{
	"id": "61a49ad5-053d-4b8c-8e83-0e99d821e94c",
	"created_at": "2026-04-06T00:16:16.845487Z",
	"updated_at": "2026-04-10T03:21:46.706946Z",
	"deleted_at": null,
	"sha1_hash": "40ab65dd31111c6013d70599c74100fc96e6b5f8",
	"title": "DiamondFox - Bank Robbers will be replaced",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4633900,
	"plain_text": "DiamondFox - Bank Robbers will be replaced\r\nArchived: 2026-04-05 17:40:38 UTC\r\nDiamondFox Kettu is the newest addition to the DiamondFox family. In this post, I will be analysing and\r\ndiscussing how it functions, its encryption, and how it achieves its modularity.\r\nForeword\r\nFirst, I would like to give a huge thank you to Casperinous for his amazing help with the config decryption, and to\r\nSteve Ragan for editing and reviewing this analysis. This post has taken some time to write due to my desire to\r\ncreate an in-depth look at this piece of malware. For updates and information about my work follow me on Twitter\r\n@fr3dhk.\r\nOverview\r\nDiamondFox is a well-known family within the commodity malware market. The creator has been working on it\r\nfor a while, and has iterated through quite a few different names and versions. The previous version had the\r\ncodename \"Renard\", which is French for fox; this version's codename is \"Kettu\".\r\nDiamondFox is sold in many blackhat communities by a user named edbitss, along with his other piece of\r\nmalware, GlitchPOS. A large selling point of DiamondFox is that it's a modular piece of malware. It has been\r\ndeveloped so it supports the ability for the user to add plugins into the panel, which will then be executed by the\r\nmalware. Because of this modularity, the seller has decided to sell different parts of his malware for different\r\nprices.\r\nPrices:\r\nhttps://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced\r\nPage 1 of 22\n\nBotkiller - 100$\r\nJabber notifier - 50$\r\nCookies grabber - 100$\r\nUAC bypasser - 100$\r\nHidden ammyy admin - 150$\r\nFile stealer - 150$\r\nStealers (browsers, IM, FTP, RDP and web history) - 100$\r\nPersistence - 100$\r\nKeylogger - 100$\r\nRemote console - 100$\r\nCrypto hijacker - 100$\r\nBolt - 200$\r\nUSB spread - 100$\r\nBot - 600$\r\nVideo recorder - 200$\r\nWallet stealer - 100$\r\nAs you can see, this is a somewhat pricey piece of code. It is also a very capable piece of malware with lots of\r\ndifferent plugins. The malware is controlled through an HTTP command and control server (C2) written\r\nin PHP; I'll be discussing the C2 at the end of this post. DiamondFox is written in VB6 and the main part of the\r\nmalware provides some commonly found features; here are some of them.\r\nEncrypted C2 communications \u0026 namecoin support\r\nUnicode\r\nScreenshots\r\nSmall binary size, around 90 KB\r\nAnti-analysis\r\nNative binary\r\nPersistence \u0026 self-destruction\r\nDiamondFox bases its initial functionality on a config that is set during the building of the binary. This is\r\nencrypted, so we will need to decrypt it before we proceed with the rest of this analysis.\r\nConfiguration \u0026 Decryption\r\nDue to the malware being written in VB6, we can use certain tools to decompile the malware into p-code and then,\r\nwithin the same tool, export a pseudocode representation of the control flow of the malware. Because the tool does not\r\nsupport analysis functions such as renaming functions and variables, I have had to export the entire\r\npseudocode representation into a text file and then open it in my favourite text editor. In the following screenshots\r\nyou will see the code that I have analysed and renamed; please take some function names with a grain of salt as I\r\nmay have given them a generic name.\r\nEncrypted Config\r\nIn the above image you will see the function named EncryptedConfig. This function contains 8 encrypted strings\r\nthat it proceeds to combine into one long string, which is then returned. We can determine that this is the encrypted\r\nconfig as it's one of the first functions called within main.\r\nDecrypt Config\r\nIn main we see the first use of the EncryptedConfig function. Before the malware decrypts the configuration\r\nit will first use a different decryption method to decrypt a string. This string encryption is used throughout the\r\nmalware to evade analysis. Looking at the DecryptString function we see the following.\r\nDecrypt String VB\r\nI have rewritten this function in Python (link) so that I can decrypt the rest of the strings within the malware. Now\r\nI can go back and decrypt the string before the config decryption. We can presume that the newly decrypted string\r\nis our cipher key for the config decryption as it is passed as a parameter to the decryption function.\r\nDecrypt Function\r\nAfter going through the malware I realised that the malware base64 decodes the config and then uses AES to\r\ndecrypt the config. Knowing this I then started looking for an IV, which made me come across the source code\r\n(link) for the class the malware author has used. This source code made it clear that the AES mode is ECB and\r\nthat the malware author also uses encoding to inflate and deflate the configuration. I used the previously decrypted\r\ncipher key and plugged it into a recipe (link) I have cooked up in CyberChef (link) to recreate the config\r\ndecryption process.\r\nCyberChef\r\nThe config will determine the following.\r\nC2 URLs\r\nUser Agents\r\nC2 Encryption keys\r\nTimers\r\nAntis\r\nInstallation\r\nStartup\r\nThe key for the decryption of the config will be different per build, along with other parts of the configuration.\r\nOnce the configuration is decrypted different globals will be set so that the malware can determine its\r\nfunctionality.\r\nInstallation \u0026 Evasion\r\nBefore the malware begins with its persistence and evasion mechanisms it will first check if the anti-analysis options are enabled within the malware's config. If they are enabled then there are a bunch of different if\r\nstatements that will call some anti-analysis methods. The important method we see employed by the malware is\r\nthe checking of DLLs.\r\nAnti-Analysis method\r\nThe malware will attempt to load a few different libraries that are commonly found within VM installations.\r\nAlong with this check the malware attempts to turn off Windows Defender if the user is an admin.\r\nAnti Windows Defender\r\nIf these checks pass and the malware determines that it isn't running within a virtual machine it will then proceed\r\nwith the installation and persistence of the malware. Persistence begins with DiamondFox determining its\r\ninstallation path from its configuration. Once this directory has been determined the malware will check the\r\nlocation where it is currently running and compare it with this install location. If they do not match,\r\nDiamondFox will create the installation directory and then use the following commands in PowerShell to copy\r\nitself to the installation directory.\r\nDrop \u0026 Start\r\nOnce the malware has copied itself using PowerShell and the newly copied malware has been started, it will\r\nproceed to 'melt', which is a term for deleting itself. This is again done with PowerShell.\r\nMelt\r\nThe malware exits once this command has been executed and we move our analysis to the newly started malware\r\nin the installation location. To achieve startup persistence the malware will first check if this functionality is\r\nenabled within its configuration. If it is then DiamondFox will again make use of PowerShell to create a shortcut\r\nfile and place it within the startup folder for the user.\r\nCreate Startup\r\nCommand \u0026 Control Communications\r\nDiamondFox's command and control communications are done over HTTP, where they are encrypted and sent\r\nfrom the malware to a web server running PHP. Before the malware can begin communications it must first\r\nresolve the C2's domain. A feature that sets DiamondFox apart from competing malware is the ability to use\r\nnamecoin domains. To achieve this the malware makes use of the following (link) to be able to easily query\r\nnamecoin domains. Once the C2 domain has been resolved the malware can then make its first connection to the\r\nC2. The malware then checks each of the gates within the config to be able to find the correct one.\r\nCheck Gates\r\nThe malware iterates through each gate and then requests it with a unique user-agent that has been specified in the\r\nconfiguration. Along with this the malware has a decryption key that will be verified with the C2. Once a C2 has\r\nbeen verified it will then be set into a global and be used as the main gate. Now that the malware has the correct\r\ngate to use, it will then begin by collecting some system information through WMI.\r\nPC Info\r\nAlong with this information we also see the malware collecting running processes and installed programs. On top\r\nof DiamondFox collecting basic information about the infected computer it also includes some Windows\r\nenvironment information.\r\nMore Info\r\nDiamondFox communications are encrypted with 128-bit AES; this time the first 16 bytes of the connection key are\r\nused as the AES cipher key. The malware determines a field to use within the POST request, which is determined\r\nby the following logic to create a unique field.\r\nGate Check-In\r\nNow that DiamondFox has the correct gate to use and has collected all of the relevant information about the\r\ninfected computer it will send a POST to the gate with the information encrypted within the uniquely generated\r\nfield. Our encryption key for this piece of malware is 'aadd2492be4f9f28' and the generated field is 'a98', which\r\nyou can see below.\r\nGate Post\r\nThe C2 will receive this POST and handle it. Then, if the user of the malware has created a task to download and\r\nexecute malware, the POST request will be replied to by the C2 with the file that needs to be downloaded and\r\nexecuted. Retrieving the payload is done in two ways: if the payload is being hosted on the C2 then the malware\r\nwill request the gate with the gf URL parameter containing the file's name. This stands for get file and will return\r\nthe file requested. If the file is a remote file then the malware will request the gate with the grf (get remote file)\r\nURL parameter and the C2 will then proceed to use cURL to proxy the file to the malware. Once the malware has\r\ndealt with the download and execute task it'll then proceed to report this to the C2.\r\nDiamondFox is also able to exfiltrate different files; the first file that is uploaded is a screenshot of the infected\r\nhost. Once the screenshot has been taken the malware will send a POST request to the C2 with the screenshot in\r\nthe POST body. The gate also uses another uniquely generated URL parameter named slots. This parameter is\r\ngenerated from the first 3 characters in the communications' encryption key. Because our encryption key is\r\n'aadd2492be4f9f28', the slots URL parameter will be 'aad', as seen below.\r\nScreenshot Upload\r\nThe C2 determines what the uploaded file is by its extension. Here is the list of the extensions and their meaning.\r\njpg - Screenshot\r\nlog - Keylogger logs\r\nhst - Web history\r\npw - Stealer logs\r\nftp - FTP logs\r\nins - Software instances\r\nml - Email logs\r\nrdp - RDP logs\r\ncc - RAM scraper logs\r\nwallet - Wallet stealer logs\r\nDiamondFox will also ban IPs that seem to be attempting malicious things. These include trying to enumerate\r\ninformation through the C2 and connecting to the gate with the incorrect user-agent.\r\nPlugin System\r\nDiamondFox has an extensive plugin system, which is one of its main selling points. These plugins are distributed\r\nby the seller in the form of an encrypted DLL with the extension .pack and a codename. The pack files can then be\r\nuploaded to the C2 and their functionality can be changed accordingly within the control panel. DiamondFox\r\nhandles plugins by first requesting the C2 gate with the URL parameter 'pl=1', which stands for plugin list. The C2\r\nresponds with a comma-separated list of all the plugin ids that are enabled.\r\nDecrypted Plugin List\r\nThe malware will receive this text and split it into an array of plugin ids. For the first 6 possible plugins the\r\nmalware will iterate through the array and check if any of the first 6 plugins are enabled. If a plugin is enabled\r\nwithin these first 6 then it will be retrieved using the URL parameter 'p', which is set to the plugin id.\r\nRetrieve First 6 Plugins\r\nEach plugin is uniquely encrypted with its own AES 128-bit cipher key. Once DiamondFox has retrieved the\r\nplugin with the 'p' URL parameter it will then proceed to get the plugin password using the 'gpp' URL parameter,\r\nwhich will return an encrypted cipher key. This cipher key is then used to decrypt the retrieved plugin. Here is a\r\nlist of all the plugins along with their codenames, decryption keys and other important information.\r\nPlugin List\r\nWithin this MySQL table we see a column named 'install'; this refers to whether the plugin should be constantly\r\nrun or just run once. The first 6 plugins are not installed and are all credential stealers, hence why they are done\r\nseparately. Each of these first 6 plugins will write their stolen credentials to a log file in the malware install path\r\nwith the name scheme of their id + '.log'. The malware will execute the DLL and wait until this log file is available\r\nto be sent to the C2. This upload is again done with the slots parameter, which in our case is 'aad'.\r\nUpload Stolen Credentials\r\nOnce the malware has handled the first 6 plugins it then continues onto a different system where it requests the C2\r\nwith a URL parameter of 'lp', which will return a comma-separated list of all the plugin ids that are\r\nenabled and have install enabled. These can be seen in the table above.\r\nGet Install Plugins\r\nThe malware will then iterate through each of the plugins returned by the C2 and call the HandleInstallPlugin\r\nfunction so that each of these plugins can be run.\r\nAll installed plugins are kept in a directory named 'modules' within the installation directory. If this directory does\r\nnot exist then it will be created. Plugins are written to this directory with the name scheme of their id + '.dll'. When\r\nHandleInstallPlugin is called on a plugin it is first checked to see whether it already exists within the\r\n'modules' directory. If it doesn't then the malware will retrieve it from the C2 and decrypt it. The plugin is\r\nretrieved with the URL parameter 'gpb', which is set to the plugin id.\r\nMost of the installed plugins have a configuration that also needs to be retrieved. The configuration file name is\r\nretrieved with the 'pcn' URL parameter, which is set to the id of the plugin (pcn standing for plugin config name).\r\nThe C2 will then respond with the filename of the plugin config to be written within the install folder.\r\nFile Stealer Config Name\r\nIf the C2 returns a config filename for the plugin then the malware will proceed to request the config from the C2\r\nwith the URL parameter 'lpc' (load plugin config), which is set to the plugin's id. This is then written into the\r\nplugin's configuration file. Here's an example of the configuration returned for the file stealer plugin.\r\nFile Stealer Configuration\r\nThe configuration for each plugin will vary, but parameters are always split by pipes. The plugin's password is\r\nthen retrieved from the C2 with the already seen URL parameter 'gpp'. The malware then loads the decrypted\r\nDLL and runs it. The output of the DLL is then written to a log file and the log file is uploaded to the C2. There are\r\ntoo many plugins to cover in one post, so I'll just be giving an overview of some of the more interesting ones. Here's a table summarising the plugin-related URL parameters.\r\nURL Parameter | URL Example | Description | Example Decrypted Response\r\npl | http://c2.com/gate.php?pl=1 | Enabled plugin list | 1,2,3,4,5,6\r\np | http://c2.com/gate.php?p=2 | Retrieve encrypted plugin DLL | Plugin DLL\r\ngpp | http://c2.com/gate.php?gpp=2 | Get plugin password | a4d54e4e6a1e87c4\r\nlp | http://c2.com/gate.php?lp=1 | Install plugin list | 9,10,11,12,13\r\ngpb | http://c2.com/gate.php?gpb=9 | Retrieve encrypted plugin DLL | Plugin DLL\r\npcn | http://c2.com/gate.php?pcn=9 | Retrieve plugin config filename | search.conf\r\nlpc | http://c2.com/gate.php?lpc=9 | Get plugin config | '*.wallet|ALL|100|200'\r\nAnd here is what the install folder looks like after these plugins have been run.\r\nInstall Folder After Plugins\r\nIn the above image you can see the configuration files for different plugins and the folder that will contain videos\r\nfor the screen recorder plugin. Here's the contents of the modules folder.\r\nModules\r\nAbove are the encrypted DLL modules.\r\nHidden RDP\r\nDiamondFox offers hidden remote control of an infected computer as one of its many plugins. Although this is\r\nnamed hidden RDP it does not make use of the Windows RDP service and instead will utilise the remote access\r\ntool called Ammyy Admin (link). Ammyy Admin is commonly used in tech support scams and is also the base for\r\nthe FlawedAmmyy malware (link). Unlike other plugins DiamondFox will only trigger this plugin if the user has\r\ncreated a task for an infected computer to start the hidden RDP process. When opening Ammyy Admin you will\r\nbe greeted with the following.\r\nAmmyy Admin works by creating a unique ID and password for your computer that you can share with someone\r\nelse, who will then be able to connect to your computer using these credentials. But this would create\r\nissues for DiamondFox as it must run Ammyy Admin without notifying the user whilst also being able to pass the\r\nclient ID and password back to the C2 for malicious users to exploit. So to combat these issues DiamondFox uses\r\nthe following exploit (link) to hide the GUI, set a specified password and also know the location of the infected\r\nuser's ID in memory. Here's main, where we can see the plugin making use of this exploit (I have renamed\r\nfunctions for clarity).\r\nHRDP Main\r\nWe initially see a mutex being created so that the plugin isn't running twice. Then the malware will make sure that\r\nthe 'ID.txt' file does not exist in APPDATA as this is where it'll write the infected user's Ammyy Admin client ID.\r\nThe malware will then create a directory in the 'ProgramData' directory named 'AMMYY'. Once this directory has\r\nbeen created the malware will write the authentication bypass files to this folder. The malware will then\r\nproceed with process injection into Windows Media Player.\r\nInject Ammyy Admin\r\nThe process injection is done by first locating where the Windows Media Player binary is located and then loading\r\nthe Ammyy Admin binary from resources. The Ammyy Admin binary is then injected into a newly started\r\nWindows Media Player process. The process injection will also make use of the -nogui exploit within the injected\r\nprocess so that Ammyy Admin does not display anything to the user. The malware will then proceed with another\r\nprocess injection.\r\nStart Loader\r\nThe malware loads another binary from resources which is responsible for reading the client ID from memory and\r\nthen writing it to the 'ID.txt' file in APPDATA. The ID.txt file contents are then uploaded to the C2 so that the user can\r\nconnect to the infected computer.\r\nRemote Console\r\nIf the user wants to start a remote shell on their infected computer then they can do it through the remote console\r\nplugin. This plugin allows the user to command a remote command-line instance on the infected\r\ncomputer. Like the hidden RDP plugin, this plugin is only triggered by the user. Here's what this looks like\r\nfor the user.\r\nDiamondFox Remote Console\r\nWhen the plugin is triggered we see the same process of DLL loading. Once the DLL is loaded the plugin begins\r\nby creating a mutex and then proceeding with checking in with the C2. This is done by setting a URL parameter of\r\n'cmd' which is equal to a base64 encoded string of the infected computer's HWID + '|Connected'. Let's take a look\r\nat the plugin's main.\r\nShell Main\r\nWe see the main loop, which will request the C2 looking for commands. If it gets a run command then a file will\r\nbe dropped to the disk and then run using PowerShell. Other commands will be run through a hidden command line with width and height set to 0. Standard input/output will be used to enter and retrieve commands from this\r\nhidden CMD process and the output will then be sent back to the C2 to be displayed to the user.\r\nPersistence\r\nTo keep the infected user from being able to kill the DiamondFox process the developer has created a plugin to\r\nwatch the DiamondFox process and restart it if it has been stopped. The plugin begins by determining if the\r\ninfected computer is using a 32-bit or 64-bit architecture. If the victim is using 32-bit then the malware will get the\r\nx86 program files directory, or if the host is 64-bit then it'll get the program files directory. Once it has a directory\r\nto use it will iterate through the sub directories and find the first directory that contains an executable. When an\r\nexecutable has been found the malware will load another binary from resources and inject it into the chosen\r\nexecutable.\r\nThe injected executable will proceed to copy the main DiamondFox binary and watch the process of the malware.\r\nIf the process stops then the malware will use PowerShell to restart the process. If the file is deleted then the plugin\r\nwill drop the copied binary and start the process.\r\nUAC Bypass\r\nTo give the malware a stronger hold on the infected computer DiamondFox makes use of User Account Control\r\n(UAC) bypasses to be able to gain higher privileges. When the plugin is loaded it begins by querying two registry\r\nkeys.\r\nUAC Checks\r\nThese checks will query the registry keys that determine if any attempts at elevation of privileges will create a\r\nvisual prompt for the administrator of the infected computer. If the attempts will create visual prompts then the\r\nplugin will exit. If not then the UAC bypass plugin will query the Windows product name, and if the version\r\nof Windows is not supported then the plugin will exit.\r\nUAC Product Name Checks\r\nI'm not going to reiterate all the different bypasses DiamondFox uses as they have been described in more depth\r\nelsewhere. Here are the bypasses it uses as of writing this analysis.\r\nwsreset.exe (link)\r\nsdclt.exe (link)\r\nfodhelper.exe (link)\r\neventvwr.exe (link)\r\nC2 \u0026 Panel\r\nHere are some screenshots of the inside of the panel.\r\nLogin\r\nDashboard\r\nClients\r\nClient\r\nStatistics\r\nReports\r\nSettings\r\nPlugins\r\nTask Manager\r\nEpilogue\r\nDiamondFox is a very capable piece of malware with many features and plugins. Although some plugins seem to\r\nbe very basic, the malware comes together as a very dangerous piece of kit. This analysis took longer than I had\r\nplanned so I have left out a few of the plugins. I may come back to write about these if I see it as necessary. I hope\r\nthat this was a beneficial analysis and until the next time, goodbye \u0026 thanks for reading!\r\nIOC\r\n4440d9bb248b6ecb966eef7af0ec276c\r\nhttps://tria.ge/200812-vc8ftkz17s/\r\ntimesync.live\r\nSource: https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced"
	],
	"report_names": [
		"diamondfox-bank-robbers-will-be-replaced"
	],
	"threat_actors": [],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40ab65dd31111c6013d70599c74100fc96e6b5f8.pdf",
		"text": "https://archive.orkl.eu/40ab65dd31111c6013d70599c74100fc96e6b5f8.txt",
		"img": "https://archive.orkl.eu/40ab65dd31111c6013d70599c74100fc96e6b5f8.jpg"
	}
}