diamondfox | e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254

General

Target

foo.exe
Size

212KB
MD5

433d77782664455b950e1508c0787f1a
SHA1

181103f2b8dd9a8bf954f22670f08c7193cb8e8f
SHA256

e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
SHA512

5c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/files/0x000300000001ab4f-115.dat	diamondfox
behavioral2/files/0x000300000001ab4f-116.dat	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
496	MicrosoftEdgeCPS.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
512	powershell.exe
512	powershell.exe
512	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	512	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 496	740	foo.exe	77
PID 740 wrote to memory of 496	740	foo.exe	77
PID 740 wrote to memory of 496	740	foo.exe	77
PID 496 wrote to memory of 512	496	MicrosoftEdgeCPS.exe	78
PID 496 wrote to memory of 512	496	MicrosoftEdgeCPS.exe	78
PID 496 wrote to memory of 512	496	MicrosoftEdgeCPS.exe	78

C:\Users\Admin\AppData\Local\Temp\foo.exe
"C:\Users\Admin\AppData\Local\Temp\foo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/512-126-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

Filesize
4KB

Download
memory/512-128-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/512-121-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/512-122-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/512-123-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/512-124-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/512-125-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/512-127-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/512-120-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/512-129-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/512-130-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/512-138-0x0000000009390000-0x00000000093C3000-memory.dmp

Filesize
204KB

Download
memory/512-145-0x0000000009370000-0x0000000009371000-memory.dmp

Filesize
4KB

Download
memory/512-146-0x000000007F270000-0x000000007F271000-memory.dmp

Filesize
4KB

Download
memory/512-151-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/512-152-0x00000000096B0000-0x00000000096B1000-memory.dmp

Filesize
4KB

Download
memory/512-185-0x0000000004823000-0x0000000004824000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing