diamondfox | 040

Sharing

Copy URL

Twitter E-mail

General

Target

040
Size

212KB
MD5

433d77782664455b950e1508c0787f1a
SHA1

181103f2b8dd9a8bf954f22670f08c7193cb8e8f
SHA256

e3be8bb6d3f2e7bd860e41df6a60e1a5698bec5670ea127b627ef8b16fb0d254
SHA512

5c8da80d17e2a023d2bb2621ec14d97412fd02a9c645044e1c4818c4e55c29e8fc5ad4cae30817d4e6e45d52e3fdd44b8581be0e411b74fff26e7ae44008d390
SSDEEP

6144:BOHeBWJdskGtgUSxE916KEqYmFjvTBi9g6l:BO+B4it8xokZmFjvToKA

Score

10^/10

infostealer diamondfox

Malware Config

Signatures

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
sample	diamondfox

Diamondfox family
diamondfox

Files

040
.exe windows x86

8316bcd12417e59032ab566efaeaa8d5

Code Sign

01
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

01-01-2004 00:00

Not After

31-12-2028 23:59

Subject

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12-03-2019 00:00

Not After

31-12-2028 23:59

Subject

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

79:77:ba:de:f6:83:54:84:b8:ce:b0:dd:2b:58:f4:08
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

29-01-2020 00:00

Not After

28-01-2030 23:59

Subject

CN=TrustOcean Organization Software Vendor CA,O=TrustOcean Limited,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

06:62:76:af:2f:2c:7e:24:6d:3b:1c:ab:1b:4a:a4:2e
Certificate

Issuer

CN=TrustOcean Organization Software Vendor CA,O=TrustOcean Limited,C=US

Not Before

25-03-2021 00:00

Not After

25-03-2022 23:59

Subject

CN=IQ Trade ApS,O=IQ Trade ApS,POSTALCODE=2610,STREET=Prøvensvej 26,L=Rødovre,C=DK

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3c:71:28:e2:75:15:16:ba:12:59:82:2e:8e:e0:74:20:e3:48:d2:ea
Signer

Actual PE Digest

3c:71:28:e2:75:15:16:ba:12:59:82:2e:8e:e0:74:20:e3:48:d2:ea

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=IQ Trade ApS,O=IQ Trade ApS,POSTALCODE=2610,STREET=Prøvensvej 26,L=Rødovre,C=DK

30-04-2021 12:43
Valid: true

Chain 1

CN=IQ Trade ApS,O=IQ Trade ApS,POSTALCODE=2610,STREET=Prøvensvej 26,L=Rødovre,C=DK

CN=TrustOcean Organization Software Vendor CA,O=TrustOcean Limited,C=US

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Chain 2

CN=IQ Trade ApS,O=IQ Trade ApS,POSTALCODE=2610,STREET=Prøvensvej 26,L=Rødovre,C=DK

CN=TrustOcean Organization Software Vendor CA,O=TrustOcean Limited,C=US

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
memcpy
wcslen
wcscpy
wcscat
wcscmp
memmove
wcschr
_CIlog
floor
ceil
_CIpow
strstr
strlen
_strnicmp
strcmp
strncpy
strcpy
sprintf
_wcsicmp
tolower
wcsncpy
fabs
malloc
free
fseek
ftell
fread
fclose
pow
??3@YAXPAX@Z
wcsncmp
wcsstr
_wcsnicmp
_wcsdup
_isnan
_vsnwprintf
cos
fmod
sin
abs

kernel32

GetModuleHandleW
HeapCreate
CreateMutexW
GetLastError
HeapDestroy
ExitProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetCurrentProcessId
CloseHandle
GetTickCount
LoadLibraryW
GetDiskFreeSpaceExW
GetSystemPowerStatus
CreateProcessW
GetThreadContext
ReadProcessMemory
VirtualAllocEx
WriteProcessMemory
SetThreadContext
ResumeThread
TerminateProcess
GetModuleFileNameW
VirtualFree
VirtualAlloc
FreeLibrary
VirtualProtect
IsBadReadPtr
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
WaitForSingleObject
CreateThread
GetEnvironmentVariableW
SetEnvironmentVariableW
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
HeapAlloc
HeapFree
PeekNamedPipe
GetEnvironmentStringsW
FreeEnvironmentStringsW
ReadFile
HeapReAlloc
TlsAlloc
TlsSetValue
GetCurrentThreadId
TlsGetValue
GetProcAddress
Sleep
GetSystemInfo
GlobalMemoryStatusEx
GetComputerNameW
CreateDirectoryW
SetFileAttributesW
CopyFileW
DeleteFileW
GetTempPathW
GetDriveTypeW
FindFirstFileW
FindClose
GetFileAttributesW
WriteFile
CreateFileW
SetFilePointer
GetFileSize
WideCharToMultiByte
GetVersionExW
MultiByteToWideChar
HeapSize
TlsFree
DeleteCriticalSection
InterlockedCompareExchange
InterlockedExchange
SetLastError
UnregisterWait
GetCurrentThread
RegisterWaitForSingleObject

