ffdroider

Sharing

Copy URL

Twitter E-mail

General

Target

66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe
Size

6.0MB
Sample

230225-db6awsbh45
MD5

9334e72e31a668edc2c2176f609f6f28
SHA1

be94751be419c65f9ce010bc07c94817bd30a21d
SHA256

66bf743babad7405d2426b25bf8d1bb493f6d9048b55ede138d36a3b8a2f9c8e
SHA512

13d644ac77fed1ebf4d78d11925a15fd3fc670a4206591b9ecb51522d63ad589a432484f4d55600a27994fe719fc3bcbb8edf157b26ce2f95a39e5a5d31da653
SSDEEP

196608:JxiveVzaKs6r5oQnghmYsjoay8W8PdrAmDe8cBe2AyD:Jxivo2KshQ6sjNWoOmDAe2L

Malware Config

Extracted

Family

socelars

http://www.hhgenice.top/

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp

https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://mnbuiy.pw/adsli/note8876.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://luminati-china.xyz/aman/casper2.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

ffdroider

http://111.90.158.95

Extracted

Family

smokeloader

Version

2020

http://misha.at/upload/

http://roohaniinfra.com/upload/

http://0axqpcc.cn/upload/

http://mayak-lombard.ru/upload/

http://mebel-lass.ru/upload/

http://dishakhan.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

media10new

91.121.67.60:51630

Attributes

auth_value
47bc78698369f70f69c14c417da0f954

Extracted

Family

redline

Botnet

user2020

135.181.129.119:4805

Attributes

auth_value
e06832300a56e500104f066d1e66bb70

Targets

- Target
  
  66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe
- Size
  
  6.0MB
- MD5
  
  9334e72e31a668edc2c2176f609f6f28
- SHA1
  
  be94751be419c65f9ce010bc07c94817bd30a21d
- SHA256
  
  66bf743babad7405d2426b25bf8d1bb493f6d9048b55ede138d36a3b8a2f9c8e
- SHA512
  
  13d644ac77fed1ebf4d78d11925a15fd3fc670a4206591b9ecb51522d63ad589a432484f4d55600a27994fe719fc3bcbb8edf157b26ce2f95a39e5a5d31da653
- SSDEEP
  
  196608:JxiveVzaKs6r5oQnghmYsjoay8W8PdrAmDe8cBe2AyD:Jxivo2KshQ6sjNWoOmDAe2L
Score

10^/10

ffdroider gcleaner nullmixer privateloader redline smokeloader socelars media10new user2020 aspackv2 backdoor discovery dropper evasion infostealer loader main spyware stealer trojan
- Detects Smokeloader packer
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- FFDroider payload
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Smokeloader packer

FFDroider payload

GCleaner

Modifies Windows Defender Real-time Protection settings

NullMixer

PrivateLoader

RedLine

RedLine payload

SmokeLoader

Socelars

Socelars payload

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Checks whether UAC is enabled

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2