diamondfox | 0526eaaa777c6f4f30769b2c74105f32b3b70a26b960c2074168f7a7404ede51

General

Target

new.exe
Size

590KB
MD5

d0adc891c2d75a5750a0762418fa0f23
SHA1

bfbbc833f3f85d693139b43002181fab5ff8da1d
SHA256

0526eaaa777c6f4f30769b2c74105f32b3b70a26b960c2074168f7a7404ede51
SHA512

4ee8af5e556ef6ccefdfecbe43c89c66c9244ea7db1e35b987d35e15090a1e7b8135590544d27dbc37f164bfbb5e7e82aa0463f16618b80fe993cb6b7bff245f

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral1/files/0x0006000000023157-133.dat	diamondfox
behavioral1/files/0x0006000000023157-132.dat	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
4804	MicrosoftEdgeCPS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4920	powershell.exe
4920	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4804	4264	new.exe	82
PID 4264 wrote to memory of 4804	4264	new.exe	82
PID 4264 wrote to memory of 4804	4264	new.exe	82
PID 4804 wrote to memory of 4920	4804	MicrosoftEdgeCPS.exe	83
PID 4804 wrote to memory of 4920	4804	MicrosoftEdgeCPS.exe	83
PID 4804 wrote to memory of 4920	4804	MicrosoftEdgeCPS.exe	83

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
590KB

MD5
d0adc891c2d75a5750a0762418fa0f23

SHA1
bfbbc833f3f85d693139b43002181fab5ff8da1d

SHA256
0526eaaa777c6f4f30769b2c74105f32b3b70a26b960c2074168f7a7404ede51

SHA512
4ee8af5e556ef6ccefdfecbe43c89c66c9244ea7db1e35b987d35e15090a1e7b8135590544d27dbc37f164bfbb5e7e82aa0463f16618b80fe993cb6b7bff245f

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
590KB

MD5
d0adc891c2d75a5750a0762418fa0f23

SHA1
bfbbc833f3f85d693139b43002181fab5ff8da1d

SHA256
0526eaaa777c6f4f30769b2c74105f32b3b70a26b960c2074168f7a7404ede51

SHA512
4ee8af5e556ef6ccefdfecbe43c89c66c9244ea7db1e35b987d35e15090a1e7b8135590544d27dbc37f164bfbb5e7e82aa0463f16618b80fe993cb6b7bff245f

Download Submit
memory/4920-142-0x00000000741A0000-0x00000000741EC000-memory.dmp

Filesize
304KB

Download
memory/4920-143-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/4920-136-0x0000000004F10000-0x0000000005538000-memory.dmp

Filesize
6.2MB

Download
memory/4920-137-0x0000000004E70000-0x0000000004E92000-memory.dmp

Filesize
136KB

Download
memory/4920-138-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4920-139-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/4920-140-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/4920-141-0x0000000006EE0000-0x0000000006F12000-memory.dmp

Filesize
200KB

Download
memory/4920-135-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/4920-144-0x0000000007660000-0x0000000007CDA000-memory.dmp

Filesize
6.5MB

Download
memory/4920-145-0x0000000006000000-0x000000000601A000-memory.dmp

Filesize
104KB

Download
memory/4920-146-0x00000000070A0000-0x00000000070AA000-memory.dmp

Filesize
40KB

Download
memory/4920-147-0x00000000072B0000-0x0000000007346000-memory.dmp

Filesize
600KB

Download
memory/4920-148-0x0000000007020000-0x000000000702E000-memory.dmp

Filesize
56KB

Download
memory/4920-149-0x0000000004EA0000-0x0000000004EBA000-memory.dmp

Filesize
104KB

Download
memory/4920-150-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing