MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f89110f497e2a39c3fc34329b16e5528564bae652fda61cd07410b27e046fdf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: DiamondFox
Vendor detections: 10

SHA256 hash: f89110f497e2a39c3fc34329b16e5528564bae652fda61cd07410b27e046fdf3
SHA3-384 hash: 9434c19521fa907301bb4a08b8d46f4e8c388676096cae6ea30f7f418b81390835b7b59d19aa05b9aa5eedbe4c27b4c5
SHA1 hash: 33bbc2bdbf7caa1d5871315c6f423717ce9ca33f
MD5 hash: 208532e2a4c461ba3f8771e5f2c42965
humanhash: sink-don-mobile-seven
File name: 208532e2a4c461ba3f8771e5f2c42965.exe
Signature: DiamondFox
File size: 2'606'080 bytes
First seen: 2021-06-27 14:05:35 UTC
Last seen: 2021-06-27 14:36:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger). Caveat: this is the imphash shared by practically every .NET executable, whose only native import is mscoree.dll!_CorExeMain; the tens of thousands of co-occurrences with unrelated families show it identifies the runtime, not the malware, so do not pivot on it.
ssdeep: 49152:QRvqS0mHytg5TlXPZPJ2Jy1CKklMYpMgKiHmnk0yPP9WUz:m10mIgxd151CBlVpMeGnk0sEU
Threatray: 52 similar samples on MalwareBazaar
TLSH: 60C533A9E33C42F5F73D2A36525746158AB2DE57320DC9AFCE1D10490F63B026A07B7A
Reporter: abuse_ch
Tags: DiamondFox exe


abuse_ch
DiamondFox C2:
http://185.212.44.211/receive.php

Indicators Of Compromise (IOCs)

Below is the list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                ThreatFox Reference
http://185.212.44.211/receive.php  https://threatfox.abuse.ch/ioc/154515/
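As an added example (my own code, not MalwareBazaar's or abuse.ch's tooling), the following script turns the indicators on this page into a check a responder can run against local artefacts: the file hashes from the entry and the C2 URL above, plus the mining pool host and port that the sandbox report further down attributes to the injected explorer.exe. The log-line format and the log lines themselves are constructed for the demo and are not real traffic.

```python
"""Added example, not part of the MalwareBazaar entry: match the entry's
indicators against local artefacts.  The log-line format and the log lines
are constructed for the demo; only the hashes, the C2 URL and the
mining-pool host:port are copied from the entry and its sandbox report."""
import hashlib
from urllib.parse import urlsplit

# Indicators copied from the entry (digests of the submitted file).
SAMPLE_HASHES = {
    "sha256": "f89110f497e2a39c3fc34329b16e5528564bae652fda61cd07410b27e046fdf3",
    "sha1": "33bbc2bdbf7caa1d5871315c6f423717ce9ca33f",
    "md5": "208532e2a4c461ba3f8771e5f2c42965",
}
C2_URL = "http://185.212.44.211/receive.php"      # ThreatFox IOC 154515
MINING_POOL = ("xmr.2miners.com", 2222)           # from the sandbox report


def hash_bytes(data: bytes) -> dict:
    """Digest `data` with every algorithm present in SAMPLE_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def file_matches(data: bytes, known: dict = SAMPLE_HASHES) -> list:
    """Algorithms under which `data` equals a known-bad digest (sorted)."""
    digests = hash_bytes(data)
    return sorted(alg for alg, h in known.items() if digests[alg] == h.lower())


def parse_log_line(line: str) -> dict:
    """Constructed format: '<ts> <client> <dst_host> <dst_port> <path>'."""
    ts, client, host, port, path = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "host": host.lower(),
            "port": int(port), "path": path}


def network_hits(lines) -> list:
    """(client, label, host:port+path) for traffic touching the C2 or pool.
    A full URL match is the strong hit; the bare C2 host is reported too
    because the IP itself is the indicator worth blocking."""
    c2 = urlsplit(C2_URL)
    c2_port = c2.port or (443 if c2.scheme == "https" else 80)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_log_line(line)
        where = f'{ev["host"]}:{ev["port"]}{ev["path"]}'
        if ev["host"] == c2.hostname and ev["port"] == c2_port and ev["path"] == c2.path:
            hits.append((ev["client"], "DiamondFox C2", where))
        elif ev["host"] == c2.hostname:
            hits.append((ev["client"], "DiamondFox C2 host", where))
        elif (ev["host"], ev["port"]) == MINING_POOL:
            hits.append((ev["client"], "XMR mining pool", where))
    return hits


# Constructed log lines (not real traffic); lines 2, 3 and 4 should hit.
SAMPLE_LOG = """\
2021-06-27T14:10:01Z 10.0.0.5 www.example.com 443 /
2021-06-27T14:10:07Z 10.0.0.5 185.212.44.211 80 /receive.php
2021-06-27T14:10:09Z 10.0.0.5 185.212.44.211 80 /
2021-06-27T14:11:30Z 10.0.0.5 xmr.2miners.com 2222 -
"""

if __name__ == "__main__":
    for hit in network_hits(SAMPLE_LOG.splitlines()):
        print(hit)
    print(file_matches(b"not the sample"))   # empty unless the bytes are the sample
```

Feed `file_matches` the bytes of anything quarantined and `network_hits` your proxy or DNS export after mapping it onto the five-field format; the unpacked-file hashes listed later on this page can be added to `SAMPLE_HASHES` in the same way.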

Intelligence


File Origin
# of uploads: 2
# of downloads: 148
Origin country: n/a

Vendor Threat Intelligence
The vendor results below do not agree on a family name: the reporter's signature is DiamondFox, the sandbox tags are BlackNET and XMRig, and one scanner names the threat Win32.Trojan.AgentTesla. Treat the label as weak and pivot on the C2, pool and dropped-file indicators instead.

Malware family: n/a
ID: 1
File name: 208532e2a4c461ba3f8771e5f2c42965.exe
Verdict: Malicious activity
Analysis date: 2021-06-27 14:07:32 UTC
Tags: trojan blacknet

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 440968; sample hy2x7ex1Ny.exe; start date 27/06/2021; architecture WINDOWS; score 100). The graph image was flattened to text by extraction; the process tree, dropped files and network contacts it recorded are:

Process tree
- hy2x7ex1Ny.exe (the sample) drops C:\Users\user\AppData\Local\...\download.exe (PE32), C:\Users\user\AppData\...\hy2x7ex1Ny.exe.log (ASCII) and C:\Users\user\...\Firefox Installer.exe (PE32), then starts download.exe and Firefox Installer.exe.
- download.exe drops C:\Users\user\AppData\Local\Temp\xmr.exe (PE32+) and C:\Users\user\AppData\Local\Temp\Client.exe (PE32) and starts both. Signatures on download.exe: antivirus and multi-AV detection for dropped file, machine-learning detection for dropped file, detected unpacking (overwrites its own PE header).
- xmr.exe drops C:\Users\user\AppData\Local\...\Services.exe (PE32+) and starts sihost64.exe, Services.exe and cmd.exe. Signatures: sample is not signed and drops a device driver, drops PE files with benign system names, machine-learning detection for dropped file.
- Services.exe drops C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+) and C:\Users\user\AppData\...\sihost64.exe (PE32+), injects code into explorer.exe (writes to foreign memory regions, allocates memory in foreign processes), and spawns cmd.exe, which launches schtasks.exe under conhost.exe. sihost64.exe respawns Services.exe three times; each instance repeats the explorer.exe injection and the cmd.exe/schtasks.exe chain.
- Client.exe contacts 185.212.44.211 (SERVINGADE, Sweden; ports listed as 49724, 49731, 49755), queries Win32_VideoController via WMI (VM detection), and carries antivirus and multi-AV detection for dropped file.
- Firefox Installer.exe drops C:\Users\user\AppData\...\setup-stub.exe (PE32), which drops C:\Users\user\AppData\...\WebBrowser.dll, C:\Users\user\AppData\Local\...\UserInfo.dll and C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32) plus 3 other files (none malicious), triggers "Tries to harvest and steal browser information (history, passwords, etc)", and launches iexplore.exe, which contacts dzlgdtxcws9pb.cloudfront.net (13.225.83.52:443, AMAZON-02, US), firefox.com (44.236.48.31:443, AMAZON-02, US) and 2 other IPs or domains.
- svchost.exe changes security center settings; 12 other processes (including conhost.exe and schtasks.exe) were started, with 127.0.0.1 and 192.168.2.1 appearing as local contacts.

Network
- explorer.exe (injected) contacts xmr.2miners.com (51.89.96.41, port 2222; OVH, France) and pastebin.com (104.23.98.190, port 443; Cloudflare, US). Signatures: Stratum mining protocol detected on the pool connection, system process connects to network (likely due to code injection), firmware-table query (likely VM detection).
- The graph also attaches "Detected Stratum mining protocol" to the 185.212.44.211 connection made by Client.exe.
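The behaviours above are what a detection engineer would turn into rules. As an added example (my own code, not the page's and not any sandbox vendor's), the block below implements four of them over Sysmon-like events: a system-binary name running outside a Windows system directory (the report's "System File Execution Location Anomaly" and "Drops PE files with benign system names", including digit-suffixed lookalikes such as sihost64.exe), schtasks-based persistence pointing into a user profile, a system-named process talking to the mining pool, and a Stratum JSON-RPC login in the payload. The event dicts, paths, command line and the XMRig agent string are constructed for the demo; only the dropped-file names, the pool host and port 2222 come from the report. The exact-directory allow-list and the lookalike heuristic are my assumptions, not a vendor rule.

```python
"""Added example, not from the page or from any sandbox vendor: four of the
behaviours the report flags, written as detection logic over Sysmon-like
event dicts.  Events, paths and command lines are constructed; only the
dropped-file names, the pool host and port 2222 come from the report."""
import json
from pathlib import PureWindowsPath

# Names that should only ever execute from a Windows system directory.
SYSTEM_IMAGES = {"services.exe", "sihost.exe", "svchost.exe", "explorer.exe",
                 "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
# Tight allow-list (assumption): exact parent directories, no subfolders.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
MINING_POOLS = {"xmr.2miners.com"}           # from the sandbox report


def location_anomaly(image_path: str) -> bool:
    """System-binary name, or a digit-suffixed lookalike such as sihost64.exe
    (dropped beside Services.exe in the report), running outside SYSTEM_DIRS."""
    p = PureWindowsPath(image_path)
    name = p.name.lower()
    if not name.endswith(".exe"):
        return False
    lookalike = name[:-4].rstrip("0123456789") + ".exe"   # sihost64.exe -> sihost.exe
    if name not in SYSTEM_IMAGES and lookalike not in SYSTEM_IMAGES:
        return False
    return str(p.parent).lower() not in SYSTEM_DIRS


def scheduled_task_persistence(image: str, cmdline: str) -> bool:
    """schtasks /create whose /tr action points into a user profile."""
    if PureWindowsPath(image).name.lower() != "schtasks.exe":
        return False
    low = cmdline.lower()
    return "/create" in low and "/tr" in low and "\\appdata\\" in low


def system_process_to_pool(image: str, dst_host: str) -> bool:
    """A system-named process (the report shows an injected explorer.exe)
    talking to a known mining pool."""
    return (PureWindowsPath(image).name.lower() in SYSTEM_IMAGES
            and dst_host.lower() in MINING_POOLS)


def stratum_login(payload: bytes):
    """Agent string or method name if `payload` is a Stratum JSON-RPC login
    (XMRig-style "login", or Bitcoin-style mining.subscribe/authorize);
    None for anything else, including TLS records and non-JSON text."""
    try:
        msg = json.loads(payload.decode("utf-8").strip())
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method == "login":
        params = msg.get("params")
        if isinstance(params, dict) and "agent" in params:
            return str(params["agent"])
        return "login"
    if method in ("mining.subscribe", "mining.authorize"):
        return method
    return None


def triage(events) -> list:
    """Run every detector over the event dicts; return (rule, detail) pairs."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            if location_anomaly(ev["image"]):
                hits.append(("System File Execution Location Anomaly", ev["image"]))
            if scheduled_task_persistence(ev["image"], ev["cmdline"]):
                hits.append(("Scheduled task persistence", ev["cmdline"]))
        elif ev["type"] == "network":
            if system_process_to_pool(ev["image"], ev["dst_host"]):
                hits.append(("System process connects to mining pool",
                             f'{ev["image"]} -> {ev["dst_host"]}:{ev["dst_port"]}'))
            agent = stratum_login(ev.get("payload", b""))
            if agent:
                hits.append(("Stratum mining protocol", agent))
    return hits


# Constructed telemetry mirroring the report's process tree (not real captures).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\Services.exe", "cmdline": "Services.exe"},
    {"type": "process", "image": r"C:\Users\user\AppData\Roaming\sihost64.exe", "cmdline": "sihost64.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Services /tr "C:\Users\user\AppData\Local\Temp\Services.exe" /sc onlogon'},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dst_host": "xmr.2miners.com", "dst_port": 2222,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET","pass":"x","agent":"XMRig/6.12.2"}}\n'},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dst_host": "pastebin.com", "dst_port": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The pastebin.com event deliberately produces no hit: the TLS record is not JSON, and pastebin is a legitimate service, which is why the sandbox only says "likely for C&C". The location check is stricter than the Sigma rule it mimics (it allows no subfolder of C:\Windows at all), so expect to add exclusions such as WinSxS before running it at scale.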
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-06-27 14:06:22 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:blacknet family:xmrig discovery evasion miner spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
XMRig Miner Payload
BlackNET
xmrig
Unpacked files (the last entry is the submitted sample itself)
SHA256: 6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83  MD5: d4f7b4f9c296308e03a55cb0896a92fc  SHA1: 63065bed300926a5b39eabf6efdf9296ed46e0cc
SHA256: bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f  MD5: 2979f933cbbac19cfe35b1fa02cc95a4  SHA1: 4f208c9c12199491d7ba3c1ee640fca615e11e92
SHA256: 64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb  MD5: f4d89d9a2a3e2f164aea3e93864905c9  SHA1: 4d4e05ee5e4e77a0631a3dd064c171ba2e227d4a
SHA256: a9bf0f70b6e4ed960399731e1ce736e0449c7607dc09bfb7db6b80fba4e690ce  MD5: 42e30e49bb85dd66ebc2a4cdd4a3df6c  SHA1: e4571789a8236e8bc049e8abe1e15f399f10ca1b
SHA256: a109246188d710887c0924381381ec20b74ededd016a8f5a5626ad949ad39138  MD5: 74a77d0e9dab705ad23722d1f0c8b1cd  SHA1: ca04585d3ded102725b39ed0b236497790af3cc3
SHA256: 04ebb447d60fab93a220bfed6e4cfbe6820c25dce0255580b8504503c741f8d6  MD5: 5ac94b1fb96214e7dcf97ae8b45210c8  SHA1: 8ee8a678d586947924060472f7178ff08bc90770
SHA256: 6cef0afc150fff4c26f5b4bfd5d948bfc3522fb7931c66d3c9492a5e99fb575b  MD5: ac825ddae5c44ddbfb8188468b13c3e7  SHA1: 4a07a6d5e521005c75d257bcced1c523633707c6
SHA256: 94e14f320caf63ca323ea32d23df7d622ccc6376324922de284c09dfdc7502b3  MD5: ccaa58a26ae7dcfaaf9f912282a6ee2f  SHA1: b34ff64f28f3a1cedadb7836caec7592c89844f8
SHA256: 6e3c625851476716aca183bdc8b86c64259c08d4689cb96b8ce3563658948cce  MD5: 59c5e5f9d32a66d4ec6b5a5bad09d01e  SHA1: e026adc2bc311a97a8121049feea3c8c1bb9d4a0
SHA256: e7c193e48e09c367bdeb54b1272b05bd0c7c6f470625bf9192e8c8c437c6e728  MD5: 29d4b18290997722e6d9015e73e8c308  SHA1: d9bf95717a54f01c36d13f0e0894deed63d6a26e
SHA256: 8c09f6ea1fb5525c6a0a11d593f1e69783ba0cee7675f4bacc42ee278bc973d7  MD5: 288b51dc87f36e693ae984f2817cc38e  SHA1: 5a7963d2382b6151e778c79fd752333cad971eb3
SHA256: f89110f497e2a39c3fc34329b16e5528564bae652fda61cd07410b27e046fdf3  MD5: 208532e2a4c461ba3f8771e5f2c42965  SHA1: 33bbc2bdbf7caa1d5871315c6f423717ce9ca33f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cryptocoin_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: HKTL_NET_GUID_BlackNET
Author: Arnim Rupp
Description: Detects VB.NET red/black-team tools via typelibguid
Reference: https://github.com/BlackHacker511/BlackNET

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: pe_imphash

Rule name: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Author: Florian Roth
Description: Detects XMRIG crypto coin miners
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: XMRIG_Miner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Sample: Executable exe f89110f497e2a39c3fc34329b16e5528564bae652fda61cd07410b27e046fdf3 (this sample)
Signature: DiamondFox
Delivery method: Distributed via web download