diamondfox | 83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59

General

Target

83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exe
Size

185KB
MD5

98fb3b4baacd9008282ba0e6028ce604
SHA1

beac13ccac2ac620c31dcc5b2882b28df4f444f9
SHA256

83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59
SHA512

c363f38222cc29a75ead651768822c9edf18ae654fbbe3422fbf6a89a237ffc85311f19653b181f2329cbd4ed73be9a7c2a087ce329923a0fb92a359ab192d86

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4740-133-0x00000000001C0000-0x00000000001D8000-memory.dmp	diamondfox
behavioral2/memory/4740-134-0x0000000000400000-0x0000000002DE4000-memory.dmp	diamondfox
behavioral2/memory/5052-153-0x0000000000400000-0x0000000002DE4000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

Processes:

SearchIndexer.exe

pid	Process
5052	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
4648	powershell.exe
4648	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	4648	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exeSearchIndexer.exe

pid	Process
4740	83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exe
5052	SearchIndexer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exepowershell.exe

description	pid	Process	procid_target
PID 4740 wrote to memory of 4648	4740	83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exe	80
PID 4740 wrote to memory of 4648	4740	83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exe	80
PID 4740 wrote to memory of 4648	4740	83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exe	80
PID 4648 wrote to memory of 5052	4648	powershell.exe	88
PID 4648 wrote to memory of 5052	4648	powershell.exe	88
PID 4648 wrote to memory of 5052	4648	powershell.exe	88

C:\Users\Admin\AppData\Local\Temp\83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exe
"C:\Users\Admin\AppData\Local\Temp\83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59.exe' -Destination 'C:\Users\Admin\AppData\Local\rexednIhcraeS\SearchIndexer.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\rexednIhcraeS\SearchIndexer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\rexednIhcraeS\SearchIndexer.exe
    "C:\Users\Admin\AppData\Local\rexednIhcraeS\SearchIndexer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\rexednIhcraeS\SearchIndexer.exe

Filesize
185KB

MD5
98fb3b4baacd9008282ba0e6028ce604

SHA1
beac13ccac2ac620c31dcc5b2882b28df4f444f9

SHA256
83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59

SHA512
c363f38222cc29a75ead651768822c9edf18ae654fbbe3422fbf6a89a237ffc85311f19653b181f2329cbd4ed73be9a7c2a087ce329923a0fb92a359ab192d86

Download Submit
C:\Users\Admin\AppData\Local\rexednIhcraeS\SearchIndexer.exe

Filesize
185KB

MD5
98fb3b4baacd9008282ba0e6028ce604

SHA1
beac13ccac2ac620c31dcc5b2882b28df4f444f9

SHA256
83c80745049df08a9ce97ede3ce47531f88b5796b30290aa0e31b074c403fc59

SHA512
c363f38222cc29a75ead651768822c9edf18ae654fbbe3422fbf6a89a237ffc85311f19653b181f2329cbd4ed73be9a7c2a087ce329923a0fb92a359ab192d86

Download Submit
memory/4648-142-0x0000000007780000-0x0000000007816000-memory.dmp

Filesize
600KB

Download
memory/4648-143-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

Filesize
104KB

Download
memory/4648-136-0x0000000005060000-0x0000000005096000-memory.dmp

Filesize
216KB

Download
memory/4648-137-0x0000000005780000-0x0000000005DA8000-memory.dmp

Filesize
6.2MB

Download
memory/4648-138-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/4648-139-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/4648-140-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/4648-141-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/4648-146-0x0000000008A00000-0x000000000907A000-memory.dmp

Filesize
6.5MB

Download
memory/4648-135-0x0000000000000000-mapping.dmp

Download
memory/4648-144-0x0000000006B40000-0x0000000006B62000-memory.dmp

Filesize
136KB

Download
memory/4648-145-0x0000000007DD0000-0x0000000008374000-memory.dmp

Filesize
5.6MB

Download
memory/4740-132-0x0000000002E42000-0x0000000002E4E000-memory.dmp

Filesize
48KB

Download
memory/4740-134-0x0000000000400000-0x0000000002DE4000-memory.dmp

Filesize
41.9MB

Download
memory/4740-133-0x00000000001C0000-0x00000000001D8000-memory.dmp

Filesize
96KB

Download
memory/5052-147-0x0000000000000000-mapping.dmp

Download
memory/5052-152-0x0000000002FA3000-0x0000000002FAF000-memory.dmp

Filesize
48KB

Download
memory/5052-153-0x0000000000400000-0x0000000002DE4000-memory.dmp

Filesize
41.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads