diamondfox | b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8

Sharing

General

Target

master.zip
Size

137.8MB
Sample

250217-1l23jsvl12
MD5

0ea49cf67d7f137a795d6754c94ed083
SHA1

0be02b9e47a31775cc8b3a2d18363346ef0fd053
SHA256

b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8
SHA512

4034a6c9b2cc682e222eff296109e47d0e6f5b35a3b492b07fdf80fccfaf6a1cebd3b7f21b293947866d5b69c7716e09b595fb4ab086e56f868c5dd28524e50a
SSDEEP

3145728:8mi9r/A/MrzSxOsokx8IyfMvNxA0RZmhPcnZW0RlXtdfmhoiT40+6toJlZ4r:8mW/A/uz8dxYq7qJc1zH+2566+

Score

10^/10

Malware Config

Targets

- Target
  
  malware-sample-library-master/APT28 FancyBear/APT28,NATOPAPER,SOFACY2004.bin
- Size
  
  108KB
- MD5
  
  7f564a6a8910b513a851b2616af8d7ee
- SHA1
  
  aade2da992de07c233f4d2711cb4f046984a3783
- SHA256
  
  1de6d9db409bef73e3585fc08f98b30e2757ec87830e6f84ba85c39210aa962b
- SHA512
  
  9870a3ac7cd47458aa9f0a6afd9767d19460d93c9c2f20aa5fb2fe6a2ef0e2b7361e2a83d20cd91c105af34184fe3d582b5ce4200f0bea1e780481fe7928e252
- SSDEEP
  
  1536:DAo8qqfNrkdOoXL60J8s8FGBOO80+yldyVZR/HmD8TK0VGaxkGbANv:DAo8zuFjyFG8x0+ylc7RftTVGOkv
Score

10^/10

discovery persistence
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  malware-sample-library-master/APT28 FancyBear/APT28DecoyDocument.doc
- Size
  
  333KB
- MD5
  
  085be1b8b8f3e90be00f6a3bcea2879f
- SHA1
  
  cc7607015cd7a1a4452acd3d87adabdd7e005bd7
- SHA256
  
  c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f
- SHA512
  
  9d61f7fcf4543ca2e9d282df93fa604a1736a5a50da47e7c66ecaa635465fef61b26c94af5f6204601668e646b6a140f0e248e01ad79fce056b671a3f6d8c6af
- SSDEEP
  
  6144:yaZ5a2auBso4RCTS8I7Dh4tkX7rETf1I3pS:35a2bBso6qGf7AT9I3pS
Score

4^/10

discovery
behavioral3 behavioral4
- Target
  
  malware-sample-library-master/APT28 FancyBear/APT28DropperExcelDoc.xls
- Size
  
  1.1MB
- MD5
  
  5debb3535cba6615526c64e44d0f5e2b
- SHA1
  
  abaa744d9504c7f23a237f8220ac6a441016d518
- SHA256
  
  5bac7a020f173d6c35f73d76cd3745a36564dbb3dd32f2d5fc5021c353e76a54
- SHA512
  
  4435f4deebc2f03c3a5659d1a870699d22fdb52525829373cf3bc0592db04da967e14f1e3f001b1cc0b974f8bddb96887480bcb7f14f3172caba1382866676c0
- SSDEEP
  
  12288:/bkdb1vJu/xtIIcnIE9A3HfOoV+4qF2KhaLZA6H/EHagqNC9:TkdbVJupvSmHfOoaF2KhaLZTx89
Score

10^/10

defense_evasion discovery
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Loads dropped DLL
- Deobfuscate/Decode Files or Information
  Payload decoded via CertUtil.
  defense_evasion
behavioral5 behavioral6
- Target
  
  malware-sample-library-master/APT28 FancyBear/APT28Hospital.doc
- Size
  
  76KB
- MD5
  
  9b10685b774a783eabfecdb6119a8aa3
- SHA1
  
  f293a2bfb728060c54efeeb03c5323893b5c80df
- SHA256
  
  a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
- SHA512
  
  26a0f0dd37439da543526704b5a689ed9f9317baf357d9a7a4d885855d80b5745a07972da3a1c5b06f39fcbbbff9e94f0729edbdba8963b0dcb8c650addbdc48
- SSDEEP
  
  1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR
Score

10^/10

discovery persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Registers new Windows logon scripts automatically executed at logon.
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
behavioral7 behavioral8
- Target
  
  malware-sample-library-master/APT28 FancyBear/APT28Implant.bin
- Size
  
  175KB
- MD5
  
  6e52b4466cf1dcedf82c8f7463114469
- SHA1
  
  32996f2b03ba76412b3160231352a3f06306c203
- SHA256
  
  489a1b13b5ec415f24bc4f1b4ed6c6e0bdc50ae95513645a839655bc75d4d9d6
- SHA512
  
  06c08f1444c1e49aada3dca91573e36321aaa8d94749293bb3b1a569d1d76297089bf22d44106a16f5714e56cff95cfc40b5144c150fc263e058cd37f07534a3
- SSDEEP
  
  3072:VLz69Ofiiw7n7dMgfIe0/T2Bk3FdEFSwSGSnII3mVt:NZwb7ygU/fFdEFPSnnrmV
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  malware-sample-library-master/APT28 FancyBear/APT28wmsApplication.exe
- Size
  
  192KB
- MD5
  
  92b90b0208805daaa8ab45fa19d36b14
- SHA1
  
  657b3e726b56618577f4fb2cbe7c8b7f9bab8dcf
- SHA256
  
  6f2589be92c2d0fa6050e52fbedb967c2590a8abbc4a9459fb7f78bc52407195
- SHA512
  
  21290d68aca3ac47e48d9ba04290bf8ac5824fdd6cd29c135aadd6bc138cf3a37782cfbce231dc63fab4ed3343de5ff0766383ee784c07628e3ba23b964a8715
- SSDEEP
  
  3072:Flnoi11sepXwT57rrr+sjvbGADINlGVSvWej5fe:Po4+eU52qb1DGs6Wk
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  malware-sample-library-master/APT28 FancyBear/Backdoor.XTunnel.exe
- Size
  
  1.8MB
- MD5
  
  9e7053a4b6c9081220a694ec93211b4e
- SHA1
  
  f09780ba9eb7f7426f93126bc198292f5106424b
- SHA256
  
  4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976
- SHA512
  
  f231dc71616aa96a5d44bf4ceef8855ca367ba4bfde1fc82af1b383c89699a66c656758fb049cf012a25e3bff82db506e0cdfada87d7d71273eddb1a4ce42bac
- SSDEEP
  
  24576:JKw4ZZ6rTIBJwqEaxChz52shpktYlecs5ZCo+jlxf1NTfkYJ+nbgEvrZmDxcP+4F:Iw4ZMrTeJKisRki+F8q24eZxtP
Score

1^/10
behavioral13 behavioral14
- Target
  
  malware-sample-library-master/APT28 FancyBear/FancyBearZekapab.bin
- Size
  
  776KB
- MD5
  
  1bcf064650aef06d83484d991bdf6750
- SHA1
  
  fa67e97c52788de5dea0959d455362aa4843eff0
- SHA256
  
  19be1aedc36a6f7d1fcbd9c689757d3d09b7dad7136b4f419a45e6187f54f772
- SHA512
  
  03f0c777f26391cadb1e1754e0405f518976390948bd83f8be63897f6127af9dd2ca8cc2297197fd207cf1241d184e9d85e37a5780de1a5e6256e0f7dc4a1bbd
- SSDEEP
  
  24576:P7AKkolpDEI+UTUqCg5D5WmQW9Ulg/bdG:PblVfP9+gzA
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  malware-sample-library-master/APT28 FancyBear/FancyBearZekapabImplant.bin
- Size
  
  785KB
- MD5
  
  d1755976a6f7e1cbf21132ac4fdcf553
- SHA1
  
  a4e6f56a67149cd1d96eb03317098188c8f673a1
- SHA256
  
  963c3bf38e90c2971e6875490e9d2393b9567f5cc3ee5e4c098b988bd2b852c5
- SHA512
  
  6a58f404feaec1f33b0ce2f0c87eac5939184bc33a069d1f66ee4602715ecbeb8604b9b0af5657eaccff7f97b8b911c6da6484c34aa7628945411e5bc7cbd8a8
- SSDEEP
  