gdiplus

GdiplusStartup
GdipCreateBitmapFromFile
GdipSaveImageToFile
GdipDisposeImage
GdiplusShutdown
GdipDeleteFont
GdipDeleteGraphics
GdipDeletePath
GdipDeleteMatrix
GdipDeletePen
GdipDeleteStringFormat
GdipFree
GdipGetDpiX
GdipGetDpiY

user32

GetSystemMetrics
GetCursorPos
GetDC
ReleaseDC
DestroyIcon
FillRect
CharUpperW
CharLowerW
GetIconInfo
DrawIconEx

gdi32

BitBlt
GetObjectType
DeleteObject
GetObjectW
CreateCompatibleDC
SelectObject
CreateSolidBrush
DeleteDC
GdiGetBatchLimit
GdiSetBatchLimit
CreateDIBSection
CreateBitmap
SetPixel
GetStockObject
GetDIBits
CreateDCW
GetDeviceCaps
GetTextExtentPoint32W
SetBkMode
SetTextAlign
SetBkColor
SetTextColor
TextOutW
SetStretchBltMode
SetBrushOrgEx
StretchBlt
CreateFontIndirectW
GetTextMetricsW
CreateCompatibleBitmap
GetPixel

advapi32

RegOpenKeyExW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegQueryValueExW
GetUserNameW

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
ShellExecuteExW

wsock32

closesocket
WSACleanup
WSAStartup

winmm

timeBeginPeriod

shlwapi

PathFileExistsW

ole32

CoInitialize
CoCreateInstance
CoUninitialize
CoTaskMemFree

ntdll

ZwUnmapViewOfSection

setupapi

IsUserAdmin

urlmon

URLDownloadToFileW

wininet

InternetOpenW
InternetSetOptionW
InternetConnectW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
InternetReadFile
InternetCloseHandle
InternetGetConnectedState

Sections

.code
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

8316bcd12417e59032ab566efaeaa8d5

Code Sign

01Certificate

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95Certificate

Key Usages

79:77:ba:de:f6:83:54:84:b8:ce:b0:dd:2b:58:f4:08Certificate

Extended Key Usages

Key Usages

06:62:76:af:2f:2c:7e:24:6d:3b:1c:ab:1b:4a:a4:2eCertificate

Extended Key Usages

Key Usages

3c:71:28:e2:75:15:16:ba:12:59:82:2e:8e:e0:74:20:e3:48:d2:eaSigner

Signature Validations

Verification

30-04-2021 12:43 Valid: true

Chain 1

Chain 2

Headers

File Characteristics

Imports

msvcrt

kernel32

gdiplus

user32

gdi32

advapi32

shell32

wsock32

winmm

shlwapi

ole32

ntdll

setupapi

urlmon

wininet

Sections

.code Size: 38KB - Virtual size: 37KB

.text Size: 124KB - Virtual size: 123KB

.rdata Size: 26KB - Virtual size: 25KB

.data Size: 14KB - Virtual size: 17KB

01
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
Certificate

79:77:ba:de:f6:83:54:84:b8:ce:b0:dd:2b:58:f4:08
Certificate

06:62:76:af:2f:2c:7e:24:6d:3b:1c:ab:1b:4a:a4:2e
Certificate

3c:71:28:e2:75:15:16:ba:12:59:82:2e:8e:e0:74:20:e3:48:d2:ea
Signer

30-04-2021 12:43
Valid: true

.code
Size: 38KB - Virtual size: 37KB

.text
Size: 124KB - Virtual size: 123KB

.rdata
Size: 26KB - Virtual size: 25KB

.data
Size: 14KB - Virtual size: 17KB