Malware Analysis Report

2024-07-11 07:28

Sample ID 230829-d94jyshg96
Target 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6.zip
SHA256 e3c00e33f7bf7854f47a38918c8d38115808b80e2dbae41c78d45c4ae913d3cd
Tags
diamondfox botnet infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e3c00e33f7bf7854f47a38918c8d38115808b80e2dbae41c78d45c4ae913d3cd

Threat Level: Known bad

The file 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6.zip was found to be: Known bad.

Malicious Activity Summary

diamondfox botnet infostealer stealer

DiamondFox

DiamondFox payload

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-08-29 03:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-29 03:43

Reported

2023-08-29 03:46

Platform

win7-20230712-en

Max time kernel

142s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6.exe

"C:\Users\Admin\AppData\Local\Temp\4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6.exe"

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
N/A 100.113.212.77:80 www.microsoft.com tcp
US 8.8.8.8:53 rusav1.icu udp
N/A 100.71.94.88:80 rusav1.icu tcp
US 8.8.8.8:53 rusav2.icu udp
N/A 100.73.180.208:80 rusav2.icu tcp
US 8.8.8.8:53 rusav3.icu udp
N/A 100.98.146.149:80 rusav3.icu tcp
US 8.8.8.8:53 rusav4.icu udp
N/A 100.111.109.190:80 rusav4.icu tcp
US 8.8.8.8:53 rusav5.icu udp
N/A 100.98.87.16:80 rusav5.icu tcp

Files

memory/2296-0-0x0000000000400000-0x000000000044E000-memory.dmp

\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 08bbb8edf7b5007130f68cbdd34a2fea
SHA1 1d4b99ce9623326a0b38e340262aa781f3f7772b
SHA256 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6
SHA512 176b9ae412c494c773218f15a0b564b62466f85218503930349f52b0ab7fbcc39fb535afa0e263a4e0985a89e18d761f21c9c3647c3b3d7c0e424c20d7f12d05

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 08bbb8edf7b5007130f68cbdd34a2fea
SHA1 1d4b99ce9623326a0b38e340262aa781f3f7772b
SHA256 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6
SHA512 176b9ae412c494c773218f15a0b564b62466f85218503930349f52b0ab7fbcc39fb535afa0e263a4e0985a89e18d761f21c9c3647c3b3d7c0e424c20d7f12d05

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 08bbb8edf7b5007130f68cbdd34a2fea
SHA1 1d4b99ce9623326a0b38e340262aa781f3f7772b
SHA256 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6
SHA512 176b9ae412c494c773218f15a0b564b62466f85218503930349f52b0ab7fbcc39fb535afa0e263a4e0985a89e18d761f21c9c3647c3b3d7c0e424c20d7f12d05

memory/2296-13-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2296-12-0x0000000002D50000-0x0000000002D9E000-memory.dmp

\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 08bbb8edf7b5007130f68cbdd34a2fea
SHA1 1d4b99ce9623326a0b38e340262aa781f3f7772b
SHA256 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6
SHA512 176b9ae412c494c773218f15a0b564b62466f85218503930349f52b0ab7fbcc39fb535afa0e263a4e0985a89e18d761f21c9c3647c3b3d7c0e424c20d7f12d05

memory/1216-16-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1216-18-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-29 03:43

Reported

2023-08-29 03:46

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6.exe

"C:\Users\Admin\AppData\Local\Temp\4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6.exe"

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 44.167.81.100.in-addr.arpa udp
US 8.8.8.8:53 241.176.80.100.in-addr.arpa udp
US 8.8.8.8:53 183.74.72.100.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
N/A 100.83.158.138:80 www.microsoft.com tcp
US 8.8.8.8:53 rusav1.icu udp
N/A 100.95.22.158:80 rusav1.icu tcp
US 8.8.8.8:53 138.158.83.100.in-addr.arpa udp
US 8.8.8.8:53 158.22.95.100.in-addr.arpa udp
US 8.8.8.8:53 94.157.75.100.in-addr.arpa udp
US 8.8.8.8:53 49.200.107.100.in-addr.arpa udp
US 8.8.8.8:53 rusav2.icu udp
N/A 100.84.160.57:80 rusav2.icu tcp
US 8.8.8.8:53 57.160.84.100.in-addr.arpa udp
US 8.8.8.8:53 rusav3.icu udp
N/A 100.90.58.215:80 rusav3.icu tcp
US 8.8.8.8:53 215.58.90.100.in-addr.arpa udp
US 8.8.8.8:53 17.233.70.100.in-addr.arpa udp
US 8.8.8.8:53 rusav4.icu udp
N/A 100.120.28.190:80 rusav4.icu tcp
US 8.8.8.8:53 190.28.120.100.in-addr.arpa udp
US 8.8.8.8:53 rusav5.icu udp
N/A 100.85.68.55:80 rusav5.icu tcp
US 8.8.8.8:53 55.68.85.100.in-addr.arpa udp
US 8.8.8.8:53 80.22.120.100.in-addr.arpa udp

Files

memory/5112-0-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 08bbb8edf7b5007130f68cbdd34a2fea
SHA1 1d4b99ce9623326a0b38e340262aa781f3f7772b
SHA256 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6
SHA512 176b9ae412c494c773218f15a0b564b62466f85218503930349f52b0ab7fbcc39fb535afa0e263a4e0985a89e18d761f21c9c3647c3b3d7c0e424c20d7f12d05

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 08bbb8edf7b5007130f68cbdd34a2fea
SHA1 1d4b99ce9623326a0b38e340262aa781f3f7772b
SHA256 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6
SHA512 176b9ae412c494c773218f15a0b564b62466f85218503930349f52b0ab7fbcc39fb535afa0e263a4e0985a89e18d761f21c9c3647c3b3d7c0e424c20d7f12d05

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 08bbb8edf7b5007130f68cbdd34a2fea
SHA1 1d4b99ce9623326a0b38e340262aa781f3f7772b
SHA256 4c4da7ca3fc9b71ecd8f9e8f0b676a2fb2d4c9428abee2abfac827495f94c8c6
SHA512 176b9ae412c494c773218f15a0b564b62466f85218503930349f52b0ab7fbcc39fb535afa0e263a4e0985a89e18d761f21c9c3647c3b3d7c0e424c20d7f12d05

memory/5112-12-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3864-15-0x0000000000400000-0x000000000044E000-memory.dmp