ffdroider | 45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 04:18

Target

8e33397689414f30209a555b0ae1fe5c.exe
Size

891KB
MD5

8e33397689414f30209a555b0ae1fe5c
SHA1

b915a1cb575c181c01b11a0f6b8a5e00e946e9c3
SHA256

45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976
SHA512

f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84
SSDEEP

12288:nqh8pVbGprmp9giopBtgyMzuoDAloRi5X3FGfwM0A2F37EhKuJ4IMpH:nmrTd4yMzuoDAMipQfAF3+/OL

Score

10^/10

Family

ffdroider

http://186.2.171.3

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/1632-1-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider
behavioral1/memory/1632-3-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral1/memory/1632-1-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral1/memory/1632-3-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1548	1632	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1548	1632	8e33397689414f30209a555b0ae1fe5c.exe	28
PID 1632 wrote to memory of 1548	1632	8e33397689414f30209a555b0ae1fe5c.exe	28
PID 1632 wrote to memory of 1548	1632	8e33397689414f30209a555b0ae1fe5c.exe	28
PID 1632 wrote to memory of 1548	1632	8e33397689414f30209a555b0ae1fe5c.exe	28

C:\Users\Admin\AppData\Local\Temp\8e33397689414f30209a555b0ae1fe5c.exe
"C:\Users\Admin\AppData\Local\Temp\8e33397689414f30209a555b0ae1fe5c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 176
  2⤵
  - Program crash
  PID:1548

memory/1632-0-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/1632-1-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/1632-3-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download