diamondfox | d113f0b72805c9908272e053fcc5386b191254cbaf685ed66bca824d3d4a94dc

General

Target

040.exe
Size

371KB
MD5

011f82638e33b5c1df66dab43ec2fd18
SHA1

1157a0186b8010d4d5ba99008b46df6798efdb82
SHA256

d113f0b72805c9908272e053fcc5386b191254cbaf685ed66bca824d3d4a94dc
SHA512

5b141b17858a1fdf821c25f8130d7a8f88c401ff56d46eca0037b03bfad8a5470ef8a07065da36d605747d897c1d288549959539cb0fa80d3b251084aa3bea54

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral1/files/0x0009000000022eab-131.dat	diamondfox
behavioral1/files/0x0009000000022eab-132.dat	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
4204	MicrosoftEdgeCPS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4372	powershell.exe
4372	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 4204	3284	040.exe	85
PID 3284 wrote to memory of 4204	3284	040.exe	85
PID 3284 wrote to memory of 4204	3284	040.exe	85
PID 4204 wrote to memory of 4372	4204	MicrosoftEdgeCPS.exe	86
PID 4204 wrote to memory of 4372	4204	MicrosoftEdgeCPS.exe	86
PID 4204 wrote to memory of 4372	4204	MicrosoftEdgeCPS.exe	86

C:\Users\Admin\AppData\Local\Temp\040.exe
"C:\Users\Admin\AppData\Local\Temp\040.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
371KB

MD5
011f82638e33b5c1df66dab43ec2fd18

SHA1
1157a0186b8010d4d5ba99008b46df6798efdb82

SHA256
d113f0b72805c9908272e053fcc5386b191254cbaf685ed66bca824d3d4a94dc

SHA512
5b141b17858a1fdf821c25f8130d7a8f88c401ff56d46eca0037b03bfad8a5470ef8a07065da36d605747d897c1d288549959539cb0fa80d3b251084aa3bea54

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe

Filesize
371KB

MD5
011f82638e33b5c1df66dab43ec2fd18

SHA1
1157a0186b8010d4d5ba99008b46df6798efdb82

SHA256
d113f0b72805c9908272e053fcc5386b191254cbaf685ed66bca824d3d4a94dc

SHA512
5b141b17858a1fdf821c25f8130d7a8f88c401ff56d46eca0037b03bfad8a5470ef8a07065da36d605747d897c1d288549959539cb0fa80d3b251084aa3bea54

Download Submit
memory/4372-140-0x0000000006B60000-0x0000000006B92000-memory.dmp

Filesize
200KB

Download
memory/4372-142-0x0000000006B40000-0x0000000006B5E000-memory.dmp

Filesize
120KB

Download
memory/4372-135-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/4372-136-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/4372-137-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/4372-138-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/4372-139-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/4372-141-0x000000006FD60000-0x000000006FDAC000-memory.dmp

Filesize
304KB

Download
memory/4372-134-0x0000000002C90000-0x0000000002CC6000-memory.dmp

Filesize
216KB

Download
memory/4372-143-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/4372-144-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/4372-145-0x0000000007900000-0x000000000790A000-memory.dmp

Filesize
40KB

Download
memory/4372-146-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/4372-147-0x0000000007AC0000-0x0000000007ACE000-memory.dmp

Filesize
56KB

Download
memory/4372-148-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/4372-149-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing