MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f568bf60419b138108940953ad0786358b89607db140c3a109f335a12f4c1b72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DiamondFox


Vendor detections: 4



SHA256 hash: f568bf60419b138108940953ad0786358b89607db140c3a109f335a12f4c1b72
SHA3-384 hash: 6c4fba31d2aebf1b23e12477d9468969285c19e5959f1d2eaa2f41a96f3df084eba080ae9789fad277d2d422219aa982
SHA1 hash: 26316a6cd2e656ccae27f352da375b6028efd8cf
MD5 hash: 2968feea18f8b80dd184794dd697ab33
humanhash: artist-three-mirror-indigo
File name: arty.exe
Signature: DiamondFox
File size: 242'688 bytes
First seen: 2020-04-16 14:54:27 UTC
Last seen: 2020-04-16 17:39:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ec15c646d304efa4b9e6e84af834529 (1 x DiamondFox)
ssdeep: 3072:A+saQhdmWgoC8Tw1pO1Yc/LFGmAzGOLC8ch9:5+Lk2wg1TAqu8
Threatray: 110 similar samples on MalwareBazaar
TLSH: 3D348D2134D48072F6AFD63489B5DAB54A7ABC764F6471CB3BF91A3A2F342D18630346
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox malspam, various sending IPs. Example:

HELO: replysstrangesecurenetwork.us
Sending IP: 185.17.122.106
From: "Brio Trade Ltd" <ratification@replysstrangesecuretoday.us>
Subject: Invoice pending payment
Attachment: invoice_9.xls

DiamondFox payload URL:
http://217.8.117.60/arty.exe

DiamondFox C2:
http://217.8.117.60/mh/gate.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 113
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-04-16 15:35:36 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 26 of 31 (83.87%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
DiamondFox
Executable exe f568bf60419b138108940953ad0786358b89607db140c3a109f335a12f4c1b72 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA

Comments