ffdroider

General

Target

25b01b6f282806ad99486c3d072e5bfd
Size

9.1MB
Sample

231231-dlgehsgbf4
MD5

25b01b6f282806ad99486c3d072e5bfd
SHA1

c2ab46c1a27ecf22dcf17cffca96ae2ff56db740
SHA256

2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0
SHA512

b35a0a8966a90919ead835eef4a563ff79e70eeab92ac2ef2139b7e939a5e8c6ee8177e2fdee515a7230c1806d52251de4d92d9090b657f0654831c7fde662de
SSDEEP

196608:PvlQF2xHG9mT5kszFw1d4zZkxaZzDaC0b8LP3gt8lKKVURWw/RNKE5N:3l02g9E5kszq4zZqwzD30biPwIK144RT

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

ffdroider

C2

http://186.2.171.3

Targets

- Target
  
  25b01b6f282806ad99486c3d072e5bfd
- Size
  
  9.1MB
- MD5
  
  25b01b6f282806ad99486c3d072e5bfd
- SHA1
  
  c2ab46c1a27ecf22dcf17cffca96ae2ff56db740
- SHA256
  
  2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0
- SHA512
  
  b35a0a8966a90919ead835eef4a563ff79e70eeab92ac2ef2139b7e939a5e8c6ee8177e2fdee515a7230c1806d52251de4d92d9090b657f0654831c7fde662de
- SSDEEP
  
  196608:PvlQF2xHG9mT5kszFw1d4zZkxaZzDaC0b8LP3gt8lKKVURWw/RNKE5N:3l02g9E5kszq4zZqwzD30biPwIK144RT
Score

10^/10

ffdroider smokeloader backdoor stealer trojan upx
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- FFDroider payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

FFDroider payload

SmokeLoader

Nirsoft

UPX packed file

Unexpected DNS network traffic destination

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2