ffdroider | 6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 20:55

Target

3c7117f96c0c2879798a78a32d5d34cc.exe
Size

955KB
MD5

3c7117f96c0c2879798a78a32d5d34cc
SHA1

197c7dea513f8cbb7ebc17610f247d774c234213
SHA256

6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512

b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
SSDEEP

24576:w82jSDss1H+s9gbxBRlq9L1LSLf2cCYoe+bCV9A1XEh:w82jSY2MxqzGZCxGuEh

Score

10^/10

Family

ffdroider

http://186.2.171.3

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/2224-1-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider
behavioral1/memory/2224-3-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral1/memory/2224-1-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral1/memory/2224-3-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process
1880	2224	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1880	2224	3c7117f96c0c2879798a78a32d5d34cc.exe	16
PID 2224 wrote to memory of 1880	2224	3c7117f96c0c2879798a78a32d5d34cc.exe	16
PID 2224 wrote to memory of 1880	2224	3c7117f96c0c2879798a78a32d5d34cc.exe	16
PID 2224 wrote to memory of 1880	2224	3c7117f96c0c2879798a78a32d5d34cc.exe	16

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 184
1⤵
- Program crash
PID:1880

C:\Users\Admin\AppData\Local\Temp\3c7117f96c0c2879798a78a32d5d34cc.exe
"C:\Users\Admin\AppData\Local\Temp\3c7117f96c0c2879798a78a32d5d34cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224

memory/2224-0-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/2224-1-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/2224-3-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download