diamondfox

General

Target

958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7
Size

392KB
Sample

210204-5b49qdd83e
MD5

58e3dd75dabaa2d6e81118b2f7ca854a
SHA1

ccab657f017855ddf2e0ed0341f39f1036ce8523
SHA256

958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7
SHA512

7fa5ff90c155e6370545d6226993411e2bbcca2e33f375fde72bea8437139c5f4e5c9fe4ccd18a5d5906817567b6153b1c5d4480e56a2b9d7263f5e1e657e13e

Score

10^/10

Malware Config

Targets

- Target
  
  958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7
- Size
  
  392KB
- MD5
  
  58e3dd75dabaa2d6e81118b2f7ca854a
- SHA1
  
  ccab657f017855ddf2e0ed0341f39f1036ce8523
- SHA256
  
  958d8e1498f1b3db2c79a62f78da66520654243f25acb19025874066b92618c7
- SHA512
  
  7fa5ff90c155e6370545d6226993411e2bbcca2e33f375fde72bea8437139c5f4e5c9fe4ccd18a5d5906817567b6153b1c5d4480e56a2b9d7263f5e1e657e13e
Score

10^/10

diamondfox botnet discovery ransomware spyware stealer
- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
  botnet stealer diamondfox
- DiamondFox payload
  Detects DiamondFox payload in file/memory.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- JavaScript code in executable
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Targets

DiamondFox payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

JavaScript code in executable

Enumerates physical storage devices

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2