ffdroider | 5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b

Analysis

Target

5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b.exe
Size

1.8MB
MD5

e101086987595cde7a1439641814d5cf
SHA1

f7b1b3bd0a933be4adbca78d6938d6dfac90de77
SHA256

5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b
SHA512

216b33d61872fe0ae7c93e1329fa55e369edcffc49be54b7e079edc09ccfd7d7c680c5a2bfdf81008bae666e44b62a3aeca5884ea4d4ea49afc470b8da5f71cd
SSDEEP

49152:oiVOqL26YVweCqo0oKPB803g0Bk+QqX0NmXqxq:ocfrqo5KPB203XgM

Score

10^/10

Family

ffdroider

http://152.32.228.19

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/740-56-0x00000000002B0000-0x00000000006DB000-memory.dmp	family_ffdroider
behavioral1/memory/740-58-0x00000000002B0000-0x00000000006DB000-memory.dmp	family_ffdroider
behavioral1/memory/740-57-0x00000000002B0000-0x00000000006DB000-memory.dmp	family_ffdroider
behavioral1/memory/740-71-0x00000000002B0000-0x00000000006DB000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b.exe

description pid process

Token: SeManageVolumePrivilege 740 5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b.exe

description	pid	process
Token: SeManageVolumePrivilege	740	5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b.exe

C:\Users\Admin\AppData\Local\Temp\5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b.exe
"C:\Users\Admin\AppData\Local\Temp\5ce27f724cff5f6f4558ec61f2f328df7fbe8905ac032e461358b9a4a1acb34b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:740

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/740-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/740-55-0x00000000002B0000-0x00000000006DB000-memory.dmp

Filesize
4.2MB

Download
memory/740-56-0x00000000002B0000-0x00000000006DB000-memory.dmp

Filesize
4.2MB

Download
memory/740-58-0x00000000002B0000-0x00000000006DB000-memory.dmp

Filesize
4.2MB

Download
memory/740-57-0x00000000002B0000-0x00000000006DB000-memory.dmp

Filesize
4.2MB

Download
memory/740-59-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/740-65-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/740-71-0x00000000002B0000-0x00000000006DB000-memory.dmp

Filesize
4.2MB

Download