ffdroider | 45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e33397689414f30209a555b0ae1fe5c.exe
Size

891KB
MD5

8e33397689414f30209a555b0ae1fe5c
SHA1

b915a1cb575c181c01b11a0f6b8a5e00e946e9c3
SHA256

45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976
SHA512

f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84
SSDEEP

12288:nqh8pVbGprmp9giopBtgyMzuoDAloRi5X3FGfwM0A2F37EhKuJ4IMpH:nmrTd4yMzuoDAMipQfAF3+/OL

Score

10^/10

ffdroider evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral2/memory/3760-1-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider
behavioral2/memory/3760-6-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider
behavioral2/memory/3760-506-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3760-0-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral2/memory/3760-1-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral2/memory/3760-6-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral2/memory/3760-506-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8e33397689414f30209a555b0ae1fe5c.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3760	8e33397689414f30209a555b0ae1fe5c.exe
Token: SeManageVolumePrivilege	3760	8e33397689414f30209a555b0ae1fe5c.exe
Token: SeManageVolumePrivilege	3760	8e33397689414f30209a555b0ae1fe5c.exe
Token: SeManageVolumePrivilege	3760	8e33397689414f30209a555b0ae1fe5c.exe
Token: SeManageVolumePrivilege	3760	8e33397689414f30209a555b0ae1fe5c.exe

C:\Users\Admin\AppData\Local\Temp\8e33397689414f30209a555b0ae1fe5c.exe
"C:\Users\Admin\AppData\Local\Temp\8e33397689414f30209a555b0ae1fe5c.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
3.1MB

MD5
26096d9c767dfcf837c6e72ad9608777

SHA1
85b8ca023f4f439d4c41992005671f36795f9ced

SHA256
dee92327b3966caf06b1fba0c210115266083bde506a5df356f001202fb83845

SHA512
6e2b0759e2c7684cf19478a1a1b12d8a57a9b534afd4bbd622bfc29fa7e07b3b1bdb4ea1a787cb024d95be935bc4fddcc533521056371e6fe8237ffba9297e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
50KB

MD5
28325e3663e69357bd9e1dbf97544676

SHA1
23c9114fa3cee3b66eeca1334c6e914d0c18e9e6

SHA256
d77c688909e27b896c33bf3597dcf4c044a20567636f7a9376cf41585249f600

SHA512
2c64b592f5c279de77c20ac3edf78c3daebb4d48e08644ad0b5a3df59a2613b3250988fdb831f1bd3285cd829ec3ea7a92b258628d46f6507e31d20dca85b18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9d6fcecc3fd2d37a989a7d7fb95a28ee

SHA1
6ff75a39a0a8ed5cefc5655e2c73ca892a5c4868

SHA256
cb399ad2d26ea4054375c1978c6a0d4851452ed85cc963cecb03446eb0bb7ac5

SHA512
a92946d6acc674555f2c76ef6e051edfb080c678a5b2caae49afa501d0b92bc87c5e60463acab1ef08809000665919d3543b0029ec964b825062c0272eecfdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
044df7685eb82a6f765c3223cb43c1f1

SHA1
68987698b7d0161e68dadc4197be4b7347e5e6f2

SHA256
bfaa0e58a233644c7ac23ef067a60dcd0b14c347452c04443a0794b821fb3884

SHA512
ef63eed35efba4f677674d170d851c66b8b870007fa592b7ff0c3e6ed545dd18f12d47ccb1dcbc569713c6d9d71e9b4310f676173889956ec8472cc9c3c6dbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a41da19e45f315a2ee4a6a207e24ddd3

SHA1
48459cde560c2ff47f15927c6e15aae40472d9af

SHA256
5f07b89090e59ab51d368ec8372ee69930cd9a1b445fcd701d28d1677afe0d96

SHA512
44dd6d0dbef10388e335e27e28c1aa45343a0336bde7fdd9be17a6d707cc82d88ac31131342c9b5f5a7c27524c3c245a3bef06800047bbddead533d0a93eebaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2360f458402413d4414329a473441de1

