diamondfox | 0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95

General

Target

0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe
Size

2.5MB
MD5

045d0eb447c5699ac0cbf14c7c71fd65
SHA1

b439144c304664b71944c2c42319f8f7c29d0fa5
SHA256

0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95
SHA512

88cabe12d935bc54c08a497a12cc383f557200d54b162227dde2f6d11101159dc645d2ce81418b24656be187684ba428458c17bacbaa2630f7464b5a15821652

Score

10^/10

diamondfox botnet stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox stealer 2 IoCs

resource	yara_rule
behavioral2/files/0x000600000001ed0d-131.dat	diamondfox_stealer
behavioral2/files/0x000600000001ed0d-130.dat	diamondfox_stealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/files/0x000400000001ed17-132.dat	MailPassView
behavioral2/files/0x000400000001ed17-133.dat	MailPassView
behavioral2/memory/832-136-0x0000000000620000-0x0000000000878000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x000400000001ed17-132.dat	WebBrowserPassView
behavioral2/files/0x000400000001ed17-133.dat	WebBrowserPassView
behavioral2/memory/832-136-0x0000000000620000-0x0000000000878000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001ed17-132.dat	Nirsoft
behavioral2/files/0x000400000001ed17-133.dat	Nirsoft
behavioral2/memory/832-136-0x0000000000620000-0x0000000000878000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
360	LOADER.EXE
832	PREDATOR_V13_-_CRACKED.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
360	LOADER.EXE
360	LOADER.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
360	LOADER.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 360	648	0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe	65
PID 648 wrote to memory of 360	648	0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe	65
PID 648 wrote to memory of 360	648	0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe	65
PID 648 wrote to memory of 832	648	0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe	67
PID 648 wrote to memory of 832	648	0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe	67

C:\Users\Admin\AppData\Local\Temp\0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe
"C:\Users\Admin\AppData\Local\Temp\0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
  "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:360
- C:\Users\Admin\AppData\Local\Temp\PREDATOR_V13_-_CRACKED.EXE
  "C:\Users\Admin\AppData\Local\Temp\PREDATOR_V13_-_CRACKED.EXE"
  2⤵
  - Executes dropped EXE
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-135-0x00007FFDB5773000-0x00007FFDB5775000-memory.dmp

Filesize
8KB

Download
memory/832-136-0x0000000000620000-0x0000000000878000-memory.dmp

Filesize
2.3MB

Download
memory/832-138-0x000000001B510000-0x000000001B512000-memory.dmp

Filesize
8KB

Download
memory/832-139-0x000000001B512000-0x000000001B514000-memory.dmp

Filesize
8KB

Download
memory/832-140-0x000000001B514000-0x000000001B515000-memory.dmp

Filesize
4KB

Download
memory/832-141-0x000000001B515000-0x000000001B517000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing