General

  • Target

    1B59.tmp.bin.zip

  • Size

    174KB

  • Sample

    210209-x8za62r1f2

  • MD5

    4ce927ec63605909c069b331c2e100f6

  • SHA1

    2256e1a5db34d011f57df2be257c5665dffda453

  • SHA256

    71c7eb818509ce499f6f870cd785d5b215a264e2d28e9606b1ba6b955bd2b9d4

  • SHA512

    199e7937578f05ce939428c678ce46dcb79a1e7cc19f47ae6733bd2408775f2224936f79796bf8113f9b0b553d47c276589c7733b5f2b33f7ef9a49cd8b7c4e3

Malware Config

Targets

    • Target

      1B59.tmp.bin

    • Size

      376KB

    • MD5

      160844e5811ca8258e61cf44bf8587e5

    • SHA1

      215bfc756f944e36c53e73e4be99c68b8d36df04

    • SHA256

      f0498105de4bca70065bac976d8da9cb153a174dedbf0e3d932abae2eb94f152

    • SHA512

      e92082ad2a68292622c2cff0ea7d77e034c1c4118947dcf6c3cf390aa21f03c0cd72602a41f896534af5cfec3087d6e0e7a1a9b6ce3f88a9d468ec910a0048a8

    • DiamondFox

      DiamondFox is a modular botnet whose plugins cover credential theft, cryptocurrency wallet theft, keylogging and DDoS; the signatures below show the credential-theft side in use, driven by bundled NirSoft password-recovery tools.

    • DiamondFox payload

      Detects DiamondFox payload in file/memory.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely read stored browser profile data, which can include saved credentials, cookies, session tokens and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; in this sample, next to the credential and wallet indicators above, drive enumeration is equally consistent with an infostealer locating files to harvest.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state, including the instruction pointer; malware uses it to redirect a suspended process into injected code (process hollowing).
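Before working from the hashes in the General and Targets sections, confirm that the archive you hold and the file inside it are the ones this report describes. The script below is an added example, not tooling from the sandbox or from the DiamondFox author: it hashes the outer zip and each member without extracting to disk, compares the result against the IOC table copied from above, and reports any digest that differs. It assumes an unencrypted archive; the `build_archive` helper exists only to produce constructed test input.

```python
import hashlib
import io
import sys
import zipfile

# IOCs copied from the report above: the outer archive and the inner payload.
# SHA512 is omitted here only to keep the table short; add it the same way.
REPORT_IOCS = {
    "1B59.tmp.bin.zip": {
        "md5": "4ce927ec63605909c069b331c2e100f6",
        "sha1": "2256e1a5db34d011f57df2be257c5665dffda453",
        "sha256": "71c7eb818509ce499f6f870cd785d5b215a264e2d28e9606b1ba6b955bd2b9d4",
    },
    "1B59.tmp.bin": {
        "md5": "160844e5811ca8258e61cf44bf8587e5",
        "sha1": "215bfc756f944e36c53e73e4be99c68b8d36df04",
        "sha256": "f0498105de4bca70065bac976d8da9cb153a174dedbf0e3d932abae2eb94f152",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_stream(fobj, chunk=1 << 16):
    """Stream a file-like object once and return all four digests as hex."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    while True:
        block = fobj.read(chunk)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_archive_and_members(zip_bytes, archive_name):
    """Hash the archive as delivered and every file it contains.

    Members are read through zipfile without extracting, so the payload never
    lands on the analyst's filesystem. A password-protected archive (the usual
    'infected' convention) would need zf.open(info, pwd=...); this example
    assumes an unencrypted archive.
    """
    result = {archive_name: hash_bytes(zip_bytes)}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                result[info.filename] = hash_stream(member)
    return result


def check_against_report(observed, report):
    """Return {name: [problems]} for every report entry that does not match.

    A problem is either 'missing' (file not present in the archive) or the
    name of the algorithm whose digest differs. An empty dict means every
    IOC matched.
    """
    problems = {}
    for name, expected in report.items():
        if name not in observed:
            problems[name] = ["missing"]
            continue
        bad = [algo for algo, digest in expected.items()
               if observed[name].get(algo, "").lower() != digest.lower()]
        if bad:
            problems[name] = bad
    return problems


def build_archive(member_name, payload):
    """Build a small in-memory zip; used for constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python verify_sample.py 1B59.tmp.bin.zip
    path = sys.argv[1]
    with open(path, "rb") as f:
        observed = hash_archive_and_members(f.read(), path.split("/")[-1])
    for name, digests in observed.items():
        print(name, digests["sha256"])
    mismatches = check_against_report(observed, REPORT_IOCS)
    print("all IOCs match" if not mismatches else f"mismatches: {mismatches}")
```

Compare all four digests rather than MD5 alone: MD5 and SHA1 collisions are cheap enough that a repository entry matching only on those is not proof you hold the same file.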

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 2 signatures

  • Discovery

    Query Registry (T1012): 1 signature

    System Information Discovery (T1082): 1 signature

  • Collection

    Data from Local System (T1005): 2 signatures

  The numbers are how many of the signatures above map to each technique. The IDs are ATT&CK v6; in current ATT&CK, T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files), so translate it before matching against a newer detection library.
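The matrix only shows totals. To reproduce how behaviours in the signature list turn into those totals on your own telemetry, the following added example (mine, not the sandbox's rule engine) runs a handful of constructed API-trace events through predicates for the signatures listed above and counts each ATT&CK v6 technique once per distinct signature that fired, which is what yields 2/1/1/2. The signature-to-technique pairing is my reading of the report's counts, not the sandbox's published mapping; the trace events, paths and PID are constructed, not captured from this sample.

```python
import re
from collections import defaultdict

# Constructed API-trace events in the shape of a sandbox call log. These are
# illustrative, not telemetry captured from this sample.
SAMPLE_TRACE = [
    {"api": "RegOpenKeyExW", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"},
    {"api": "RegEnumKeyExW", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Example App"},
    {"api": "CreateFileW", "path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"api": "CreateFileW", "path": "C:\\Users\\victim\\AppData\\Roaming\\Bitcoin\\wallet.dat"},
    {"api": "GetDriveTypeW", "path": "D:\\"},
    {"api": "SetThreadContext", "pid": 4120},
    {"api": "CreateFileW", "path": "C:\\Windows\\System32\\kernel32.dll"},  # benign noise
]

UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)
BROWSER_DATA = re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key[34]\.db)$", re.I)
WALLET_DATA = re.compile(r"\\wallet\.dat$|\\Electrum\\wallets\\|\\Exodus\\", re.I)
DRIVE_APIS = {"GetDriveTypeW", "GetDriveTypeA", "GetLogicalDrives", "GetLogicalDriveStringsW"}
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext"}

# (signature name from the report, ATT&CK v6 IDs from the report's matrix, predicate).
# The pairing is my reading of the matrix counts, not the sandbox's mapping.
# SetThreadContext is in the signature list but absent from the matrix, so it
# maps to no technique here.
SIGNATURES = [
    ("Checks installed software on the system", ("T1012",),
     lambda e: e["api"].startswith("Reg") and bool(UNINSTALL_KEY.search(e.get("key", "")))),
    ("Enumerates physical storage devices", ("T1082",),
     lambda e: e["api"] in DRIVE_APIS),
    ("Reads user/profile data of web browsers", ("T1081", "T1005"),
     lambda e: e["api"] == "CreateFileW" and bool(BROWSER_DATA.search(e.get("path", "")))),
    ("Accesses cryptocurrency files/wallets", ("T1081", "T1005"),
     lambda e: e["api"] == "CreateFileW" and bool(WALLET_DATA.search(e.get("path", "")))),
    ("Suspicious use of SetThreadContext", (),
     lambda e: e["api"] in CONTEXT_APIS),
]

# Tactic and technique names as they appear in the report's ATT&CK v6 matrix.
TECHNIQUES = {
    "T1081": ("Credential Access", "Credentials in Files"),
    "T1012": ("Discovery", "Query Registry"),
    "T1082": ("Discovery", "System Information Discovery"),
    "T1005": ("Collection", "Data from Local System"),
}


def classify(trace):
    """Return (signature -> [event indexes], technique -> signature count).

    A technique is counted once per distinct signature that fired, not once
    per event: two Uninstall-key reads still give Query Registry a count of 1.
    """
    hits = defaultdict(list)
    for idx, event in enumerate(trace):
        for name, _, matches in SIGNATURES:
            if matches(event):
                hits[name].append(idx)
    counts = defaultdict(int)
    for name, techniques, _ in SIGNATURES:
        if name in hits:
            for tid in techniques:
                counts[tid] += 1
    return dict(hits), dict(counts)


def matrix_lines(counts):
    """Render the counts in the report's layout: tactic, technique, ID, count."""
    lines = []
    for tid, (tactic, technique) in TECHNIQUES.items():
        if tid in counts:
            lines.append(f"{tactic}: {technique} ({tid}) {counts[tid]}")
    return lines


if __name__ == "__main__":
    hits, counts = classify(SAMPLE_TRACE)
    for name, idxs in hits.items():
        print(f"{name}: events {idxs}")
    print("\n".join(matrix_lines(counts)))
```

The benign kernel32.dll open in the trace is there deliberately: a signature keyed on `CreateFileW` alone would fire on every process, so each file predicate anchors on the specific artefact path (browser login store, wallet file) rather than on the API call.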

Tasks