ffdroider | 685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757

General

Target

20eb6b8655de71aad0ba6e71a045b1f6.exe
Size

2.6MB
MD5

20eb6b8655de71aad0ba6e71a045b1f6
SHA1

1770246098ea07e2024dd31de0fba54916d7236b
SHA256

685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757
SHA512

bb6a8f071ca9d77ab6c10f90b3ba1ad1e86c7b326fa7731c13fde95554bba97cf374878a64a7ad4fec0aee3301751ab32d280a8c440aa78319fc89f5391f2259
SSDEEP

49152:pAI+mPQQSU9afXEDN50Qx8lMmD4gGovWhJLEx2BwDPw1V46hi5SC0DNdSM2SwMpt:pAI+M4UsuNxyvGoOnEx2BoQVlhi5S9OG

Score

10^/10

ffdroider vidar 916 discovery stealer vmprotect

Malware Config

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

vidar

Version

39.9

Botnet

916

C2

https://prophefliloc.tumblr.com/

Attributes

profile_id
916

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/736-83-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider
behavioral2/memory/736-82-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4320	rUNdlL32.eXe	26

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/4596-124-0x0000000004930000-0x00000000049CD000-memory.dmp	family_vidar
behavioral2/memory/4596-125-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	20eb6b8655de71aad0ba6e71a045b1f6.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/736-83-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral2/memory/736-82-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe	20eb6b8655de71aad0ba6e71a045b1f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
924	3860	WerFault.exe
4900	736	WerFault.exe	36

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 2420	1416	20eb6b8655de71aad0ba6e71a045b1f6.exe	40
PID 1416 wrote to memory of 2420	1416	20eb6b8655de71aad0ba6e71a045b1f6.exe	40

C:\Users\Admin\AppData\Local\Temp\20eb6b8655de71aad0ba6e71a045b1f6.exe
"C:\Users\Admin\AppData\Local\Temp\20eb6b8655de71aad0ba6e71a045b1f6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
  2⤵
  PID:4596
- C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
  2⤵
  PID:4676
- C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
  2⤵
  PID:736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1976
    3⤵
    - Program crash
    PID:4900
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
  2⤵
  PID:4340
- C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
  2⤵
  PID:5044
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
  2⤵
  PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3860 -ip 3860
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 604
1⤵
- Program crash
PID:924

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:3860

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:220

C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
1⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\is-9O26K.tmp\GameBoxWin32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9O26K.tmp\GameBoxWin32.tmp" /SL5="$70220,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
1⤵
PID:4304

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2456

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2984

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-83-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/736-82-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/1416-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-142-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4304-133-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4304-110-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4340-89-0x0000000002F50000-0x0000000002F56000-memory.dmp

Filesize
24KB

Download
memory/4340-78-0x0000000000FC0000-0x0000000000FF6000-memory.dmp

Filesize
216KB

Download
memory/4340-99-0x0000000002F80000-0x0000000002FA6000-memory.dmp

Filesize
152KB

Download
memory/4340-81-0x00007FFEF8980000-0x00007FFEF9441000-memory.dmp

Filesize
10.8MB

Download
memory/4340-129-0x00007FFEF8980000-0x00007FFEF9441000-memory.dmp

Filesize
10.8MB

Download
memory/4340-114-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/4340-103-0x0000000002F60000-0x0000000002F66000-memory.dmp

Filesize
24KB

Download
memory/4596-124-0x0000000004930000-0x00000000049CD000-memory.dmp

Filesize
628KB

Download
memory/4596-123-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/4596-125-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/4676-97-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4676-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads