diamondfox | 1271947b681dcb5d62fde5ee9f6bc7f7928679ae62c616932b59c9e8b73c8217 | Triage

Analysis

max time kernel
128s
max time network
144s
platform
windows10_x64
resource
win10v20201028
submitted
04-03-2021 15:00

Sharing

Report Analysis Logs

General

Target

1271947b681dcb5d62fde5ee9f6bc7f7928679ae62c616932b59c9e8b73c8217.bin.exe
Size

184KB
MD5

f6c8046085b788ade44d121bf942929a
SHA1

0c1be990a397ea94c87849d41c690e19ba563071
SHA256

1271947b681dcb5d62fde5ee9f6bc7f7928679ae62c616932b59c9e8b73c8217
SHA512

2ed67079324c14b836d9ccbd741d70c9ae67ca65ff889cc73080ce7b362436f242d087a81341645c7eed74f0dc7d4983e3db685bca77b90d207fabb32ccf7c70

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/files/0x000300000001ab59-3.dat	diamondfox
behavioral2/files/0x000300000001ab59-4.dat	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
2832	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2832	4680	1271947b681dcb5d62fde5ee9f6bc7f7928679ae62c616932b59c9e8b73c8217.bin.exe	77
PID 4680 wrote to memory of 2832	4680	1271947b681dcb5d62fde5ee9f6bc7f7928679ae62c616932b59c9e8b73c8217.bin.exe	77
PID 4680 wrote to memory of 2832	4680	1271947b681dcb5d62fde5ee9f6bc7f7928679ae62c616932b59c9e8b73c8217.bin.exe	77

C:\Users\Admin\AppData\Local\Temp\1271947b681dcb5d62fde5ee9f6bc7f7928679ae62c616932b59c9e8b73c8217.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1271947b681dcb5d62fde5ee9f6bc7f7928679ae62c616932b59c9e8b73c8217.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads