United States 2->64 66 5 other IPs or domains 2->66 86 Antivirus detection for URL or domain 2->86 88 Antivirus detection for dropped file 2->88 90 Multi AV Scanner detection for dropped file 2->90 92 14 other signatures 2->92 9 Macw2XcbeX.exe 16 2->9         started        signatures3 process4 file5 42 C:\Users\user\AppData\...\setup_install.exe, PE32 9->42 dropped 44 C:\Users\user\...\Sat16d9f114816e0976.exe, PE32 9->44 dropped 46 C:\Users\user\...\Sat16d475e654cb6a.exe, PE32 9->46 dropped 48 11 other files (6 malicious) 9->48 dropped 12 setup_install.exe 1 9->12         started        process6 dnsIp7 82 104.21.43.244 CLOUDFLARENETUS United States 12->82 84 127.0.0.1 unknown unknown 12->84 114 Adds a directory exclusion to Windows Defender 12->114 16 cmd.exe 1 12->16         started        18 cmd.exe 1 12->18         started        20 cmd.exe 1 12->20         started        22 6 other processes 12->22 signatures8 process9 signatures10 25 Sat1630bf4e7e.exe 4 64 16->25         started        30 Sat16d475e654cb6a.exe 18->30         started        32 Sat163fc336ef714f28.exe 3 20->32         started        94 Adds a directory exclusion to Windows Defender 22->94 34 Sat16600d6625.exe 1 22->34         started        36 Sat16d9f114816e0976.exe 2 22->36         started        38 Sat16c99158cc7.exe 12 22->38         started        40 powershell.exe 25 22->40         started        process11 dnsIp12 68 37.0.10.214 WKD-ASIE Netherlands 25->68 70 37.0.10.237 WKD-ASIE Netherlands 25->70 78 9 other IPs or domains 25->78 50 C:\Users\...\tY9OQsx8egC0m4bqcdR45Emu.exe, PE32 25->50 dropped 52 C:\Users\user\AppData\...\sfx_123_201[1].bmp, PE32 25->52 dropped 54 C:\Users\user\AppData\Local\...\file7[1].exe, PE32 25->54 dropped 60 41 other files (17 malicious) 25->60 dropped 96 Machine Learning detection for dropped file 25->96 98 Tries to harvest and steal browser information (history, passwords, etc) 25->98 100 Disable Windows Defender real time protection (registry) 25->100 102 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 30->102 104 Maps a DLL or memory area into another process 30->104 106 Checks if the current machine is a virtual machine (disk enumeration) 30->106 108 Creates a thread in another existing process (thread injection) 30->108 72 8.8.8.8 GOOGLEUS United States 32->72 74 172.67.146.70 CLOUDFLARENETUS United States 32->74 56 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 32->56 dropped 110 Creates processes via WMI 32->110 76 208.95.112.1 TUT-ASUS United States 34->76 80 2 other IPs or domains 34->80 58 C:\Users\user\...\Sat16d9f114816e0976.tmp, PE32 36->58 dropped 112 Antivirus detection for dropped file 36->112 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3b142956509070653f79be7940ce14497ee3e9feef6eebbb522c1a88c5ff997/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-29 00:37:24 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6oyufflfbedqmu7xtptzidhbisl64pu7533o5o5vela2rdc77glq._file
Verdict:
unknown
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
DiamondFox
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
DiamondFox
186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
DiamondFox
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
DiamondFox
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
DiamondFox
45c04168fe1e27939f2e08c178279d8c1aca5eba4ed8f6a717eb70b966cc5617
DiamondFox
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
DiamondFox
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
DiamondFox
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
DiamondFox
bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
DiamondFox
+ 451 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:706 aspackv2 backdoor infostealer stealer suricata trojan upx
Link:
https://tria.ge/reports/210901-5tq2alwzqs/
Behaviour
Creates scheduled task(s)
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
1e47b0a87b714febf0f805a2c319a150cc8bd58d738669c76c975a64d40130ab
MD5 hash:
6cbca955ae2bb778cf9de6cef5d114a7
SHA1 hash:
527feb36a0cbd2c348df1862bb2d4516ed9bad6f
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
2ea36a668d45af10393ee4025a3311df8ebbb112b760437559e37b3770ad017e
MD5 hash:
b87dfc1bcc56ebbe967fbec9b0e86c04
SHA1 hash:
c6c83789d28a1fcd86269f83f1ee66849c68e6e6
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
fc47acd0c86b1510370552a19a75f52cb9d098ddf5b12a70f874d2b5403a862a
MD5 hash:
74bb0e6c3c298e0599556ffa1635387b
SHA1 hash:
fee74682276182c0277f3de3f573fc8b9b44a829
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
5d38f54804ec1bd00185ffe8fd18e38f2366aea04005b61d5abe521c904a0a9c
MD5 hash:
9ab0846a78cec2040cad518bfc736fd6
SHA1 hash:
f9e18fe97760cf77b0372b43119b59334e2d0b2a
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
91213a8ad39b4333e99ef150f78c4d79275ed984d39abe2a4c307246a3f3a7e0
MD5 hash:
e8fa73c828b931f612686329afbc90fe
SHA1 hash:
e5624be3ef0ed49dc03d0e552c5fafe0053d0ee2
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
9887dad0391ab1b93b6a6754cd14ef4539e7194c74ddc4b0c993797795809d2e
MD5 hash:
e8ef2639c0578b17ac611a7d5464ef9b
SHA1 hash:
c6c4916d373fd2ccbdfda0e5eafc28f48e1d802b
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
ed2ac847e8f4f6044b760de445d41d4298bc192046b95c3d76831bc599826289
MD5 hash:
f5024be48c7da3c414953ca9b4957e4e
SHA1 hash:
c1d711f2147a4cf292398938308d1312799b6d58
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
8ee293f61a3ca66da916da30dfd3541d3f61298d05e1bde8fa1350635b7717ee
MD5 hash:
83afd2f0a2681f56b3907a8221446dcb
SHA1 hash:
bcb76bd1a0521bdfea11fb0fa74781988f4308e3
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
24da4be8c1d9ca77f30cfea2e4fa4113d2be3497a1efba8c2465605dccf20166
MD5 hash:
698f103458a664e57eae14b914673934
SHA1 hash:
71f6f414b92fc5daf178e5b0d49a24fd4890439b
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
ef9d13a3818fa8b00a1811856ea7b939c1ac85e1f5433a6732c394b5b0e7f9f5
MD5 hash:
10851eee5c6fd370d51f74db512c65b2
SHA1 hash:
639f6b0efd061998962f03687ff3dba32415e696
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
77c107737db79074273d8c2ecdec5952897d556ea5123f443326c963fcc83148
MD5 hash:
36c9153f23fca5635f988aa144cd9dfa
SHA1 hash:
6182f15a7b9d72c522ef4e5a3e11b0c34ac49eb1
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
02a30b92d3582909f971294c4d2d7668b28df48a4d17458d15c3ef9bbfeca9f6
MD5 hash:
d7d2aa194d9bbd23a94c01640d8832f7
SHA1 hash:
b8ebd8298d0960ce0d32f828e26bc24f60189f66
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
e7954726d3eff97d552f2b8f0572ef0c5df4a1b8d539084571bf91d36b3467ee
MD5 hash:
8be1be65f4f4e2297cc80b79ca0e9034
SHA1 hash:
964ecf613a805dbddc470f59a4f0d418ad275dc5
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
SH256 hash:
f3b142956509070653f79be7940ce14497ee3e9feef6eebbb522c1a88c5ff997
MD5 hash:
80f65788ca4a1874c2a5852050c39454
SHA1 hash:
1a5bb1a99f71b0af8d9d5bf076382ab42c2ecce0
Link:
https://www.unpac.me/results/173ee4b1-070f-4d64-b26e-a400bdbceb31/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f3b142956509/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3b142956509070653f79be7940ce14497ee3e9feef6eebbb522c1a88c5ff997

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184519/

Comments