diamondfox | 0355b561e5952f8392e7b2bedcf5b18a169f95aeb7ea44d75ba1082664a63173

General

Target

new.exe
Size

204KB
MD5

c967f5dec6b865b96fc2d2bd1e6b4198
SHA1

43b08a681af8f9b4d3a55993151a1a92d47826c1
SHA256

0355b561e5952f8392e7b2bedcf5b18a169f95aeb7ea44d75ba1082664a63173
SHA512

7c15efc4919cfe6b53dbc2b486970d834d6acd293a02c1572e79294e6b06f893f152caaf485bbc56029570f1af1bd04686b1216411c0002c4ecac2d0ab2753f0

Score

10^/10

diamondfox botnet infostealer stealer suricata

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata

DiamondFox payload 4 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral1/memory/3516-130-0x0000000000400000-0x0000000000437000-memory.dmp	diamondfox
behavioral1/files/0x000300000000072b-132.dat	diamondfox
behavioral1/files/0x000300000000072b-133.dat	diamondfox
behavioral1/memory/4732-135-0x0000000000400000-0x0000000000437000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
4732	MicrosoftEdgeCPS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4744	powershell.exe
4744	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4732	3516	new.exe	80
PID 3516 wrote to memory of 4732	3516	new.exe	80
PID 3516 wrote to memory of 4732	3516	new.exe	80
PID 4732 wrote to memory of 4744	4732	MicrosoftEdgeCPS.exe	81
PID 4732 wrote to memory of 4744	4732	MicrosoftEdgeCPS.exe	81
PID 4732 wrote to memory of 4744	4732	MicrosoftEdgeCPS.exe	81

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
204KB

MD5
c967f5dec6b865b96fc2d2bd1e6b4198

SHA1
43b08a681af8f9b4d3a55993151a1a92d47826c1

SHA256
0355b561e5952f8392e7b2bedcf5b18a169f95aeb7ea44d75ba1082664a63173

SHA512
7c15efc4919cfe6b53dbc2b486970d834d6acd293a02c1572e79294e6b06f893f152caaf485bbc56029570f1af1bd04686b1216411c0002c4ecac2d0ab2753f0

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
204KB

MD5
c967f5dec6b865b96fc2d2bd1e6b4198

SHA1
43b08a681af8f9b4d3a55993151a1a92d47826c1

SHA256
0355b561e5952f8392e7b2bedcf5b18a169f95aeb7ea44d75ba1082664a63173

SHA512
7c15efc4919cfe6b53dbc2b486970d834d6acd293a02c1572e79294e6b06f893f152caaf485bbc56029570f1af1bd04686b1216411c0002c4ecac2d0ab2753f0

Download Submit
memory/3516-130-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4732-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4744-140-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/4744-144-0x000000006FC40000-0x000000006FC8C000-memory.dmp

Filesize
304KB

Download
memory/4744-137-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/4744-138-0x00000000050C0000-0x00000000050E2000-memory.dmp

Filesize
136KB

Download
memory/4744-139-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/4744-141-0x0000000006070000-0x000000000608E000-memory.dmp

Filesize
120KB

Download
memory/4744-142-0x0000000004F85000-0x0000000004F87000-memory.dmp

Filesize
8KB

Download
memory/4744-143-0x0000000006630000-0x0000000006662000-memory.dmp

Filesize
200KB

Download
memory/4744-136-0x0000000002770000-0x00000000027A6000-memory.dmp

Filesize
216KB

Download
memory/4744-145-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/4744-146-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/4744-147-0x0000000007390000-0x00000000073AA000-memory.dmp

Filesize
104KB

Download
memory/4744-148-0x0000000007320000-0x000000000732A000-memory.dmp

Filesize
40KB

Download
memory/4744-149-0x0000000007610000-0x00000000076A6000-memory.dmp

Filesize
600KB

Download
memory/4744-150-0x0000000007550000-0x000000000755E000-memory.dmp

Filesize
56KB

Download
memory/4744-151-0x00000000076D0000-0x00000000076EA000-memory.dmp

Filesize
104KB

Download
memory/4744-152-0x0000000007600000-0x0000000007608000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing