ffdroider

General

Target

32AC0624A534A2C40FB8EBA41E80BB1D31B99CD118D42.exe
Size

3.3MB
Sample

230327-h3sw4acc29
MD5

df36b8a03f1c4100ccea6a79116c1bda
SHA1

6d0cf1d6aadd77bf16251551f1a00a76fca395e9
SHA256

32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SHA512

2bbf03a76e03e4ec2a0f9404dd7fec940c0348810f16ebc19450795708b16ed394d985292d47eb51160df135640c31022476bc937a5273184e26b7c6ef03458f
SSDEEP

98304:Ubjn1zQyFximOATdA8xd4svk3upL/ZWt/LcMJ:UPnVxHOATdA8YsvkuLBics

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

ffdroider

C2

http://101.36.107.74

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Targets

- Target
  
  32AC0624A534A2C40FB8EBA41E80BB1D31B99CD118D42.exe
- Size
  
  3.3MB
- MD5
  
  df36b8a03f1c4100ccea6a79116c1bda
- SHA1
  
  6d0cf1d6aadd77bf16251551f1a00a76fca395e9
- SHA256
  
  32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
- SHA512
  
  2bbf03a76e03e4ec2a0f9404dd7fec940c0348810f16ebc19450795708b16ed394d985292d47eb51160df135640c31022476bc937a5273184e26b7c6ef03458f
- SSDEEP
  
  98304:Ubjn1zQyFximOATdA8xd4svk3upL/ZWt/LcMJ:UPnVxHOATdA8YsvkuLBics
Score

10^/10

ffdroider privateloader smokeloader socelars pub2 backdoor discovery evasion loader spyware stealer trojan vmprotect
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2