ffdroider | 6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 09:01

Target

3c7117f96c0c2879798a78a32d5d34cc.exe
Size

955KB
MD5

3c7117f96c0c2879798a78a32d5d34cc
SHA1

197c7dea513f8cbb7ebc17610f247d774c234213
SHA256

6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512

b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
SSDEEP

24576:w82jSDss1H+s9gbxBRlq9L1LSLf2cCYoe+bCV9A1XEh:w82jSY2MxqzGZCxGuEh

Score

10^/10

Family

ffdroider

http://186.2.171.3

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3032-1-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider
behavioral1/memory/3032-3-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/3032-0-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral1/memory/3032-1-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral1/memory/3032-3-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3068 3032 WerFault.exe 3c7117f96c0c2879798a78a32d5d34cc.exe

pid	pid_target	process	target process
3068	3032	WerFault.exe	3c7117f96c0c2879798a78a32d5d34cc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3c7117f96c0c2879798a78a32d5d34cc.exe

description	pid	process	target process
PID 3032 wrote to memory of 3068	3032	3c7117f96c0c2879798a78a32d5d34cc.exe	WerFault.exe
PID 3032 wrote to memory of 3068	3032	3c7117f96c0c2879798a78a32d5d34cc.exe	WerFault.exe
PID 3032 wrote to memory of 3068	3032	3c7117f96c0c2879798a78a32d5d34cc.exe	WerFault.exe
PID 3032 wrote to memory of 3068	3032	3c7117f96c0c2879798a78a32d5d34cc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3c7117f96c0c2879798a78a32d5d34cc.exe
"C:\Users\Admin\AppData\Local\Temp\3c7117f96c0c2879798a78a32d5d34cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 184
  2⤵
  - Program crash
  PID:3068

memory/3032-0-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/3032-1-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/3032-3-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download