Overview

overview

10

Static

static

3

7ddf5c869f...6c.exe

windows7-x64

10

7ddf5c869f...6c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7ddf5c869fe110170ac9c29c01d1f56c

  • Size

    7.0MB

  • Sample

    240128-yrv53safgl

  • MD5

    7ddf5c869fe110170ac9c29c01d1f56c

  • SHA1

    32a6e107399e1afa6e3a0d7efc086fe12fe5225c

  • SHA256

    4f51e87555adc3b2b1246354e767c52737d30a1e0b2372e38e9c0883f37f6d75

  • SHA512

    b59a746baa31b3d3936cdcc2ef0ed3afa1b9942358faed38cd68e7ffd92c237a1c3caebbcf0b0e7e6df1f0d3437434199dd871be332fc57b59c9a4c7ad21e598

  • SSDEEP

    196608:it0YTgHgUzjMHERRTNn3IeXgg9qKJgfL4CDs:gp0RRJ7Xgg9q0aLBs

Score
10/10
ffdroiderprivateloadersocelarsvidar916discoveryevasionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.171/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.185

Extracted

Family

vidar

Version

40.1

Botnet

916

C2

https://eduarroma.tumblr.com/

Attributes
  • profile_id

    916

Extracted

Family

ffdroider

C2

http://186.2.171.3

Targets

    • Target

      7ddf5c869fe110170ac9c29c01d1f56c

    • Size

      7.0MB

    • MD5

      7ddf5c869fe110170ac9c29c01d1f56c

    • SHA1

      32a6e107399e1afa6e3a0d7efc086fe12fe5225c

    • SHA256

      4f51e87555adc3b2b1246354e767c52737d30a1e0b2372e38e9c0883f37f6d75

    • SHA512

      b59a746baa31b3d3936cdcc2ef0ed3afa1b9942358faed38cd68e7ffd92c237a1c3caebbcf0b0e7e6df1f0d3437434199dd871be332fc57b59c9a4c7ad21e598

    • SSDEEP

      196608:it0YTgHgUzjMHERRTNn3IeXgg9qKJgfL4CDs:gp0RRJ7Xgg9q0aLBs

    Score
    10/10
    ffdroiderprivateloadersocelarsvidar916discoveryloaderstealerevasionpersistencespywaretrojan

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • FFDroider payload

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks