diamondfox | e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254

General

Target

foo.exe
Size

212KB
MD5

433d77782664455b950e1508c0787f1a
SHA1

181103f2b8dd9a8bf954f22670f08c7193cb8e8f
SHA256

e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
SHA512

5c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe	diamondfox

Executes dropped EXE 1 IoCs

Processes:

MicrosoftEdgeCPS.exe

pid process

1308 MicrosoftEdgeCPS.exe
Loads dropped DLL 2 IoCs

Processes:

foo.exe

pid process

1104 foo.exe
1104 foo.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1624 powershell.exe
1624 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1624 powershell.exe

pid	process
1308	MicrosoftEdgeCPS.exe

pid	process
1104	foo.exe
1104	foo.exe

pid	process
1624	powershell.exe
1624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1624	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

foo.exeMicrosoftEdgeCPS.exe

description	pid	process	target process
PID 1104 wrote to memory of 1308	1104	foo.exe	MicrosoftEdgeCPS.exe
PID 1104 wrote to memory of 1308	1104	foo.exe	MicrosoftEdgeCPS.exe
PID 1104 wrote to memory of 1308	1104	foo.exe	MicrosoftEdgeCPS.exe
PID 1104 wrote to memory of 1308	1104	foo.exe	MicrosoftEdgeCPS.exe
PID 1308 wrote to memory of 1624	1308	MicrosoftEdgeCPS.exe	powershell.exe
PID 1308 wrote to memory of 1624	1308	MicrosoftEdgeCPS.exe	powershell.exe
PID 1308 wrote to memory of 1624	1308	MicrosoftEdgeCPS.exe	powershell.exe
PID 1308 wrote to memory of 1624	1308	MicrosoftEdgeCPS.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\foo.exe
"C:\Users\Admin\AppData\Local\Temp\foo.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
433d77782664455b950e1508c0787f1a

SHA1
181103f2b8dd9a8bf954f22670f08c7193cb8e8f

SHA256
e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254

SHA512
5c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
433d77782664455b950e1508c0787f1a

SHA1
181103f2b8dd9a8bf954f22670f08c7193cb8e8f

SHA256
e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254

SHA512
5c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
433d77782664455b950e1508c0787f1a

SHA1
181103f2b8dd9a8bf954f22670f08c7193cb8e8f

SHA256
e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254

SHA512
5c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390

Download Submit
memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1308-63-0x0000000000000000-mapping.dmp

Download
memory/1624-72-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1624-76-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1624-69-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1624-70-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1624-71-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/1624-66-0x0000000000000000-mapping.dmp

Download
memory/1624-73-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1624-68-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/1624-81-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/1624-82-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/1624-89-0x0000000006170000-0x0000000006171000-memory.dmp

Filesize
4KB

Download
memory/1624-90-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/1624-104-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1624-105-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1624-106-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads