ffdroider

General

Target

Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe
Size

3.3MB
Sample

230104-pclhnaaf7z
MD5

2a1400529544b41c0c7e56a7b91c43f6
SHA1

d89c0480f212fa0eab35dc1c049c409e572c2f09
SHA256

e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
SHA512

f216d3cf5cec99c7734e0461bca2ef952ae1b097fc16d5639ff60671c4fdf381c3b6a803aee48ae0d8b2956e337d24bd8a39b87e7260dc357710c60f9063f76b
SSDEEP

98304:UboDpahPxyFximnbWtg5f4e+QFz6TBQ+/nqVF:USxHnbF5rZFz6TBQEqT

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

ffdroider

C2

http://101.36.107.74

Targets

- Target
  
  Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe
- Size
  
  3.3MB
- MD5
  
  2a1400529544b41c0c7e56a7b91c43f6
- SHA1
  
  d89c0480f212fa0eab35dc1c049c409e572c2f09
- SHA256
  
  e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
- SHA512
  
  f216d3cf5cec99c7734e0461bca2ef952ae1b097fc16d5639ff60671c4fdf381c3b6a803aee48ae0d8b2956e337d24bd8a39b87e7260dc357710c60f9063f76b
- SSDEEP
  
  98304:UboDpahPxyFximnbWtg5f4e+QFz6TBQ+/nqVF:USxHnbF5rZFz6TBQEqT
Score

10^/10

ffdroider privateloader smokeloader socelars backdoor evasion loader stealer trojan vmprotect persistence spyware
- Detects Smokeloader packer
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2