ffdroider | 1dce5d2a9682c811f7c4dd7e4f4c8f26ba35bba8803efe316aabddafb41c1708

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 10:09

Target

d7eb620404874d7f77870f1b1ecaeee3.exe
Size

758KB
MD5

d7eb620404874d7f77870f1b1ecaeee3
SHA1

e281d765ee3facac0140732427c291f1a31d90b4
SHA256

1dce5d2a9682c811f7c4dd7e4f4c8f26ba35bba8803efe316aabddafb41c1708
SHA512

5042740a5f8d650cdce19b07eb45896dac5b76c853a60158b4c09ddbf83f3463ba6789dc93357aad18343add3a84e1e518c9511e0bc1af16ff16966007ad4bb8
SSDEEP

12288:AfZMnJxs7QUxOwR8s3AYxHHu90MnJ33Px1MKU2GLcOPSv8AQv8JyWOOFPDGMi4:AfZMg7QXw2sQYtuHJHpORncOKv8TTWNM

Score

10^/10

Family

ffdroider

http://128.1.32.84

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/2928-1-0x0000000000400000-0x000000000063B000-memory.dmp	family_ffdroider
behavioral1/memory/2928-3-0x0000000000400000-0x000000000063B000-memory.dmp	family_ffdroider

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral1/memory/2928-1-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral1/memory/2928-3-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process
2500	2928	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2500	2928	d7eb620404874d7f77870f1b1ecaeee3.exe	14
PID 2928 wrote to memory of 2500	2928	d7eb620404874d7f77870f1b1ecaeee3.exe	14
PID 2928 wrote to memory of 2500	2928	d7eb620404874d7f77870f1b1ecaeee3.exe	14
PID 2928 wrote to memory of 2500	2928	d7eb620404874d7f77870f1b1ecaeee3.exe	14

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 184
1⤵
- Program crash
PID:2500

C:\Users\Admin\AppData\Local\Temp\d7eb620404874d7f77870f1b1ecaeee3.exe
"C:\Users\Admin\AppData\Local\Temp\d7eb620404874d7f77870f1b1ecaeee3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2928

memory/2928-0-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2928-1-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2928-3-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download