diamondfox | ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86

General

Target

new.exe
Size

204KB
MD5

8a40b88f514ef21f74052d22e2d98750
SHA1

524e636f22bb8a5c2f7947727d5f91dd3dd05972
SHA256

ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86
SHA512

cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215

Score

10^/10

diamondfox botnet infostealer stealer suricata

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata

DiamondFox payload 4 IoCs

Detects DiamondFox payload in file/memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1964-134-0x0000000000400000-0x0000000000437000-memory.dmp	diamondfox
behavioral1/files/0x000300000002060e-136.dat	diamondfox
behavioral1/files/0x000300000002060e-137.dat	diamondfox
behavioral1/memory/1228-138-0x0000000000400000-0x0000000000437000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

Processes:

MicrosoftEdgeCPS.exe

pid	Process
1228	MicrosoftEdgeCPS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
1768	powershell.exe
1768	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	1768	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

new.exeMicrosoftEdgeCPS.exe

description	pid	Process	procid_target
PID 1964 wrote to memory of 1228	1964	new.exe	85
PID 1964 wrote to memory of 1228	1964	new.exe	85
PID 1964 wrote to memory of 1228	1964	new.exe	85
PID 1228 wrote to memory of 1768	1228	MicrosoftEdgeCPS.exe	86
PID 1228 wrote to memory of 1768	1228	MicrosoftEdgeCPS.exe	86
PID 1228 wrote to memory of 1768	1228	MicrosoftEdgeCPS.exe	86

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
204KB

MD5
8a40b88f514ef21f74052d22e2d98750

SHA1
524e636f22bb8a5c2f7947727d5f91dd3dd05972

SHA256
ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86

SHA512
cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
204KB

MD5
8a40b88f514ef21f74052d22e2d98750

SHA1
524e636f22bb8a5c2f7947727d5f91dd3dd05972

SHA256
ee43e21fbfb66eba6ef729b0f660f8b9110c8b2d22fa8c34de4a57cb38d70f86

SHA512
cfb5416c676a84fdc291a548222650701d62832100cd5d08fb480b585ea1e76a4b2dc4b181e3ae2916a2b91a6ab09bc6178aec4d2c023396fb596d17b80cc215

Download Submit
memory/1228-138-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1228-135-0x0000000000000000-mapping.dmp

Download
memory/1768-144-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/1768-147-0x0000000006200000-0x0000000006232000-memory.dmp

Filesize
200KB

Download
memory/1768-140-0x0000000000EA0000-0x0000000000ED6000-memory.dmp

Filesize
216KB

Download
memory/1768-141-0x0000000004D80000-0x00000000053A8000-memory.dmp

Filesize
6.2MB

Download
memory/1768-142-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/1768-143-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/1768-156-0x00000000072F0000-0x00000000072F8000-memory.dmp

Filesize
32KB

Download
memory/1768-145-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/1768-146-0x0000000000F25000-0x0000000000F27000-memory.dmp

Filesize
8KB

Download
memory/1768-139-0x0000000000000000-mapping.dmp

Download
memory/1768-148-0x000000006F8E0000-0x000000006F92C000-memory.dmp

Filesize
304KB

Download
memory/1768-149-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/1768-150-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/1768-151-0x0000000006F70000-0x0000000006F8A000-memory.dmp

Filesize
104KB

Download
memory/1768-152-0x0000000006FC0000-0x0000000006FCA000-memory.dmp

Filesize
40KB

Download
memory/1768-153-0x00000000071D0000-0x0000000007266000-memory.dmp

Filesize
600KB

Download
memory/1768-154-0x00000000071C0000-0x00000000071CE000-memory.dmp

Filesize
56KB

Download
memory/1768-155-0x0000000007310000-0x000000000732A000-memory.dmp

Filesize
104KB

Download
memory/1964-134-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads