Overview

overview

10

Static

static

URLScan

urlscan

http://148.163.12.10...

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://148.163.12.101/WMndFrdk?keyword=Others&cost=0.00040&ad_campaign_id=262704&source=0

  • Sample

    201117-h9cj6sz8s6

Score
10/10
diamondfoxbootkitbotnetpersistencestealer

Malware Config

Extracted

Family

diamondfox

C2

https://www.datanalysis.club/ms/gate.php

https://www.datanalysis.site/ms/gate.php

https://www.datanalysis.space/ms/gate.php
Mutex

cBFxpht5aCf0jy4gnUs3JgtqCB2O2tWJ

xor.plain

Targets

    • Target

      http://148.163.12.101/WMndFrdk?keyword=Others&cost=0.00040&ad_campaign_id=262704&source=0

    Score
    10/10
    diamondfoxbootkitbotnetpersistencestealer

    • DiamondFox

      DiamondFox is a multipurpose botnet with many capabilities.

      botnetstealerdiamondfox

    • DiamondFox payload

      Detects DiamondFox payload in file/memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks