diamondfox | e833b7c2b0a0e1b3d9914a3e80e7738eab7453685d864e7a9668387dd0a247d0

General

Target

ISF-10+2 ?? WTXLAX200007.scr
Size

811KB
MD5

ab74af82928f328979d85af5db7debab
SHA1

07476d19fa25fafdec37767eb06ca91a4caf2ee9
SHA256

8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007
SHA512

87d6658f8a402f65897a1b83289b7bbbdc7be14f7632262175c06b34f7b6337048618c59b12de7a7c422b62ff7816bdc7f14371050bb44dc5430dd3e2fbff156

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral2/memory/1728-142-0x0000000000400000-0x000000000041A000-memory.dmp	diamondfox
behavioral2/memory/1728-144-0x0000000000400000-0x000000000041A000-memory.dmp	diamondfox
behavioral2/memory/1728-147-0x0000000000400000-0x000000000041A000-memory.dmp	diamondfox

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 1728	1676	ISF-10+2 __ WTXLAX200007.scr	91

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1676	ISF-10+2 __ WTXLAX200007.scr
1676	ISF-10+2 __ WTXLAX200007.scr
3280	powershell.exe
3280	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	ISF-10+2 __ WTXLAX200007.scr
Token: SeDebugPrivilege	3280	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	ISF-10+2 __ WTXLAX200007.scr

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1320	1676	ISF-10+2 __ WTXLAX200007.scr	90
PID 1676 wrote to memory of 1320	1676	ISF-10+2 __ WTXLAX200007.scr	90
PID 1676 wrote to memory of 1320	1676	ISF-10+2 __ WTXLAX200007.scr	90
PID 1676 wrote to memory of 1728	1676	ISF-10+2 __ WTXLAX200007.scr	91
PID 1676 wrote to memory of 1728	1676	ISF-10+2 __ WTXLAX200007.scr	91
PID 1676 wrote to memory of 1728	1676	ISF-10+2 __ WTXLAX200007.scr	91
PID 1676 wrote to memory of 1728	1676	ISF-10+2 __ WTXLAX200007.scr	91
PID 1676 wrote to memory of 1728	1676	ISF-10+2 __ WTXLAX200007.scr	91
PID 1676 wrote to memory of 1728	1676	ISF-10+2 __ WTXLAX200007.scr	91
PID 1676 wrote to memory of 1728	1676	ISF-10+2 __ WTXLAX200007.scr	91
PID 1728 wrote to memory of 3280	1728	ISF-10+2 __ WTXLAX200007.scr	92
PID 1728 wrote to memory of 3280	1728	ISF-10+2 __ WTXLAX200007.scr	92
PID 1728 wrote to memory of 3280	1728	ISF-10+2 __ WTXLAX200007.scr	92

C:\Users\Admin\AppData\Local\Temp\ISF-10+2 __ WTXLAX200007.scr
"C:\Users\Admin\AppData\Local\Temp\ISF-10+2 __ WTXLAX200007.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\ISF-10+2 __ WTXLAX200007.scr
  "C:\Users\Admin\AppData\Local\Temp\ISF-10+2 __ WTXLAX200007.scr"
  2⤵
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\ISF-10+2 __ WTXLAX200007.scr
  "C:\Users\Admin\AppData\Local\Temp\ISF-10+2 __ WTXLAX200007.scr"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\ISF-10+2 __ WTXLAX200007.scr' -Destination 'C:\Users\Admin\AppData\Local\hostocn\conhost.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\hostocn\conhost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-134-0x00000000004E0000-0x00000000005B2000-memory.dmp

Filesize
840KB

Download
memory/1676-135-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/1676-136-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/1676-137-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/1676-138-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/1676-139-0x0000000005240000-0x0000000005296000-memory.dmp

Filesize
344KB

Download
memory/1728-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1728-142-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1728-144-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3280-151-0x0000000005960000-0x0000000005982000-memory.dmp

Filesize
136KB

Download
memory/3280-149-0x0000000003000000-0x0000000003036000-memory.dmp

Filesize
216KB

Download
memory/3280-150-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/3280-152-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/3280-153-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/3280-154-0x00000000056A0000-0x00000000056BE000-memory.dmp

Filesize
120KB

Download
memory/3280-155-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3280-156-0x0000000006E80000-0x0000000006F16000-memory.dmp

Filesize
600KB

Download
memory/3280-157-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/3280-158-0x0000000006E50000-0x0000000006E72000-memory.dmp

Filesize
136KB

Download
memory/3280-159-0x0000000008B00000-0x000000000917A000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing