diamondfox | 02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b

General

Target

02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe
Size

3.3MB
MD5

77ab7e4dc7dcc201aabca121245d37de
SHA1

05276c0f69e0cb1b0acfd125604eaa703d442f30
SHA256

02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b
SHA512

307e460a5fb0c06b44beea2e826d89434a71daba30210efd558d1b0a6b2b8fb75171d1d064c2703e1297c032fb8eb84a3c77c08747b2b5483017d648331d4b0b

Score

10^/10

diamondfox botnet persistence stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox stealer 4 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000500000000072b-131.dat	diamondfox_stealer
behavioral2/files/0x000500000000072b-132.dat	diamondfox_stealer
behavioral2/files/0x000400000001e72e-133.dat	diamondfox_stealer
behavioral2/files/0x000400000001e72e-134.dat	diamondfox_stealer

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/files/0x000500000000072b-131.dat	MailPassView
behavioral2/files/0x000500000000072b-132.dat	MailPassView
behavioral2/files/0x000500000001e72d-135.dat	MailPassView
behavioral2/files/0x000500000001e72d-136.dat	MailPassView
behavioral2/memory/4948-140-0x00000000005D0000-0x0000000000828000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/files/0x000500000000072b-131.dat	WebBrowserPassView
behavioral2/files/0x000500000000072b-132.dat	WebBrowserPassView
behavioral2/files/0x000500000001e72d-135.dat	WebBrowserPassView
behavioral2/files/0x000500000001e72d-136.dat	WebBrowserPassView
behavioral2/memory/4948-140-0x00000000005D0000-0x0000000000828000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000500000000072b-131.dat	Nirsoft
behavioral2/files/0x000500000000072b-132.dat	Nirsoft
behavioral2/files/0x000500000001e72d-135.dat	Nirsoft
behavioral2/files/0x000500000001e72d-136.dat	Nirsoft
behavioral2/memory/4948-140-0x00000000005D0000-0x0000000000828000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exeLOADER.EXEPREDATOR_V13_-_CRACKED.EXESynaptics.exe

pid	Process
2360	._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe
388	LOADER.EXE
4948	PREDATOR_V13_-_CRACKED.EXE
876	Synaptics.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

LOADER.EXE

pid	Process
388	LOADER.EXE
388	LOADER.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LOADER.EXE

pid	Process
388	LOADER.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

description	pid	Process	procid_target
PID 4392 wrote to memory of 2360	4392	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	83
PID 4392 wrote to memory of 2360	4392	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	83
PID 4392 wrote to memory of 2360	4392	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	83
PID 2360 wrote to memory of 388	2360	._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	85
PID 2360 wrote to memory of 388	2360	._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	85
PID 2360 wrote to memory of 388	2360	._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	85
PID 2360 wrote to memory of 4948	2360	._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	86
PID 2360 wrote to memory of 4948	2360	._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	86
PID 4392 wrote to memory of 876	4392	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	87
PID 4392 wrote to memory of 876	4392	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	87
PID 4392 wrote to memory of 876	4392	02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe	87

C:\Users\Admin\AppData\Local\Temp\02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe
"C:\Users\Admin\AppData\Local\Temp\02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
    "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\PREDATOR_V13_-_CRACKED.EXE
    "C:\Users\Admin\AppData\Local\Temp\PREDATOR_V13_-_CRACKED.EXE"
    3⤵
    - Executes dropped EXE
    PID:4948
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

MD5
a6e29babac0921af730b922c31b4fc11

SHA1
05afe6dda4c7c0990c2661ae326db517b01a39a7

SHA256
eafaa54399a4bcea7aef9ad793e1f916b312bd573289b66a735c034be677f37f

SHA512
fb6ec87efa9ebeb6200fe0b87c8b93ab0256edf656e6719b533915aad49e1886d4c3d43bd1f4837ab02f0f4f321962a548c2727d850f44a1c01a509ef11254dd

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

MD5
a6e29babac0921af730b922c31b4fc11

SHA1
05afe6dda4c7c0990c2661ae326db517b01a39a7

SHA256
eafaa54399a4bcea7aef9ad793e1f916b312bd573289b66a735c034be677f37f

SHA512
fb6ec87efa9ebeb6200fe0b87c8b93ab0256edf656e6719b533915aad49e1886d4c3d43bd1f4837ab02f0f4f321962a548c2727d850f44a1c01a509ef11254dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

MD5
045d0eb447c5699ac0cbf14c7c71fd65

SHA1
b439144c304664b71944c2c42319f8f7c29d0fa5

SHA256
0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95

SHA512
88cabe12d935bc54c08a497a12cc383f557200d54b162227dde2f6d11101159dc645d2ce81418b24656be187684ba428458c17bacbaa2630f7464b5a15821652

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_02b4623f56f979b9082818d613cac29a56aba763288eacaee74e063469aca61b.exe

MD5
045d0eb447c5699ac0cbf14c7c71fd65

SHA1
b439144c304664b71944c2c42319f8f7c29d0fa5

SHA256
0ccb874e6f1679d4cb9a285698490423495e53e1034407fe2f038603e3a38b95

SHA512
88cabe12d935bc54c08a497a12cc383f557200d54b162227dde2f6d11101159dc645d2ce81418b24656be187684ba428458c17bacbaa2630f7464b5a15821652

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADER.EXE

MD5
2487bf51db360a851d5abb8bbfc526f0

SHA1
7767d4133ab6d641357e51a607177383fffbb5ba

SHA256
4b09681c66f0c5c1b3a3bafaaa55e20287d144043b16a5de07e0246538f119e7

SHA512
dffd79f811387328c9a6e76b29c5d4a178f77fb3e513a32db35b6ee29e2b2c6b24d8cc2192fe90a6cba6d7994f653728de07d68f54d05eecca56554fbfe877f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADER.EXE

MD5
2487bf51db360a851d5abb8bbfc526f0

SHA1
7767d4133ab6d641357e51a607177383fffbb5ba

SHA256
4b09681c66f0c5c1b3a3bafaaa55e20287d144043b16a5de07e0246538f119e7

SHA512
dffd79f811387328c9a6e76b29c5d4a178f77fb3e513a32db35b6ee29e2b2c6b24d8cc2192fe90a6cba6d7994f653728de07d68f54d05eecca56554fbfe877f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PREDATOR_V13_-_CRACKED.EXE

MD5
e02abacb924b4ce0595218e7a0fad489

SHA1
a50b5f9909c2dd09dcad17c93d733574468c2aad

SHA256
6be8beb86169c5766e63913263f743ccb9ecc3b970b2031ae06bdcfe0e726457

SHA512
1506413a4cc2c56ec0b1b26a769442b20b8a2a44fc84bd911c24c186283e3bccd8a6e8bcf965041cc79a3310b5974bea8d8784ab05fe9cfa7e83d4564c4a6872

Download Submit
C:\Users\Admin\AppData\Local\Temp\PREDATOR_V13_-_CRACKED.EXE

MD5
e02abacb924b4ce0595218e7a0fad489

SHA1
a50b5f9909c2dd09dcad17c93d733574468c2aad

SHA256
6be8beb86169c5766e63913263f743ccb9ecc3b970b2031ae06bdcfe0e726457

SHA512
1506413a4cc2c56ec0b1b26a769442b20b8a2a44fc84bd911c24c186283e3bccd8a6e8bcf965041cc79a3310b5974bea8d8784ab05fe9cfa7e83d4564c4a6872

Download Submit
memory/876-143-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4392-130-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4948-140-0x00000000005D0000-0x0000000000828000-memory.dmp

Filesize
2.3MB

Download
memory/4948-144-0x0000000000E60000-0x0000000000E62000-memory.dmp

Filesize
8KB

Download
memory/4948-142-0x00007FF803C53000-0x00007FF803C55000-memory.dmp

Filesize
8KB

Download
memory/4948-145-0x0000000000E62000-0x0000000000E64000-memory.dmp

Filesize
8KB

Download
memory/4948-146-0x0000000000E65000-0x0000000000E67000-memory.dmp

Filesize
8KB

Download
memory/4948-147-0x0000000000E64000-0x0000000000E65000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads