Malware Analysis Report

2024-07-11 07:31

Sample ID 230829-dl7ayacf91
Target 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
SHA256 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
Tags
upx diamondfox botnet infostealer stealer
Score
10/10

Analysis Overview

Score
10/10

SHA256

3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248

Threat Level: Known bad

The file 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248 was found to be: Known bad.

Malicious Activity Summary

upx diamondfox botnet infostealer stealer

DiamondFox

DiamondFox payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-08-29 03:06

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-29 03:06

Reported

2023-08-29 03:09

Platform

win7-20230712-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe

"C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
N/A 100.91.107.79:80 www.microsoft.com tcp
US 8.8.8.8:53 rusav1.icu udp
N/A 100.73.75.225:80 rusav1.icu tcp
US 8.8.8.8:53 rusav2.icu udp
N/A 100.84.255.253:80 rusav2.icu tcp
US 8.8.8.8:53 rusav3.icu udp
N/A 100.89.75.221:80 rusav3.icu tcp
US 8.8.8.8:53 rusav4.icu udp
N/A 100.93.42.3:80 rusav4.icu tcp

Files

memory/2628-0-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2628-1-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2628-2-0x0000000000320000-0x0000000000335000-memory.dmp

memory/2628-3-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2628-6-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2628-7-0x0000000000400000-0x000000000049C000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 17a1f7e98731df9b74b98accb650d50e
SHA1 64a96c0cfd3884f682b1b56f3e9e1b880849694f
SHA256 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
SHA512 49ad8edbd470c2fd32a1317288634b6411da106510527117808b3c2eb78685c1ceb69d93eaa2047cabce5bb7da9901a00c10e071f7482d2ee5bb6af231380917

memory/2628-15-0x0000000002FE0000-0x000000000307C000-memory.dmp

memory/2916-18-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2628-19-0x0000000000320000-0x0000000000335000-memory.dmp

memory/2628-17-0x0000000000400000-0x000000000049C000-memory.dmp

\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 17a1f7e98731df9b74b98accb650d50e
SHA1 64a96c0cfd3884f682b1b56f3e9e1b880849694f
SHA256 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
SHA512 49ad8edbd470c2fd32a1317288634b6411da106510527117808b3c2eb78685c1ceb69d93eaa2047cabce5bb7da9901a00c10e071f7482d2ee5bb6af231380917

memory/2916-21-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2916-24-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2916-28-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2916-29-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2916-30-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2916-31-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2916-32-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2916-36-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2916-39-0x0000000000400000-0x000000000049C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-29 03:06

Reported

2023-08-29 03:09

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe"

Signatures

DiamondFox

botnet stealer diamondfox

DiamondFox payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe

"C:\Users\Admin\AppData\Local\Temp\3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

"C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe" 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 38.161.102.100.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 231.102.120.100.in-addr.arpa udp
US 8.8.8.8:53 23.212.90.100.in-addr.arpa udp
US 8.8.8.8:53 108.197.118.100.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
N/A 100.71.1.231:80 www.microsoft.com tcp
US 8.8.8.8:53 rusav1.icu udp
N/A 100.85.86.208:80 rusav1.icu tcp
US 8.8.8.8:53 231.1.71.100.in-addr.arpa udp
US 8.8.8.8:53 208.86.85.100.in-addr.arpa udp
US 8.8.8.8:53 rusav2.icu udp
N/A 100.103.16.183:80 rusav2.icu tcp
US 8.8.8.8:53 183.16.103.100.in-addr.arpa udp
US 8.8.8.8:53 229.216.66.100.in-addr.arpa udp
US 8.8.8.8:53 rusav3.icu udp
N/A 100.104.162.187:80 rusav3.icu tcp
US 8.8.8.8:53 187.162.104.100.in-addr.arpa udp
US 8.8.8.8:53 rusav4.icu udp
N/A 100.112.150.104:80 rusav4.icu tcp
US 8.8.8.8:53 104.150.112.100.in-addr.arpa udp
US 8.8.8.8:53 83.13.113.100.in-addr.arpa udp

Files

memory/3108-0-0x0000000000400000-0x000000000049C000-memory.dmp

memory/3108-1-0x0000000000400000-0x000000000049C000-memory.dmp

memory/3108-2-0x00000000005C0000-0x00000000005D5000-memory.dmp

memory/3108-3-0x0000000000400000-0x000000000049C000-memory.dmp

memory/3108-5-0x0000000000400000-0x000000000049C000-memory.dmp

C:\Users\Admin\AppData\Roaming\lsassfold\lsass.exe

MD5 17a1f7e98731df9b74b98accb650d50e
SHA1 64a96c0cfd3884f682b1b56f3e9e1b880849694f
SHA256 3ef2a739073edef534d6bbd2c426cf8e2285544d03afe33ce64526f3e5926248
SHA512 49ad8edbd470c2fd32a1317288634b6411da106510527117808b3c2eb78685c1ceb69d93eaa2047cabce5bb7da9901a00c10e071f7482d2ee5bb6af231380917

memory/3108-20-0x0000000000400000-0x000000000049C000-memory.dmp

memory/3108-21-0x00000000005C0000-0x00000000005D5000-memory.dmp

memory/4180-22-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4180-23-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4180-25-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4180-28-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4180-31-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4180-34-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4180-37-0x0000000000400000-0x000000000049C000-memory.dmp