ffdroider | 0e531029c9914e235afd9f2312bfeb6e78303c5afb5e3c5cc753a7825c132944

Analysis

max time kernel
117s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 11:32

Target

3476deb75801446ac3a3df7326dcac73.exe
Size

920KB
MD5

3476deb75801446ac3a3df7326dcac73
SHA1

863b9c8518e6542d69b8b413766158c0f1a2b1a0
SHA256

0e531029c9914e235afd9f2312bfeb6e78303c5afb5e3c5cc753a7825c132944
SHA512

69cf604c777ea7c41353378523686b8e2b5e6912b35f82c0d8ec34aa569975d53f15e085424f8c899b9e12ddf3532c9e7e07a41cd19016120ee4de0a9213ce1b
SSDEEP

12288:mJ63CEYPtxrkzDxQnvfQBao68kZHRfEBUDOumP2f4sWAoBfg7HI1ShDebZB:mJzKDGnVeARf4P2wjBfEo1M0Z

Score

10^/10

Family

ffdroider

http://128.1.32.84

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/1352-1-0x0000000000400000-0x000000000065C000-memory.dmp	family_ffdroider
behavioral1/memory/1352-3-0x0000000000400000-0x000000000065C000-memory.dmp	family_ffdroider

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1352-0-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect
behavioral1/memory/1352-1-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect
behavioral1/memory/1352-3-0x0000000000400000-0x000000000065C000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
280	1352	WerFault.exe	14

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 280	1352	3476deb75801446ac3a3df7326dcac73.exe	22
PID 1352 wrote to memory of 280	1352	3476deb75801446ac3a3df7326dcac73.exe	22
PID 1352 wrote to memory of 280	1352	3476deb75801446ac3a3df7326dcac73.exe	22
PID 1352 wrote to memory of 280	1352	3476deb75801446ac3a3df7326dcac73.exe	22

C:\Users\Admin\AppData\Local\Temp\3476deb75801446ac3a3df7326dcac73.exe
"C:\Users\Admin\AppData\Local\Temp\3476deb75801446ac3a3df7326dcac73.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 176
  2⤵
  - Program crash
  PID:280

memory/1352-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1352-1-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1352-3-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download