  12288:9sFTxmLKQENZn8k+UYOHp2hh0nYsuCY2WmQCiDz/jaLRQq36GmXQfBWy:QUOQENik+uQhhUYqWmQCioiowy
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  malware-sample-library-master/APT28 FancyBear/FancyImplant.bin
- Size
  
  682KB
- MD5
  
  2c27f24939144655677bb73d2790d668
- SHA1
  
  78167e4cfcb96536138a46984f6208c5c7780d2b
- SHA256
  
  044f8ab501090fd77ae6e9ebf57e7fba9041be7ab986ce58f38583f4839a5126
- SHA512
  
  3c86f84481678a6b5e58e09394b0e924aff3f33c0e1b7ac66569ef03208140abaec97a7cbbfa161784e53fd1bb08fdf5e347b42a61781d9f9a333d8b24f08d1c
- SSDEEP
  
  12288:GGrBnWo0y/2n0kEgLYxsboEOEoWlnrCFUVWmQui6PIk21tBN9k:x3g0MLYxsbwPWt+2WmQui6wkQ6
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  malware-sample-library-master/APT28 FancyBear/LoJaxInfo_EFI.exe
- Size
  
  334KB
- MD5
  
  e00216958f15f1db6371b583a3ea438a
- SHA1
  
  4b9e71615b37aea1eaeb5b1cfa0eee048118ff72
- SHA256
  
  81e96c07e6c9cb02f72c0943a42ff9f8f09a09c508f8bbaa1142a9ee4f1326cf
- SHA512
  
  9d46b4fbf26c775929e95e145b390f0d12566e482920f629b342db2aaa37c5a40a789226ecfe51ba0f0b94fce827b9f53180232cda48bae510cce1e3b37bed16
- SSDEEP
  
  3072:/1sLvFfS/tB4NebyKwhlUHMjIV8JEmoXIpVoJEmoXIpVoJEmoXIpVoJEmoXIpVoW:/qFMtSLKwhAooXzoXzoXzoXzoXzoX
Score

8^/10

discovery
- Drops file in Drivers directory
behavioral21 behavioral22
- Target
  
  malware-sample-library-master/APT28 FancyBear/LoJaxSmallAgent.exe
- Size
  
  17KB
- MD5
  
  595aff5212df3534fb8af6a587c6038e
- SHA1
  
  1771e435ba25f9cdfa77168899490d87681f2029
- SHA256
  
  dcbfd12321fa7c4fa9a72486ced578fdc00dcee79e6d95aa481791f044a55af3
- SHA512
  
  281d601178ac8a1e589a3ae8ba0e324b180aa3dde121eee399448beb6752b67c0cf0add7a99913816e23d9985bf9a2b1dee7495ca018f1583cab52b30d7607e0
- SSDEEP
  
  384:R1Wx2a/j+qDaF400vvnIPxAvDJ1SvAPnXnG1l:R1I2ab+qq400nnIpAN1SvAP36
Score

7^/10

discovery
- Loads dropped DLL
behavioral23 behavioral24
- Target
  
  malware-sample-library-master/APT28 FancyBear/LoJaxSmall_AgentDLL.exe
- Size
  
  17KB
- MD5
  
  10036063be45f92a9a743425fbf5abc7
- SHA1
  
  d70db6a6d660aae58ccfc688a2890391fd873bfb
- SHA256
  
  3f48dbbf86f29e01809550f4272a894ff4b09bd48b0637bd6745db84d2cec2b6
- SHA512
  
  a2fc426489193993e97fe3cedd529f52702c1f0d7a348960cbe5955b173cb8e1b77d117f389afd1db55a8bd33a81a72ceb6088fe5175927921e120f9fea82493
- SSDEEP
  
  384:x1Wx2a/j+qDaF400vvnIPxAvDJ1SvAPnXnG1l:x1I2ab+qq400nnIpAN1SvAP36
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin
- Size
  
  131KB
- MD5
  
  4400ec9c4732a32149ca58e7c5806178
- SHA1
  
  d9bcd2f745acca38c403dd9131b3d2cdf23c2b3c
- SHA256
  
  96a19a90caa41406b632a2046f3a39b5579fbf730aca2357f84bf23f2cbc1fd3
- SHA512
  
  fadb351bf1d11c977b62e2b5143ed4afe59cb36918dfc5f259150875992b9e21285e05f3c541b1e6afddb572aa6538a1db0fac984540a3be50dd20982a20606b
- SSDEEP
  
  1536:mmuG6zRg+/Hfx0X2zTCDsQvGVSzNPMihlv72zVXB6Yjzral1Y:zujRHfxm2zTCgQOg00vKzVXB6YjzK1Y
Score

1^/10
behavioral27
- Target
  
  malware-sample-library-master/APT28 FancyBear/X-AgentTrojan.bin
- Size
  
  325KB
- MD5
  
  4fa6cd01571905b9c7c8fc9a359b655e
- SHA1
  
  46e2957e699fae6de1a212dd98ba4e2bb969497d
- SHA256
  
  b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6
- SHA512
  
  186a479db30c2e026ca6cae5ff452e48f9bf38a494c2aa774ef0248a5803704dfed418482650fe972c73069524e28b1d3e1da4cb90ba8fa9ca6779c7a22d1027
- SSDEEP
  
  6144:XqlcrjJaCmu1DbUZgiKUYhTRiVGr2ud+iDQgTOjORmoQAG:XqlcxavCvUZeUYfiyDQ2Rmo9G
Score

1^/10
behavioral28 behavioral29
- Target
  
  malware-sample-library-master/APT28 FancyBear/Xagent64.bin
- Size
  
  276KB
- MD5
  
  cc9e6578a47182a941a478b276320e06
- SHA1
  
  0b3852ae641df8ada629e245747062f889b26659
- SHA256
  
  fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5
- SHA512
  
  6cc6bdd0edd4b14d7f87b6c8a91cb563b7a2b1e6e2d26357b77c50e1c22a451e64a3224e6c8307623e44b626ba47d0c179114bf1137a453ab2f8ae61425a1659
- SSDEEP
  
  3072:0TrTaRcOsbAZo/DWEx9SYCTfyTcCuUtBwXO1HYF9GQkgYKON4hz46Gyi:+rT4cL/l9lofyTmUtBwX64FgKdhxGy
Score

8^/10
- Blocklisted process makes network request
behavioral30 behavioral31
- Target
  
  malware-sample-library-master/APT28 FancyBear/ZekaAPT28.bin
- Size
  
  853KB
- MD5
  
  c6e95fb89df8e84eb21b3ce6b8947ce2
- SHA1
  
  e3d9ac6aa3d828e75e1d941862b2b1df866cc618
- SHA256
  
  0320298eea0206b71d12f3a69730bbbec9768c5c323dfe131047f7ba4f4a8868
- SHA512
  
  7bb209d6caf7031c099311a984684fd2ce8aac57e90eaf795a9cce86f84e0588e35f9f617759a4fd07409d1e9335c08c75c09154feea3aac0ff1bc6a376989b0
- SSDEEP
  
  24576:C7AKkolpDEI+UTUqCg5D5WmQW9Ulg/oSG:CblVfP9+gQr
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Boot or Logon Initialization Scripts

T1037

Logon Script (Windows)

T1037.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Boot or Logon Initialization Scripts

T1037

Logon Script (Windows)

T1037.001

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Adds autorun key to be loaded by Explorer.exe on startup

Checks computer location settings

Drops file in System32 directory

Process spawned unexpected child process

Executes dropped EXE

Loads dropped DLL

Deobfuscate/Decode Files or Information

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Registers new Windows logon scripts automatically executed at logon.

Maps connected drives based on registry

Process spawned suspicious child process

Drops file in Drivers directory

Loads dropped DLL

Blocklisted process makes network request

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32

We care about your privacy.