ffdroider | 40d7ead8c2b3f512f490edf1c2ac207bafca3bbc1def3bbda44fe855ef1fb9f3

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/12/2023, 17:43

Target

fb3bc18401f7cc5a5b426209cbf968c2.exe
Size

5.3MB
MD5

fb3bc18401f7cc5a5b426209cbf968c2
SHA1

670d97d270669c2e721d9940fe83fb0db9431edf
SHA256

40d7ead8c2b3f512f490edf1c2ac207bafca3bbc1def3bbda44fe855ef1fb9f3
SHA512

cd5b4502baf74556b7e6cfb7348e2af1537f7296ae343bb9b005748c51cd78764fd02036621565e655e58a67fb78b6cee55419b90ab68fb2011543ba2be2d931
SSDEEP

98304:brbMvQuxQBQe4dbR0zWRLFphiHvQ/qpyr0k88suiO+QahI+iZ7q1zPPXNAjtVa/u:X+fei5suiO+QCI+7NAjtVa/u

Score

10^/10

ffdroider stealer

Family

ffdroider

http://186.2.171.3

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 1 IoCs

resource	yara_rule
behavioral1/memory/3032-0-0x0000000000400000-0x0000000000945000-memory.dmp	family_ffdroider

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	3032	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3052	3032	fb3bc18401f7cc5a5b426209cbf968c2.exe	28
PID 3032 wrote to memory of 3052	3032	fb3bc18401f7cc5a5b426209cbf968c2.exe	28
PID 3032 wrote to memory of 3052	3032	fb3bc18401f7cc5a5b426209cbf968c2.exe	28
PID 3032 wrote to memory of 3052	3032	fb3bc18401f7cc5a5b426209cbf968c2.exe	28

C:\Users\Admin\AppData\Local\Temp\fb3bc18401f7cc5a5b426209cbf968c2.exe
"C:\Users\Admin\AppData\Local\Temp\fb3bc18401f7cc5a5b426209cbf968c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 236
  2⤵
  - Program crash
  PID:3052

memory/3032-0-0x0000000000400000-0x0000000000945000-memory.dmp

Filesize
5.3MB

Download