diamondfox | 7065e6eec89b53663d4d4544faf89b95d45090d484c83a3615edee72c4b252ea

General

Target

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
Size

34KB
MD5

5eb3277e4b057015e82ecf8b7d4d201d
SHA1

25abcee80291edf1092d146bd233854ba7e205b7
SHA256

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc
SHA512

2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18
SSDEEP

768:MRr1TNaD5ksyOcwTLFSwMxECyDiJHjRv5AmGRIp+nbcuyD7UMI:arTaD5kEJ1SwjCyDiJTAmGRIp+nouy8L

Score

10^/10

diamondfox botnet infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 3 IoCs

Detects DiamondFox payload in file/memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1136-24-0x0000000000400000-0x000000000041F010-memory.dmp	diamondfox
behavioral1/memory/1964-26-0x0000000000400000-0x000000000041F010-memory.dmp	diamondfox
behavioral1/memory/1964-30-0x0000000000400000-0x000000000041F010-memory.dmp	diamondfox

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2212	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

AnyDesk.exe

pid	Process
1964	AnyDesk.exe

Loads dropped DLL 2 IoCs

Processes:

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe

pid	Process
1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2764	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exeAnyDesk.exe

pid	Process
1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
1964	AnyDesk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.execmd.exe

description	pid	Process	procid_target
PID 1136 wrote to memory of 1964	1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	30
PID 1136 wrote to memory of 1964	1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	30
PID 1136 wrote to memory of 1964	1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	30
PID 1136 wrote to memory of 1964	1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	30
PID 1136 wrote to memory of 2212	1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	31
PID 1136 wrote to memory of 2212	1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	31
PID 1136 wrote to memory of 2212	1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	31
PID 1136 wrote to memory of 2212	1136	d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe	31
PID 2212 wrote to memory of 2764	2212	cmd.exe	33
PID 2212 wrote to memory of 2764	2212	cmd.exe	33
PID 2212 wrote to memory of 2764	2212	cmd.exe	33
PID 2212 wrote to memory of 2764	2212	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe
"C:\Users\Admin\AppData\Local\Temp\d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe
  "C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd" 0"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd

Filesize
210B

MD5
f07ec6af99fa82ea3353804ce368209d

SHA1
04287a3c2cb8542c6d7ddf49289b7db2e9df3215

SHA256
e825ea34edec43e53db660ca4f9e0ac9d7f17be450b7b5f05f9bed08ec9a3b97

SHA512
26947840147681a46053178db2059831e3368e845245d6e2e0b2dc1b3178a5323a1797b74a6cd4a771b3e814732db4501951684e99e5bdb3cb70cc69da5357f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\823D7E804740.cmd

Filesize
210B

MD5
f07ec6af99fa82ea3353804ce368209d

SHA1
04287a3c2cb8542c6d7ddf49289b7db2e9df3215

SHA256
e825ea34edec43e53db660ca4f9e0ac9d7f17be450b7b5f05f9bed08ec9a3b97

SHA512
26947840147681a46053178db2059831e3368e845245d6e2e0b2dc1b3178a5323a1797b74a6cd4a771b3e814732db4501951684e99e5bdb3cb70cc69da5357f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Filesize
34KB

MD5
5eb3277e4b057015e82ecf8b7d4d201d

SHA1
25abcee80291edf1092d146bd233854ba7e205b7

SHA256
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc

SHA512
2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Filesize
34KB

MD5
5eb3277e4b057015e82ecf8b7d4d201d

SHA1
25abcee80291edf1092d146bd233854ba7e205b7

SHA256
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc

SHA512
2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

Download Submit
\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Filesize
34KB

MD5
5eb3277e4b057015e82ecf8b7d4d201d

SHA1
25abcee80291edf1092d146bd233854ba7e205b7

SHA256
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc

SHA512
2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

Download Submit
\Users\Admin\AppData\Roaming\AnyDesk Network\AnyDesk.exe

Filesize
34KB

MD5
5eb3277e4b057015e82ecf8b7d4d201d

SHA1
25abcee80291edf1092d146bd233854ba7e205b7

SHA256
d4eda8c3a64fb7ef7252d80f8eebcda30cc2bd2ca894970524f21b7064647afc

SHA512
2600d4b469608071d84e481776147bac1bd1d0e9761b1c322d31c856941ce988b4cd08c44acdc3979d4b33f080957bfe287148dda09b3563e50d5f88bb31ae18

Download Submit
memory/1136-0-0x0000000000400000-0x000000000041F010-memory.dmp

Filesize
124KB

Download
memory/1136-12-0x0000000001E40000-0x0000000001E60000-memory.dmp

Filesize
128KB

Download
memory/1136-24-0x0000000000400000-0x000000000041F010-memory.dmp

Filesize
124KB

Download
memory/1964-26-0x0000000000400000-0x000000000041F010-memory.dmp

Filesize
124KB

Download
memory/1964-30-0x0000000000400000-0x000000000041F010-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads