ffdroider | 0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d

General

Target

0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Size

3.8MB
MD5

2fae1bd2d77f021a0b327b5356c4d2c7
SHA1

cd0bb537e1aec361a8abe141795718ab2f37bf79
SHA256

0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d
SHA512

0582506405d6fb6c6c94a0d6dbd2067dd7c3fd9f54a8a92ed1248b89fd216b28e2b3489fdfb7ce8dd5888eb021eefd9159864b5aa4cc5a5408847828eb123d6b

Score

10^/10

ffdroider evasion spyware stealer trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 8 IoCs

resource	yara_rule
behavioral2/memory/1928-131-0x0000000000400000-0x00000000009F1000-memory.dmp	family_ffdroider
behavioral2/memory/1928-132-0x0000000000400000-0x00000000009F1000-memory.dmp	family_ffdroider
behavioral2/memory/1928-133-0x0000000000400000-0x00000000009F1000-memory.dmp	family_ffdroider
behavioral2/memory/1928-134-0x0000000000400000-0x00000000009F1000-memory.dmp	family_ffdroider
behavioral2/memory/1928-136-0x0000000000400000-0x00000000009F1000-memory.dmp	family_ffdroider
behavioral2/memory/1928-137-0x0000000000400000-0x00000000009F1000-memory.dmp	family_ffdroider
behavioral2/memory/1928-582-0x0000000000400000-0x00000000009F1000-memory.dmp	family_ffdroider
behavioral2/memory/1928-946-0x0000000000400000-0x00000000009F1000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
Token: SeManageVolumePrivilege	1928	0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe

C:\Users\Admin\AppData\Local\Temp\0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe
"C:\Users\Admin\AppData\Local\Temp\0281a3df4c3626c144d04210e776a0f6078244e64eb0713c468bca08d09b7e5d.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-130-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download
memory/1928-131-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download
memory/1928-132-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download
memory/1928-133-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download
memory/1928-134-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download
memory/1928-136-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download
memory/1928-137-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download
memory/1928-138-0x00000000041C0000-0x00000000041D0000-memory.dmp

Filesize
64KB

Download
memory/1928-144-0x0000000004360000-0x0000000004370000-memory.dmp

Filesize
64KB

Download
memory/1928-150-0x0000000004E10000-0x0000000004E18000-memory.dmp

Filesize
32KB

Download
memory/1928-151-0x0000000004E30000-0x0000000004E38000-memory.dmp

Filesize
32KB

Download
memory/1928-152-0x0000000004ED0000-0x0000000004ED8000-memory.dmp

Filesize
32KB

Download
memory/1928-153-0x0000000005020000-0x0000000005028000-memory.dmp

Filesize
32KB

Download
memory/1928-154-0x0000000005180000-0x0000000005188000-memory.dmp

Filesize
32KB

Download
memory/1928-155-0x0000000005420000-0x0000000005428000-memory.dmp

Filesize
32KB

Download
memory/1928-156-0x0000000005320000-0x0000000005328000-memory.dmp

Filesize
32KB

Download
memory/1928-157-0x0000000005190000-0x0000000005198000-memory.dmp

Filesize
32KB

Download
memory/1928-158-0x0000000004E30000-0x0000000004E38000-memory.dmp

Filesize
32KB

Download
memory/1928-159-0x0000000005190000-0x0000000005198000-memory.dmp

Filesize
32KB

Download
memory/1928-160-0x00000000052C0000-0x00000000052C8000-memory.dmp

Filesize
32KB

Download
memory/1928-161-0x0000000004E30000-0x0000000004E38000-memory.dmp

Filesize
32KB

Download
memory/1928-162-0x00000000052C0000-0x00000000052C8000-memory.dmp

Filesize
32KB

Download
memory/1928-163-0x0000000005190000-0x0000000005198000-memory.dmp

Filesize
32KB

Download
memory/1928-190-0x0000000004DB0000-0x0000000004DB8000-memory.dmp

Filesize
32KB

Download
memory/1928-191-0x0000000004DB0000-0x0000000004DB8000-memory.dmp

Filesize
32KB

Download
memory/1928-192-0x0000000004F30000-0x0000000004F38000-memory.dmp

Filesize
32KB

Download
memory/1928-582-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download
memory/1928-946-0x0000000000400000-0x00000000009F1000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing