ffdroider | 685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757

Analysis

max time kernel
0s
max time network
151s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20eb6b8655de71aad0ba6e71a045b1f6.exe
Size

2.6MB
MD5

20eb6b8655de71aad0ba6e71a045b1f6
SHA1

1770246098ea07e2024dd31de0fba54916d7236b
SHA256

685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757
SHA512

bb6a8f071ca9d77ab6c10f90b3ba1ad1e86c7b326fa7731c13fde95554bba97cf374878a64a7ad4fec0aee3301751ab32d280a8c440aa78319fc89f5391f2259
SSDEEP

49152:pAI+mPQQSU9afXEDN50Qx8lMmD4gGovWhJLEx2BwDPw1V46hi5SC0DNdSM2SwMpt:pAI+M4UsuNxyvGoOnEx2BoQVlhi5S9OG

Score

10^/10

ffdroider vidar 916 discovery stealer vmprotect

Malware Config

Extracted

Family

vidar

Version

39.9

Botnet

916

https://prophefliloc.tumblr.com/

Attributes

profile_id
916

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/2588-70-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider
behavioral1/memory/2588-186-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/memory/2504-143-0x0000000000220000-0x00000000002BD000-memory.dmp	family_vidar
behavioral1/memory/2504-144-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar
behavioral1/memory/2504-195-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar
behavioral1/memory/2504-203-0x0000000000220000-0x00000000002BD000-memory.dmp	family_vidar

Executes dropped EXE 4 IoCs

pid	Process
2664	GameBox32Bit.exe
2756	BotCheck.exe
2504	GameBox64bit.exe
2632	GameBox.exe

Loads dropped DLL 6 IoCs

pid	Process
1936	20eb6b8655de71aad0ba6e71a045b1f6.exe
1936	20eb6b8655de71aad0ba6e71a045b1f6.exe
1936	20eb6b8655de71aad0ba6e71a045b1f6.exe
1936	20eb6b8655de71aad0ba6e71a045b1f6.exe
1936	20eb6b8655de71aad0ba6e71a045b1f6.exe
1936	20eb6b8655de71aad0ba6e71a045b1f6.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.116.193.219
Destination IP	185.116.193.219
Destination IP	185.116.193.219
Destination IP	185.116.193.219

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2588-70-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral1/memory/2588-186-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2916	2588	WerFault.exe
2768	2504	WerFault.exe	32

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2664	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	34
PID 1936 wrote to memory of 2664	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	34
PID 1936 wrote to memory of 2664	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	34
PID 1936 wrote to memory of 2664	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	34
PID 1936 wrote to memory of 2756	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	18
PID 1936 wrote to memory of 2756	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	18
PID 1936 wrote to memory of 2756	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	18
PID 1936 wrote to memory of 2756	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	18
PID 1936 wrote to memory of 2504	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	32
PID 1936 wrote to memory of 2504	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	32
PID 1936 wrote to memory of 2504	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	32
PID 1936 wrote to memory of 2504	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	32
PID 1936 wrote to memory of 2632	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	31
PID 1936 wrote to memory of 2632	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	31
PID 1936 wrote to memory of 2632	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	31
PID 1936 wrote to memory of 2632	1936	20eb6b8655de71aad0ba6e71a045b1f6.exe	31

C:\Users\Admin\AppData\Local\Temp\20eb6b8655de71aad0ba6e71a045b1f6.exe
"C:\Users\Admin\AppData\Local\Temp\20eb6b8655de71aad0ba6e71a045b1f6.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
  2⤵
  - Executes dropped EXE
  PID:2756
- - C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
    3⤵
    PID:2532
- C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\is-L6M7G.tmp\GameBoxWin32.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-L6M7G.tmp\GameBoxWin32.tmp" /SL5="$70120,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
    3⤵
    PID:2708
- C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
  2⤵
  PID:2588
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 884
    3⤵
    - Program crash
    PID:2768
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
  2⤵
  - Executes dropped EXE
  PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 184
1⤵
- Program crash
PID:2916

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:2332
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe

Filesize
92KB

MD5
95a0ac2189b3e6aa4b9383d99f5da110

SHA1
b302a47d4fd0f2dd8e4536e76ece2b5fed02006e

SHA256
990fd1487190b791f403b1d7feafb5fcf547a2abe952fce676ef2b3fff8dab14

SHA512
1005a4882b7dcd74f9270f721d4f995997abcc4290c077c738f17bb94a766c671a8f933c5bf5a8a26ca019c41c3f6f9b1a7c923c04e86e34b2a7cd30cc47de42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
587e3f0651e565391196cb0ccb23d1db

SHA1
c1770359ce561ad81eab414db77fc70a0dc2f7ff

SHA256
63205ff5e8b241feae6241d030b474c9b74808d22e7c65fcd9f843ca73fafc2f

SHA512
7aae5cdbbf09790bf233fd041569b134a3bfc01f1046d7cf5efe576f1c3ec0f88c3a44535e7adbef4a2912e3b74a9f82a880fcebb5b19296fa9d8d3480b9c1f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93364c7c191647eaf452af99cc439085

SHA1
8b0a25f6c0879ccdd3310976fd01bd07ba134804

SHA256
d0d272d70d6bab563b91e0db8b3de9af764a2793bceb3128229b53a645bca161

SHA512
6ae2597766ed70fe4f534e2d1302be9eeec2b875e420ceb2fa8ca40dc4d3e4480a9965e69e4a93af89483640f207102e92d6aa3d197be7cef76382fca8ec415e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0658e9aad98aa8efe7437744c2cf380d

SHA1
6598fc2829e9e32f6d386e2eba082f5bb99d3836

SHA256
d83bdf96b97abb6f2325df7be500160d1513997a00ad904a552598378601f022

SHA512
c42abbc2fe2db50fdcd17899aefd16309547e720390fd80d9bdb82694cd21a476f6e02e1d251453ad5100f557fa118ea663c066846216f5fca935e406f5c5a0a

Download Submit
\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe

Filesize
540KB

MD5
428821691d16f489bcbb6054e590f931

SHA1
67782087763116ec1161b0b101e846aaf7ad6938

SHA256
f24ff2523af577fd2bda2d2c2fc82912515e49ec7ed7438a4a2aa5f17596fb24

SHA512
88e7c2ea00710303a36c6fcaf7ca922931632d80c93bb3c69ba262bb95ec7894b01a86467da008a099b102439dbb7d088c05c75eac8ede8d49d081788b3b2048

Download Submit
memory/864-121-0x0000000000C20000-0x0000000000C6C000-memory.dmp

Filesize
304KB

Download
memory/864-119-0x0000000000C20000-0x0000000000C6C000-memory.dmp

Filesize
304KB

Download
memory/864-145-0x0000000001270000-0x00000000012E1000-memory.dmp

Filesize
452KB

Download
memory/864-120-0x0000000001270000-0x00000000012E1000-memory.dmp

Filesize
452KB

Download
memory/1696-125-0x0000000000060000-0x00000000000AC000-memory.dmp

Filesize
304KB

Download
memory/1696-493-0x0000000000260000-0x00000000002D1000-memory.dmp

Filesize
452KB

Download
memory/1696-488-0x0000000000260000-0x00000000002D1000-memory.dmp

Filesize
452KB

Download
memory/1696-482-0x0000000000260000-0x00000000002D1000-memory.dmp

Filesize
452KB

Download
memory/1696-314-0x0000000000260000-0x00000000002D1000-memory.dmp

Filesize
452KB

Download
memory/1696-129-0x0000000000260000-0x00000000002D1000-memory.dmp

Filesize
452KB

Download
memory/1696-199-0x0000000000260000-0x00000000002D1000-memory.dmp

Filesize
452KB

Download
memory/1696-146-0x0000000000260000-0x00000000002D1000-memory.dmp

Filesize
452KB

Download
memory/1936-69-0x0000000003550000-0x00000000037CD000-memory.dmp

Filesize
2.5MB

Download
memory/1936-68-0x0000000003550000-0x00000000037CD000-memory.dmp

Filesize
2.5MB

Download
memory/1936-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-195-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/2504-203-0x0000000000220000-0x00000000002BD000-memory.dmp

Filesize
628KB

Download
memory/2504-144-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/2504-143-0x0000000000220000-0x00000000002BD000-memory.dmp

Filesize
628KB

Download
memory/2504-142-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/2504-249-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/2564-118-0x00000000002D0000-0x000000000032D000-memory.dmp

Filesize
372KB

Download
memory/2564-117-0x00000000021D0000-0x00000000022D1000-memory.dmp

Filesize
1.0MB

Download
memory/2564-124-0x00000000002D0000-0x000000000032D000-memory.dmp

Filesize
372KB

Download
memory/2588-186-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/2588-70-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/2632-107-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2632-127-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/2632-198-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/2632-110-0x0000000000360000-0x0000000000386000-memory.dmp

Filesize
152KB

Download
memory/2632-116-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2632-187-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-104-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-337-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-80-0x0000000000BF0000-0x0000000000C26000-memory.dmp

Filesize
216KB

Download
memory/2700-106-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2700-77-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2700-341-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-197-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2708-340-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2708-105-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads