ffdroider | 5b60d2cb0b63bcd9c7df5873496d119de3f5364ba6eeea8548f20b2940a73ffa

General

Target

5c21cca8d79a5c46f7f1bd78b222c47a.exe
Size

3.9MB
MD5

5c21cca8d79a5c46f7f1bd78b222c47a
SHA1

bd249dea8ceb0a4bde6ee336ed2063696b821767
SHA256

5b60d2cb0b63bcd9c7df5873496d119de3f5364ba6eeea8548f20b2940a73ffa
SHA512

1f63c24f59d5508a81e371e8c4ab8f11ce1c61a31fb78ecefdbe3d59d5e62eb281bda61e507642b92f3a897b11b0a3b0dcee3369cb78686097c91c91b08108d7

Score

10^/10

ffdroider spyware stealer suricata

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x00070000000132ef-55.dat	family_ffdroider
behavioral1/files/0x00070000000132ef-58.dat	family_ffdroider
behavioral1/files/0x00070000000132ef-57.dat	family_ffdroider
behavioral1/files/0x00070000000132ef-56.dat	family_ffdroider
behavioral1/files/0x00070000000132ef-60.dat	family_ffdroider
behavioral1/files/0x00070000000132ef-62.dat	family_ffdroider
behavioral1/memory/1728-63-0x0000000000400000-0x00000000009BC000-memory.dmp	family_ffdroider
behavioral1/memory/1908-64-0x0000000000400000-0x00000000008D3000-memory.dmp	family_ffdroider

suricata: ET MALWARE Win32/FFDroider CnC Activity
suricata: ET MALWARE Win32/FFDroider CnC Activity
suricata
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1908	da_1648136254601.exe

Loads dropped DLL 4 IoCs

pid	Process
1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe
1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe
1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe
1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe
1908	da_1648136254601.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1908	1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe	29
PID 1728 wrote to memory of 1908	1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe	29
PID 1728 wrote to memory of 1908	1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe	29
PID 1728 wrote to memory of 1908	1728	5c21cca8d79a5c46f7f1bd78b222c47a.exe	29

C:\Users\Admin\AppData\Local\Temp\5c21cca8d79a5c46f7f1bd78b222c47a.exe
"C:\Users\Admin\AppData\Local\Temp\5c21cca8d79a5c46f7f1bd78b222c47a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe
  "C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe

Filesize
3.3MB

MD5
dfb6e366186969c7265e5602a4b85335

SHA1
f20c75e427ef43b853b4a053e98cd301cae331c1

SHA256
d77bea86bd4c36acae410d6dec8e012439e36d6226d99f1fd7de29827fca3835

SHA512
5420980743bb7772ffd1cda00acbbe921ec3746c20db17b653fc8cd4c795db33d516ea82604f43b61dc94ca6a949d21338f3d3528b3ac0f168bdae4676af9019

Download Submit
C:\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe

Filesize
3.3MB

MD5
dfb6e366186969c7265e5602a4b85335

SHA1
f20c75e427ef43b853b4a053e98cd301cae331c1

SHA256
d77bea86bd4c36acae410d6dec8e012439e36d6226d99f1fd7de29827fca3835

SHA512
5420980743bb7772ffd1cda00acbbe921ec3746c20db17b653fc8cd4c795db33d516ea82604f43b61dc94ca6a949d21338f3d3528b3ac0f168bdae4676af9019

Download Submit
\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe

Filesize
3.3MB

MD5
dfb6e366186969c7265e5602a4b85335

SHA1
f20c75e427ef43b853b4a053e98cd301cae331c1

SHA256
d77bea86bd4c36acae410d6dec8e012439e36d6226d99f1fd7de29827fca3835

SHA512
5420980743bb7772ffd1cda00acbbe921ec3746c20db17b653fc8cd4c795db33d516ea82604f43b61dc94ca6a949d21338f3d3528b3ac0f168bdae4676af9019

Download Submit
\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe

Filesize
3.3MB

MD5
dfb6e366186969c7265e5602a4b85335

SHA1
f20c75e427ef43b853b4a053e98cd301cae331c1

SHA256
d77bea86bd4c36acae410d6dec8e012439e36d6226d99f1fd7de29827fca3835

SHA512
5420980743bb7772ffd1cda00acbbe921ec3746c20db17b653fc8cd4c795db33d516ea82604f43b61dc94ca6a949d21338f3d3528b3ac0f168bdae4676af9019

Download Submit
\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe

Filesize
3.3MB

MD5
dfb6e366186969c7265e5602a4b85335

SHA1
f20c75e427ef43b853b4a053e98cd301cae331c1

SHA256
d77bea86bd4c36acae410d6dec8e012439e36d6226d99f1fd7de29827fca3835

SHA512
5420980743bb7772ffd1cda00acbbe921ec3746c20db17b653fc8cd4c795db33d516ea82604f43b61dc94ca6a949d21338f3d3528b3ac0f168bdae4676af9019

Download Submit
\Users\Admin\Documents\VlcpVideoV1.0.1\da_1648136254601.exe

Filesize
3.3MB

MD5
dfb6e366186969c7265e5602a4b85335

SHA1
f20c75e427ef43b853b4a053e98cd301cae331c1

SHA256
d77bea86bd4c36acae410d6dec8e012439e36d6226d99f1fd7de29827fca3835

SHA512
5420980743bb7772ffd1cda00acbbe921ec3746c20db17b653fc8cd4c795db33d516ea82604f43b61dc94ca6a949d21338f3d3528b3ac0f168bdae4676af9019

Download Submit
memory/1728-54-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/1728-63-0x0000000000400000-0x00000000009BC000-memory.dmp

Filesize
5.7MB

Download
memory/1908-64-0x0000000000400000-0x00000000008D3000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing