diamondfox | atiedxx[.]bin | Triage

Sharing

Reason

config extraction: DiamondFox: pe: invalid address

General

Target

atiedxx.bin
Size

90KB
MD5

4dddf0bfbb7fff60a92926426a0754e4
SHA1

423f4f6b9c0805222b9577b52862af684030c002
SHA256

f24b905fb50dd08805caa0d357b3c43149a5174c745797af98d0c4f111f85788
SHA512

713fec6b0a8067dd39579ad9280442bf215efb95b628e9b2f3cdb61fb4bc796bfb2857810fe393757a25006ba7203878ce9c4763ed15db6d8a5785badbc21744
SSDEEP

1536:Y4VCaYZdr/Wl2pB6mOL1fNzsqGzLkGkRQZbK:YyPYylOBU5VzMkRQK

Score

10^/10

infostealer diamondfox

Malware Config

Signatures

DiamondFox payload 1 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
sample	diamondfox

Diamondfox family
diamondfox

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
atiedxx.bin

Files

atiedxx.bin
.exe windows:4 windows x86 arch:x86

6896c381286479424e77ae2151589c5e

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

MethCallEngine
ord516
ord517
ord626
ord519
ord667
ord593
ord594
ord702
ord598
ord631
EVENT_SINK_AddRef
ord529
ord560
DllFunctionCall
ord567
EVENT_SINK_Release
ord600
ord601
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord710
ord711
ord712
ord606
ord714
ord716
ord531
ord717
ProcCallEngine
ord537
ord644
ord570
ord648
ord573
ord681
ord578
ord685
ord100
ord579
ord616
ord618
ord580

Sections

.text
Size: 89KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