diamondfox | 0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8

General

Target

0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe
Size

231KB
MD5

c8830b9e611ef52f5d4dcddee87c2ba1
SHA1

fc7f516a1cc9916405e1f15f0be2432b356efe86
SHA256

0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8
SHA512

dca8de414cf9d841283184931d9977a299ad7ac47019330a464c10a69e2e9c98131c2e7cfdb658494c1f32975efde3f58128f2fcaad1046c8f495b6af8d845a9

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral2/memory/4224-133-0x0000000000B30000-0x0000000000B48000-memory.dmp	diamondfox
behavioral2/memory/4224-134-0x0000000000400000-0x000000000098D000-memory.dmp	diamondfox
behavioral2/memory/4524-153-0x0000000000400000-0x000000000098D000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
4524	audiodg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	4224	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4136	powershell.exe
4136	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4224	0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe
4524	audiodg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4136	4224	0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe	77
PID 4224 wrote to memory of 4136	4224	0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe	77
PID 4224 wrote to memory of 4136	4224	0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe	77
PID 4136 wrote to memory of 4524	4136	powershell.exe	83
PID 4136 wrote to memory of 4524	4136	powershell.exe	83
PID 4136 wrote to memory of 4524	4136	powershell.exe	83

C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe
"C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8.exe' -Destination 'C:\Users\Admin\AppData\Local\gduaido\audiodg.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\gduaido\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Users\Admin\AppData\Local\gduaido\audiodg.exe
    "C:\Users\Admin\AppData\Local\gduaido\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 496
  2⤵
  - Program crash
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4224 -ip 4224
1⤵
PID:3560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gduaido\audiodg.exe

Filesize
231KB

MD5
c8830b9e611ef52f5d4dcddee87c2ba1

SHA1
fc7f516a1cc9916405e1f15f0be2432b356efe86

SHA256
0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8

SHA512
dca8de414cf9d841283184931d9977a299ad7ac47019330a464c10a69e2e9c98131c2e7cfdb658494c1f32975efde3f58128f2fcaad1046c8f495b6af8d845a9

Download Submit
C:\Users\Admin\AppData\Local\gduaido\audiodg.exe

Filesize
231KB

MD5
c8830b9e611ef52f5d4dcddee87c2ba1

SHA1
fc7f516a1cc9916405e1f15f0be2432b356efe86

SHA256
0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8

SHA512
dca8de414cf9d841283184931d9977a299ad7ac47019330a464c10a69e2e9c98131c2e7cfdb658494c1f32975efde3f58128f2fcaad1046c8f495b6af8d845a9

Download Submit
memory/4136-137-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/4136-142-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/4136-136-0x0000000003080000-0x00000000030B6000-memory.dmp

Filesize
216KB

Download
memory/4136-146-0x0000000008BF0000-0x000000000926A000-memory.dmp

Filesize
6.5MB

Download
memory/4136-138-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/4136-139-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/4136-140-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/4136-141-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/4136-143-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/4136-144-0x0000000006EC0000-0x0000000006EE2000-memory.dmp

Filesize
136KB

Download
memory/4136-145-0x0000000007FC0000-0x0000000008564000-memory.dmp

Filesize
5.6MB

Download
memory/4224-132-0x0000000000B69000-0x0000000000B75000-memory.dmp

Filesize
48KB

Download
memory/4224-134-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/4224-133-0x0000000000B30000-0x0000000000B48000-memory.dmp

Filesize
96KB

Download
memory/4524-152-0x0000000000B49000-0x0000000000B55000-memory.dmp

Filesize
48KB

Download
memory/4524-153-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing