{
	"id": "7d4717de-a1f2-4634-a726-23577367fae9",
	"created_at": "2026-04-06T00:13:06.932723Z",
	"updated_at": "2026-04-10T03:37:09.367775Z",
	"deleted_at": null,
	"sha1_hash": "f237144584213d1523e9702d995c0b87a3d8f3e3",
	"title": "Diamond Fox - part 2: let's dive in the code | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 800147,
	"plain_text": "Diamond Fox - part 2: let's dive in the code | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-04-05 · Archived: 2026-04-05 19:38:03 UTC\r\nIn a previous post we made an initial analysis of a Diamond Fox bot delivered by the Nebula Exploit Kit (more about the campaign can be found here). We described how to unpack the protection layer in order to get the core, written in Visual Basic, which can be decompiled. In this second part of the series, we will take a deeper look into the code and analyze the bot’s features and code design.\r\nAnalyzed samples\r\n988e9fa903cc2fbb80e7221072fb2221 – Diamond Fox Crystal (final VB payload)\r\n3ef960da3e4bc4bc7c05d02fbf121d4e – old Diamond Fox (final VB payload)\r\nChangelog\r\nIn the release that is sold on the black market, the authors included a changelog describing all versions up to the current one (codenamed Crystal). Below, you can see the related fragment:\r\nCrystal Version [+] Loader core recoded [+] Improved Size: 17.5 kb [+] Added unlimited panel list [+\r\nDecompiling\r\nAs we mentioned in the previous post, Diamond Fox is written in Visual Basic and, after unpacking, it can be decompiled with VB Decompiler. Unfortunately, the results of the decompilation are not fully accurate and some parts of the code are difficult to analyze. However, we can still figure out the most important actions performed by the malware.\r\nWe provided a partially cleaned version of the decompiled code:\r\nhttps://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-module1-vb\r\nExecution flow\r\nDiamond Fox starts its execution by decrypting and parsing the configuration – in this edition, it is stored in the PE section “L!NK”. Then, depending on the configuration, some further features are enabled or disabled. 
For example, it may deploy defensive checks against sandboxes and virtual machines.\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/\r\nPage 1 of 8\n\nThe stored parameters are encrypted and are decrypted at runtime – however, the decryption function is no longer the simple XOR known from the previous versions:\r\n(see a partially cleaned version of this function: https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-decrypt-vb)\r\nAlong with the features that can be enabled or disabled depending on the configuration, Diamond Fox offers features that are controlled from the CnC.\r\nReading the response from the CnC:\r\nParsing commands and executing the appropriate actions (commands are identified by numbers, from 0 to 25):\r\nFeatures\r\nLet’s have a look inside the code and follow the features mentioned by the authors.\r\n[+] Loader core recoded\r\nThe code of the malware has been reorganized and large portions of it have been rewritten. This can be noticed at first sight if we decompile the new version and compare it with the old one. In the current version everything is in one module, while in the previous versions the code was subdivided into various modules.\r\nOld Diamond Fox decompiled (fragment):\r\nWe can see the code subdivided into modules with descriptive names, making analysis easier. In the new version, we will not find this familiar layout.\r\nDecompiled code of Diamond Fox Crystal (the new one):\r\nThe new version introduced a different way of storing the configuration. 
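Because the configuration lives in a non-standard PE section named L!NK, the first static triage step is to pull that section out of the file without running the sample. The script below is an added example for this write-up (not code from the original post or from the malware): it walks the PE section table using only the Python standard library, dumps the L!NK section together with its permission flags and byte entropy (an entropy close to 8.0 is what you expect from the encrypted blob described above), and diffs the section between two copies of the same file, which is how you would confirm that the bot rewrites L!NK on disk to store fetched data. The PE it parses is a constructed fixture; the section flags and contents in it are assumptions, not values taken from the analyzed sample.

```python
"""Locate, dump and diff a non-standard PE section such as Diamond Fox's "L!NK".
Added example for this write-up, not code from the original post or the malware.
Standard library only; the PE below is a constructed fixture (section names and
flags are assumptions) so the script runs offline.
"""
import math
import os
import struct
from collections import Counter

# IMAGE_SCN_* characteristics bits from the PE/COFF specification.
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table, sections = coff + 20 + opt_size, []
    for i in range(nsec):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_offset": rawptr,
                         "characteristics": chars})
    return sections


def section_bytes(data, sec):
    """Slice a section's raw data, refusing offsets that point outside the file."""
    start, size = sec["raw_offset"], sec["raw_size"]
    if start + size > len(data):
        raise ValueError(f"section {sec['name']!r} raw data exceeds file size")
    return data[start:start + size]


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 means the blob looks encrypted or compressed."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def describe_flags(chars):
    """Render the memory-permission bits as an 'RWX'-style string."""
    return "".join(ch if chars & bit else "-" for ch, bit in
                   (("R", SCN_MEM_READ), ("W", SCN_MEM_WRITE), ("X", SCN_MEM_EXECUTE)))


def find_config_section(data, name="L!NK"):
    """Summarise the named section (offset, size, flags, entropy, bytes); None if absent."""
    for sec in parse_sections(data):
        if sec["name"] == name:
            blob = section_bytes(data, sec)
            return {**sec, "flags": describe_flags(sec["characteristics"]),
                    "entropy": round(shannon_entropy(blob), 2), "data": blob}
    return None


def changed_sections(before, after):
    """Names of sections whose raw bytes differ between two copies of the same file,
    e.g. the dropped sample versus the file after the bot stored its generated ID."""
    old = {s["name"]: section_bytes(before, s) for s in parse_sections(before)}
    new = {s["name"]: section_bytes(after, s) for s in parse_sections(after)}
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))


def build_minimal_pe(sections):
    """Constructed PE32 fixture from (name, raw_bytes, characteristics) tuples:
    enough header for the parser above, not a runnable executable; 512-byte alignment."""
    e_lfanew, opt_size = 0x40, 0xE0  # PE32 optional header size
    table = e_lfanew + 4 + 20 + opt_size
    raw_start = (table + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    headers, payload, raw_ptr, vaddr = b"", b"", raw_start, 0x1000
    for name, blob, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), vaddr,
                               len(blob), raw_ptr, 0, 0, 0, 0, chars)
        padded = blob.ljust((len(blob) + 0x1FF) & ~0x1FF, b"\0")
        payload, raw_ptr, vaddr = payload + padded, raw_ptr + len(padded), vaddr + 0x1000
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(raw_start, b"\0") + payload


if __name__ == "__main__":
    # Constructed sample: a code section plus an "L!NK" section of random bytes
    # standing in for the encrypted configuration blob.
    dropped = build_minimal_pe([
        (b".text", b"\x55\x8b\xec\xc3" * 32, SCN_MEM_READ | SCN_MEM_EXECUTE),
        (b"L!NK", os.urandom(512), SCN_MEM_READ | SCN_MEM_WRITE)])
    info = find_config_section(dropped)
    print({k: v for k, v in info.items() if k != "data"})
    # Simulate the bot rewriting its config section on disk after generating a bot ID.
    off = info["raw_offset"]
    patched = dropped[:off] + os.urandom(512) + dropped[off + 512:]
    print("sections changed after execution:", changed_sections(dropped, patched))
```

To use it on a real file, replace the fixture with the bytes of the dropped sample and, for the diff, with the same file copied out of the analysis VM after execution. The parser bounds-checks the section table and every raw offset on purpose: packed and hand-edited samples with truncated or lying headers are common, and a naive slice would silently return an empty or wrong blob instead of failing loudly.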
Now, the encrypted configuration is in the dedicated section named “L!NK”.\r\n[+] Added domain generation algorithm\r\nIn the analyzed sample this feature was not enabled and the CnC address was static. However, looking at the code we can find a domain generation algorithm (DGA) that is based on the current date:\r\n(see a partially cleaned version of this function: https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-domain_generate-vb)\r\n[+] Added Anti-Emulation\r\nChecking whether the sample is running in a VM or sandbox by attempting to load DLLs associated with virtual environments and sandboxes:\r\nvboxmrxnp\r\nSbieDll\r\nsnxhk\r\npthreadVC\r\nIt also comes with a set of blacklisted volume serial numbers identifying popular sandboxes:\r\nAC79B241\r\n70144646\r\n6C78A9C3\r\n[+] Added Desktop/Laptop Detection\r\nChecking whether it is running on a laptop by testing for the presence of a battery:\r\n[+] Added PE configuration storage\r\nThe section L!NK is used not only to store the initial configuration, but also some fetched data.\r\nThe random ID of the bot is generated and stored:\r\n[+] Improved Crypto wallet stealer (+24)\r\nWe can find in the code strings used to search for several crypto wallets:\r\nMultiBit, Armory, Electrum, digital, -LTC, MultiDoge, BitcoinDark, Unobtanium, Dash, Bi\r\nAnalyzing the code deeper, we find that first the .wallet files are searched for:\r\nThe found data is grabbed and passed into another function:\r\nThat function is responsible for posting the grabbed content to the CnC server:\r\n[+] Added captcha on web panel login\r\nWe can observe it if we try to follow the address of the CnC captured during the behavioral analysis. Indeed, next to the credential fields we 
can see a very simple captcha:\r\n[+] Added new panel logo\r\nThe authors of Diamond Fox put a lot of effort into making the graphic design attractive to the user. This time, the panel comes with a set of logos that change randomly on page refresh. This feature may seem fancy and redundant in malware; however, it shows the effort put into the user experience.\r\n[+] Improved Keylogger (added clipboard detector and window title trigger)\r\nAs we saw during the behavioral analysis, Diamond Fox generates neatly formatted reports about captured user activity. They include clipboard content and the title of the main window in which the particular text was typed:\r\nConclusion\r\nDiamond Fox Crystal has been solidly refactored in comparison to the older versions. Removing the descriptive module names made analysis more difficult. Due to the change in the method of encrypting the configuration, retrieving its content is now not as trivial.\r\nOverall, Diamond Fox comes with the typical features that we can expect from a stealer. In spite of some improvements, the code quality is still nothing impressive.\r\nAppendix\r\nhttps://www.cylance.com/a-study-in-bots-diamondfox – about an older version of Diamond Fox\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/"
	],
	"report_names": [
		"diamond-fox-p2"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434386,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f237144584213d1523e9702d995c0b87a3d8f3e3.pdf",
		"text": "https://archive.orkl.eu/f237144584213d1523e9702d995c0b87a3d8f3e3.txt",
		"img": "https://archive.orkl.eu/f237144584213d1523e9702d995c0b87a3d8f3e3.jpg"
	}
}