win.diamondfox

DiamondFox

aka: Crystal, Gorynych, Gorynch

There is no description at this point.

References
2022-08-08 | Medium CSIS Techblog | Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-07-27 | ZAYOTEM | Abdulsamet Akinci
@techreport{akinci:20210727:diamondfox:f648c5c, author = {Abdulsamet Akinci}, title = {{Diamondfox Technical Analysis Report}}, date = {2021-07-27}, institution = {ZAYOTEM}, url = {https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF}, language = {English}, urldate = {2021-08-24} } Diamondfox Technical Analysis Report
DiamondFox
2020-08-10 | FR3D.HK | Fred HK
@online{hk:20200810:diamondfox:d2a194b, author = {Fred HK}, title = {{DiamondFox - Bank Robbers will be replaced}}, date = {2020-08-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced}, language = {English}, urldate = {2020-08-12} } DiamondFox - Bank Robbers will be replaced
DiamondFox
2017-05-10 | Check Point | Check Point
@online{point:20170510:diamondfox:018fbdb, author = {Check Point}, title = {{DiamondFox modular malware – a one-stop shop}}, date = {2017-05-10}, organization = {Check Point}, url = {http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/}, language = {English}, urldate = {2019-12-18} } DiamondFox modular malware – a one-stop shop
DiamondFox
2017-04-06 | Malwarebytes | Malwarebytes Labs
@online{labs:20170406:diamond:5788882, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 2: let’s dive in the code}}, date = {2017-04-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/}, language = {English}, urldate = {2019-12-20} } Diamond Fox – part 2: let’s dive in the code
DiamondFox
2017-03-17 | Malwarebytes | Malwarebytes Labs
@online{labs:20170317:diamond:67bf9e6, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 1: introduction and unpacking}}, date = {2017-03-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/}, language = {English}, urldate = {2019-12-20} } Diamond Fox – part 1: introduction and unpacking
DiamondFox
2016-12-12 | SC Magazine | SC Magazine
@online{magazine:20161212:inside:0f139d0, author = {SC Magazine}, title = {{Inside DiamondFox}}, date = {2016-12-12}, organization = {SC Magazine}, url = {https://www.scmagazine.com/inside-diamondfox/article/578478/}, language = {English}, urldate = {2020-01-13} } Inside DiamondFox
DiamondFox
2015-10-08 | Cylance | Brian Wallace
@online{wallace:20151008:study:c8ba2d5, author = {Brian Wallace}, title = {{A Study in Bots: DiamondFox}}, date = {2015-10-08}, organization = {Cylance}, url = {https://blog.cylance.com/a-study-in-bots-diamondfox}, language = {English}, urldate = {2020-01-08} } A Study in Bots: DiamondFox
DiamondFox
Yara Rules
[TLP:WHITE] win_diamondfox_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_diamondfox_auto {
    // Autogenerated detection rule for the win.diamondfox family (Malpedia).
    // Fires when at least 7 of the 10 four-instruction byte sequences in the
    // strings section are found in the scanned data (see condition below).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` (rule generation) and `malpedia_version` (dataset
        // snapshot) differ; presumably the rule was regenerated from the
        // 20180607 corpus on 2018-11-23 — confirm before relying on either.
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // NOTE(review): every sequence below is a run of `jmp dword ptr [0x4010xx]`,
        // i.e. indirect jumps through absolute pointers just above the default
        // 0x400000 image base. This looks like a compiler-generated import-thunk
        // table rather than family-specific logic — confirm before assigning this
        // rule a high confidence level. Two consequences to keep in mind:
        //  - the absolute addresses bind the rule to this sample's layout, so a
        //    rebuilt, rebased or relocated sample may not match (false negatives);
        //  - any unrelated binary with the same thunk layout could match 7 of the
        //    10 sequences (false positives). Corroborate hits with other signals.
        // Each sequence is hex-encoded machine code; the comments give n (the
        // number of instructions) and the score assigned by yara-signator.
        $sequence_0 = { ff258c104000 ff2588104000 ff2508114000 ff2570104000 }
            // n = 4, score = 2000
            //   ff258c104000         | jmp                 dword ptr [0x40108c]
            //   ff2588104000         | jmp                 dword ptr [0x401088]
            //   ff2508114000         | jmp                 dword ptr [0x401108]
            //   ff2570104000         | jmp                 dword ptr [0x401070]

        $sequence_1 = { ff253c104000 ff2550104000 ff2548104000 ff2584104000 }
            // n = 4, score = 2000
            //   ff253c104000         | jmp                 dword ptr [0x40103c]
            //   ff2550104000         | jmp                 dword ptr [0x401050]
            //   ff2548104000         | jmp                 dword ptr [0x401048]
            //   ff2584104000         | jmp                 dword ptr [0x401084]

        $sequence_2 = { ff25bc104000 ff25b4104000 ff25f0104000 ff2544104000 }
            // n = 4, score = 2000
            //   ff25bc104000         | jmp                 dword ptr [0x4010bc]
            //   ff25b4104000         | jmp                 dword ptr [0x4010b4]
            //   ff25f0104000         | jmp                 dword ptr [0x4010f0]
            //   ff2544104000         | jmp                 dword ptr [0x401044]

        // $sequence_3 overlaps $sequence_1 (shares the 3c/50/48 thunks), so the
        // two are not independent evidence when counting toward the condition.
        $sequence_3 = { ff2568104000 ff253c104000 ff2550104000 ff2548104000 }
            // n = 4, score = 2000
            //   ff2568104000         | jmp                 dword ptr [0x401068]
            //   ff253c104000         | jmp                 dword ptr [0x40103c]
            //   ff2550104000         | jmp                 dword ptr [0x401050]
            //   ff2548104000         | jmp                 dword ptr [0x401048]

        $sequence_4 = { ff2500104000 ff2504104000 ff2508104000 ff2510114000 }
            // n = 4, score = 2000
            //   ff2500104000         | jmp                 dword ptr [0x401000]
            //   ff2504104000         | jmp                 dword ptr [0x401004]
            //   ff2508104000         | jmp                 dword ptr [0x401008]
            //   ff2510114000         | jmp                 dword ptr [0x401110]

        // $sequence_5 overlaps $sequence_4 (shares the 04/08/10 thunks); same
        // caveat on independence as above.
        $sequence_5 = { ff2504104000 ff2508104000 ff2510114000 ff2560104000 }
            // n = 4, score = 2000
            //   ff2504104000         | jmp                 dword ptr [0x401004]
            //   ff2508104000         | jmp                 dword ptr [0x401008]
            //   ff2510114000         | jmp                 dword ptr [0x401110]
            //   ff2560104000         | jmp                 dword ptr [0x401060]

        $sequence_6 = { ff2544104000 ff25f8104000 ff2524114000 ff2530104000 }
            // n = 4, score = 2000
            //   ff2544104000         | jmp                 dword ptr [0x401044]
            //   ff25f8104000         | jmp                 dword ptr [0x4010f8]
            //   ff2524114000         | jmp                 dword ptr [0x401124]
            //   ff2530104000         | jmp                 dword ptr [0x401030]

        $sequence_7 = { ff2530104000 ff2594104000 ff25cc104000 ff2528104000 }
            // n = 4, score = 2000
            //   ff2530104000         | jmp                 dword ptr [0x401030]
            //   ff2594104000         | jmp                 dword ptr [0x401094]
            //   ff25cc104000         | jmp                 dword ptr [0x4010cc]
            //   ff2528104000         | jmp                 dword ptr [0x401028]

        $sequence_8 = { ff25e0104000 ff25ec104000 ff25c4104000 ff25d8104000 }
            // n = 4, score = 2000
            //   ff25e0104000         | jmp                 dword ptr [0x4010e0]
            //   ff25ec104000         | jmp                 dword ptr [0x4010ec]
            //   ff25c4104000         | jmp                 dword ptr [0x4010c4]
            //   ff25d8104000         | jmp                 dword ptr [0x4010d8]

        $sequence_9 = { ff2524104000 ff2514114000 ff2520114000 ff2518114000 }
            // n = 4, score = 2000
            //   ff2524104000         | jmp                 dword ptr [0x401024]
            //   ff2514114000         | jmp                 dword ptr [0x401114]
            //   ff2520114000         | jmp                 dword ptr [0x401120]
            //   ff2518114000         | jmp                 dword ptr [0x401118]

    condition:
        // Match when 7 or more of the 10 $sequence_* strings occur anywhere in
        // the scanned data. No file-type or size guard is applied, which is
        // intentional for memory dumps and unpacked files (see DISCLAIMER);
        // add such guards in a wrapper rule if scanning untrusted bulk data.
        7 of them
}