Diamond Fox - part 2: let's dive in the code | Malwarebytes Labs
By Malwarebytes Labs
Published: 2017-04-05 · Archived: 2026-04-05 19:38:03 UTC
In a previous post we made an initial analysis of a Diamond Fox bot delivered by the Nebula Exploit Kit (more
about the campaign can be found here). We described the way to unpack the protection layer in order to get the
core, written in Visual Basic, that can be decompiled. In this second part of the series, we will take a deeper look
into the code and analyze the bot’s features and code design.
Analyzed samples
988e9fa903cc2fbb80e7221072fb2221 – Diamond Fox Crystal (final VB payload)
3ef960da3e4bc4bc7c05d02fbf121d4e – old Diamond Fox (final VB payload)
Changelog
In the release that is sold on the black market, the authors included a changelog describing all versions up to the
current one (codenamed Crystal). Below, you can see the related fragment:
Crystal Version [+] Loader core recoded [+] Improved Size: 17.5 kb [+] Added unlimited panel list [+
Decompiling
As we mentioned in the previous post, Diamond Fox is written in Visual Basic and after unpacking it can be
decompiled by VB Decompiler. Unfortunately, the results of the decompilation are not fully accurate and some
parts of the code are difficult to analyze. However, we can still figure out the most important actions performed by
the malware.
We provided a partially cleaned version of the decompiled code:
https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-module1-vb.
Execution flow
Diamond Fox starts its execution from decrypting and parsing the configuration – in this edition, it is stored in the
section “L!NK“. Then, depending on the configuration, some further features are enabled or disabled. For
example, it may deploy defensive checks – against sandboxes and Virtual Machines.
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
Page 1 of 8

The stored parameters are encrypted and they are decrypted at runtime – however, the decryption function is no
longer a simple XOR known from the previous versions:
(see a partially cleaned version of this function:
https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-decrypt-vb )
Along with the features that can be enabled or disabled depending on the configuration, Diamond Fox offers
features that are controlled from the CnC.
Reading response from the CnC:
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
Page 2 of 8

Parsing commands and executing appropriate actions (commands are identified by numbers – from 0 to 25):
Features
Let’s have a look inside the code and follow the features mentioned by the authors.
[+] Loader core recoded
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
Page 3 of 8

The code of the malware has been reorganized and its big portions have been rewritten. It can be
noticed at first sight if we decompile the new version and compare it versus the old one. In the
current version everything is in one module, while in the previous cases the code was subdivided
into various modules.
Old Diamond Fox decompiled (fragment):
We can see the code subdivided on modules with descriptive names, making analysis easier. In the new version,
we will not find this familiar layout.
Decompiled code of Diamond Fox Crystal (the new one):
The new version introduced a different way of storing the configuration. Now, the encrypted configuration is in
the dedicated section named “L!NK“.
[+] Added domain generation algorithm
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
Page 4 of 8

In the analyzed sample this feature was not enabled and the CnC address was static. However, looking at the code
we can find a domain generation algorithm (DGA) is based on the current date:
(see a partially cleaned version of this function:
https://gist.github.com/hasherezade/79de1509c8565ec7496cd554092df6f8#file-domain_generate-vb)
[+] Added Anti-Emulation
Checking if the sample is not running in a VM or sandbox by attempting to load DLLs associated with the virtual
environment:
vboxmrxnp
SbieDll
snxhk
pthreadVC
It comes also with a set of blacklisted volume serial numbers, identifying popular sandboxes:
AC79B241
70144646
6C78A9C3
[+] Added Desktop/Laptop Detection
Checking if it is running on the laptop by testing battery presence:
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
Page 5 of 8

[+] Added PE configuration storage
The section L!NK is used not only to store initial configuration, but also some fetched data.
The random ID of the bot is generated and stored:
[+] Improved Crypto wallet stealer (+24)
We can find in the code strings used to search several crypto wallets:
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
Page 6 of 8

MultiBit, Armory, Electrum, digital, -LTC, MultiDoge, BitcoinDark, Unobtanium, Dash, Bi
Analyzing the code deeper, we find that first the .wallet files are searched:
The found data is grabbed and passed into another function: “>
That function is responsible for posting the grabbed content to the CnC server:
[+] Added captcha on web panel login
We can observe it if we try to follow the address of the CnC captured during the behavioral analysis.
Indeed, near to the credential fields we can see a very simple captcha:
[+] Added new panel logo
The authors of Diamond Fox put a lot of effort to make a graphic design attractive for the user. This
time, the panel comes with a set of logos that are randomly changing on page refresh. This feature
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
Page 7 of 8

may seem fancy and redundant in a malware; however, it shows the effort put on the user
experience.
[+] Improved Keylogger(added clipboard detector and window title trigger)
As we saw during behavioral analysis, Diamond Fox generates neatly formatted reports about
captured users’ activities. They include Clipboard content and the title of the main window, where
the particular text was typed:
Conclusion
Diamond Fox Crystal has been solidly refactored in comparison to the older versions. Removing descriptive
modules’ names made analysis more difficult. Due to the change in the method of encrypting configuration, now
retrieving its content is not as trivial.”>
Overall, Diamond Fox comes with typical features that we can expect from the stealer. In spite of some
improvements, the code quality is still nothing impressive.
Appendix
https://www.cylance.com/a-study-in-bots-diamondfox – about an elder version of Diamond Fox
This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest
in InfoSec. She loves going in details about malware and sharing threat information with the community. Check
her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.
Source: https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
Page 8 of 8