ffdroider

General

Target

42909ef96fc66ee4ad2b1182f06ecbe6.exe
Size

3.8MB
Sample

231231-qegsxsadg2
MD5

42909ef96fc66ee4ad2b1182f06ecbe6
SHA1

9ccde9b068c6dca4172df09853e8b9aa9dcded94
SHA256

4cafb22334d394a75bf299e8b582791b939af7d462c79b4423948a34f364481b
SHA512

e54ef137f1a12fa1c77090ade5e6fd5c404f84a5c3d0b9227fe95eb72d30e6d03fd0431c265569f7b08dc5f416973081264aa3d634399f30ad273da8f4559f9a
SSDEEP

98304:Ub9fEIQBU9HIJ0tyFximjgX7dJw1mLPKZ4ygx2EjufaWte:UpfEIvdIJ0WxHjm5JwSiZ3rEAaH

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

ffdroider

C2

http://128.1.32.84

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

C2

92.119.112.202:13340

Targets

- Target
  
  42909ef96fc66ee4ad2b1182f06ecbe6.exe
- Size
  
  3.8MB
- MD5
  
  42909ef96fc66ee4ad2b1182f06ecbe6
- SHA1
  
  9ccde9b068c6dca4172df09853e8b9aa9dcded94
- SHA256
  
  4cafb22334d394a75bf299e8b582791b939af7d462c79b4423948a34f364481b
- SHA512
  
  e54ef137f1a12fa1c77090ade5e6fd5c404f84a5c3d0b9227fe95eb72d30e6d03fd0431c265569f7b08dc5f416973081264aa3d634399f30ad273da8f4559f9a
- SSDEEP
  
  98304:Ub9fEIQBU9HIJ0tyFximjgX7dJw1mLPKZ4ygx2EjufaWte:UpfEIvdIJ0WxHjm5JwSiZ3rEAaH
Score

10^/10

ffdroider privateloader redline risepro sectoprat smokeloader socelars pub2 backdoor discovery evasion infostealer loader rat spyware stealer trojan vmprotect
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- FFDroider payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2