win.diamondfox

DiamondFox

aka: Crystal, Gorynych, Gorynch

There is no description at this point.

References
2021-07-27 | ZAYOTEM | Abdulsamet Akinci
@techreport{akinci:20210727:diamondfox:f648c5c, author = {Abdulsamet Akinci}, title = {{Diamondfox Technical Analysis Report}}, date = {2021-07-27}, institution = {ZAYOTEM}, url = {https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF}, language = {English}, urldate = {2021-08-24} } Diamondfox Technical Analysis Report
DiamondFox
2020-08-10 | FR3D.HK | Fred HK
@online{hk:20200810:diamondfox:d2a194b, author = {Fred HK}, title = {{DiamondFox - Bank Robbers will be replaced}}, date = {2020-08-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced}, language = {English}, urldate = {2020-08-12} } DiamondFox - Bank Robbers will be replaced
DiamondFox
2017-05-10 | Check Point | Check Point
@online{point:20170510:diamondfox:018fbdb, author = {Check Point}, title = {{DiamondFox modular malware – a one-stop shop}}, date = {2017-05-10}, organization = {Check Point}, url = {http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/}, language = {English}, urldate = {2019-12-18} } DiamondFox modular malware – a one-stop shop
DiamondFox
2017-04-06 | Malwarebytes | Malwarebytes Labs
@online{labs:20170406:diamond:5788882, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 2: let’s dive in the code}}, date = {2017-04-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/}, language = {English}, urldate = {2019-12-20} } Diamond Fox – part 2: let’s dive in the code
DiamondFox
2017-03-17 | Malwarebytes | Malwarebytes Labs
@online{labs:20170317:diamond:67bf9e6, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 1: introduction and unpacking}}, date = {2017-03-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/}, language = {English}, urldate = {2019-12-20} } Diamond Fox – part 1: introduction and unpacking
DiamondFox
2016-12-12 | SC Magazine | SC Magazine
@online{magazine:20161212:inside:0f139d0, author = {SC Magazine}, title = {{Inside DiamondFox}}, date = {2016-12-12}, organization = {SC Magazine}, url = {https://www.scmagazine.com/inside-diamondfox/article/578478/}, language = {English}, urldate = {2020-01-13} } Inside DiamondFox
DiamondFox
2015-10-08 | Cylance | Brian Wallace
@online{wallace:20151008:study:c8ba2d5, author = {Brian Wallace}, title = {{A Study in Bots: DiamondFox}}, date = {2015-10-08}, organization = {Cylance}, url = {https://blog.cylance.com/a-study-in-bots-diamondfox}, language = {English}, urldate = {2020-01-08} } A Study in Bots: DiamondFox
DiamondFox
Yara Rules
[TLP:WHITE] win_diamondfox_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_diamondfox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE
     * Every $sequence_N below is a run of four 6-byte FF 25 instructions
     * (jmp dword ptr [imm32]) through fixed absolute addresses in the range
     * 0x401000-0x401124, as the per-line disassembly comments show. That shape
     * looks like a linker-generated table of jump stubs through imported
     * function pointers rather than family-specific logic -- confirm against
     * the sample. If so, a match is tied to the image base and import layout
     * of the one documented build: a rebased or differently linked build may
     * not match, and an unrelated binary with the same stub layout might.
     * Treat a hit as a lead to corroborate with a second, code-level
     * indicator rather than as attribution on its own.
     */

    strings:
        $sequence_0 = { ff258c104000 ff2588104000 ff2508114000 ff2570104000 }
            // n = 4, score = 2000
            //   ff258c104000         | jmp                 dword ptr [0x40108c]
            //   ff2588104000         | jmp                 dword ptr [0x401088]
            //   ff2508114000         | jmp                 dword ptr [0x401108]
            //   ff2570104000         | jmp                 dword ptr [0x401070]

        $sequence_1 = { ff253c104000 ff2550104000 ff2548104000 ff2584104000 }
            // n = 4, score = 2000
            //   ff253c104000         | jmp                 dword ptr [0x40103c]
            //   ff2550104000         | jmp                 dword ptr [0x401050]
            //   ff2548104000         | jmp                 dword ptr [0x401048]
            //   ff2584104000         | jmp                 dword ptr [0x401084]

        $sequence_2 = { ff25bc104000 ff25b4104000 ff25f0104000 ff2544104000 }
            // n = 4, score = 2000
            //   ff25bc104000         | jmp                 dword ptr [0x4010bc]
            //   ff25b4104000         | jmp                 dword ptr [0x4010b4]
            //   ff25f0104000         | jmp                 dword ptr [0x4010f0]
            //   ff2544104000         | jmp                 dword ptr [0x401044]

        $sequence_3 = { ff2568104000 ff253c104000 ff2550104000 ff2548104000 }
            // n = 4, score = 2000
            //   ff2568104000         | jmp                 dword ptr [0x401068]
            //   ff253c104000         | jmp                 dword ptr [0x40103c]
            //   ff2550104000         | jmp                 dword ptr [0x401050]
            //   ff2548104000         | jmp                 dword ptr [0x401048]

        $sequence_4 = { ff2500104000 ff2504104000 ff2508104000 ff2510114000 }
            // n = 4, score = 2000
            //   ff2500104000         | jmp                 dword ptr [0x401000]
            //   ff2504104000         | jmp                 dword ptr [0x401004]
            //   ff2508104000         | jmp                 dword ptr [0x401008]
            //   ff2510114000         | jmp                 dword ptr [0x401110]

        $sequence_5 = { ff2504104000 ff2508104000 ff2510114000 ff2560104000 }
            // n = 4, score = 2000
            //   ff2504104000         | jmp                 dword ptr [0x401004]
            //   ff2508104000         | jmp                 dword ptr [0x401008]
            //   ff2510114000         | jmp                 dword ptr [0x401110]
            //   ff2560104000         | jmp                 dword ptr [0x401060]

        $sequence_6 = { ff2544104000 ff25f8104000 ff2524114000 ff2530104000 }
            // n = 4, score = 2000
            //   ff2544104000         | jmp                 dword ptr [0x401044]
            //   ff25f8104000         | jmp                 dword ptr [0x4010f8]
            //   ff2524114000         | jmp                 dword ptr [0x401124]
            //   ff2530104000         | jmp                 dword ptr [0x401030]

        $sequence_7 = { ff2530104000 ff2594104000 ff25cc104000 ff2528104000 }
            // n = 4, score = 2000
            //   ff2530104000         | jmp                 dword ptr [0x401030]
            //   ff2594104000         | jmp                 dword ptr [0x401094]
            //   ff25cc104000         | jmp                 dword ptr [0x4010cc]
            //   ff2528104000         | jmp                 dword ptr [0x401028]

        $sequence_8 = { ff25e0104000 ff25ec104000 ff25c4104000 ff25d8104000 }
            // n = 4, score = 2000
            //   ff25e0104000         | jmp                 dword ptr [0x4010e0]
            //   ff25ec104000         | jmp                 dword ptr [0x4010ec]
            //   ff25c4104000         | jmp                 dword ptr [0x4010c4]
            //   ff25d8104000         | jmp                 dword ptr [0x4010d8]

        $sequence_9 = { ff2524104000 ff2514114000 ff2520114000 ff2518114000 }
            // n = 4, score = 2000
            //   ff2524104000         | jmp                 dword ptr [0x401024]
            //   ff2514114000         | jmp                 dword ptr [0x401114]
            //   ff2520114000         | jmp                 dword ptr [0x401120]
            //   ff2518114000         | jmp                 dword ptr [0x401118]

    // Fires when at least 7 of the 10 $sequence_* byte patterns above are
    // present anywhere in the scanned data; no file-type or offset constraint.
    condition:
        7 of them
}