diamondfox

General

Target

1B59.tmp.bin.zip
Size

174KB
Sample

210209-x8za62r1f2
MD5

4ce927ec63605909c069b331c2e100f6
SHA1

2256e1a5db34d011f57df2be257c5665dffda453
SHA256

71c7eb818509ce499f6f870cd785d5b215a264e2d28e9606b1ba6b955bd2b9d4
SHA512

199e7937578f05ce939428c678ce46dcb79a1e7cc19f47ae6733bd2408775f2224936f79796bf8113f9b0b553d47c276589c7733b5f2b33f7ef9a49cd8b7c4e3

Score

10^/10

Malware Config

Targets

- Target
  
  1B59.tmp.bin
- Size
  
  376KB
- MD5
  
  160844e5811ca8258e61cf44bf8587e5
- SHA1
  
  215bfc756f944e36c53e73e4be99c68b8d36df04
- SHA256
  
  f0498105de4bca70065bac976d8da9cb153a174dedbf0e3d932abae2eb94f152
- SHA512
  
  e92082ad2a68292622c2cff0ea7d77e034c1c4118947dcf6c3cf390aa21f03c0cd72602a41f896534af5cfec3087d6e0e7a1a9b6ce3f88a9d468ec910a0048a8
Score

10^/10

diamondfox botnet discovery ransomware spyware stealer
- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
  botnet stealer diamondfox
- DiamondFox payload
  Detects DiamondFox payload in file/memory.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

DiamondFox payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2