SHA1
8821e620b553c5224630dbc4a77a232f3736f575

SHA256
87c06bc586fc3d437f1ed9c8a8c6b10d328ee701ea5ffa4bae1286b139277b04

SHA512
44409a34d4aed13bb33edeaaab936daefaa163c7ed9dfc7212143d88c71589c23a974df43318fc698b06fa5da6bdd8991f3fb61e8cbc6f1b26a376dfe5c6ccf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d4da311739f5b6e5ced2f20fc701e95d

SHA1
c4c63934ac9573d74f4ebc53743d09e2e4a5de6a

SHA256
73e9a287143c68d9a5808bc435c53ff802773d68dbc0af386004e4e5d28e20d1

SHA512
04ef8a90f64ffee9db3ee122dde75bc0cca13f7e4e9530ce5bf49b43ccf43735dba78d8ef64d4f5cc1b43c99986313beae847d49298925e409be813d22dd858b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0536d5f6071a7e07788f7c0b75df6f63

SHA1
07e115fb741a8fabc995b55feb417a08b6777cdb

SHA256
6b474ea0d726b2a2c67efa426f1dead1f1b92d82784775321fb77b59db56d554

SHA512
6d4dc8b026c09b38d585215eaf6e868b932fc6f7e75951e0ebbbf385fbc46e9f85098a1bd500a4a2d9d17dd882cd10d5f8f4cde475af24075a26b0c04a0560f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
495ebd21c568c3f51af27cae51168d6b

SHA1
fd5cb87b32a92a234a46683862f0073947bb7d32

SHA256
1711022b2939f7cabee5152922a75c656a3cff75d73ec51fc7496d949df22141

SHA512
8df85513dac41238bd1e0080db0f04a975406eaa8c01823544f28963aef2f2920ab8ce6056fd164f63d689c11c7e98646a8ea0cd469d86454c0034370174abf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
370c3dbe0bc10230f22308210536f695

SHA1
3f99ad81a856b6b65b0e61cb03a4bdd23d46c1b3

SHA256
27723168c9287336c35fc484eff8478267ab0386f718623fd62ed510586a58cd

SHA512
484cc1f983c5deedc4d3ee00bba70f5edf6d008f8c4c39d602f6853f347f123f4a2db4f3fcebc4149f5133a8d4e1e6f6fcd56812efc95f3db99481577be1052d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b6ac3cfff4338dfbc4dffb40b0c3486a

SHA1
dd93f68f0f92cf458294b87869055addb268bcd4

SHA256
ccc163887b0ec0990839a1e4e9c13a4e0367d04417a50ec7871fa533694146e7

SHA512
954c1f973c0c9a87bcde378cead596019d4aa4ff7bed58d6f8eb9a1ae6264a251a88f7ffcd995548bacb6321a1ea83fcd9d5349f7f98f4d774d42543c3e407ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
44840b0fbfdf9493554e033df13079c8

SHA1
b3a6c1d630e1123d066488c14891a075f5ec0b97

SHA256
f7ecbe8df21dfe52c33581a0876afcffb329f5ee7f25cb17b132a29f7a3ce5d3

SHA512
acbfe5ec42676ef23b41700939b5515cd3cf251f2e5bb5f2a12050f2a4d5ae95d8ba1a6cc3eb17ed10bb727688178f687c1bde8bef9d7bdc3d90e7359a345dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
13KB

MD5
0b09223820921aef2dee80f5c5fc291e

SHA1
c3a2805a5bf6f1a45a89ef0b51adb680657a6e90

SHA256
a4de964f8fc2524cb95814eb1fb840d51d939bb09491aee936ee3642c54e76e0

SHA512
f4147806bc3a6c83d6bf1f6b4e9cfefe7b7dda35492ef2a5e972fefbfe9ebfc249cb26840100ec542fb3a27d3f1acfa5c89b481bbf5c7e73265486c6effb6571

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1c2a145f3485aebb3401ddec54025521

SHA1
bb4ef7e543e9a156fb8bf1d3048a9bd181899f29

SHA256
a1a53c6500d2a024bc298ce3e15c987bc9d8d77190f97a2ce3000df808be26de

SHA512
d5955da73f21e23240bb9f46fcd4d728c432203a6633be8b120dfcf968564ddd1f12110b0733707ef1e0b6be234485b98a79e4cd25c3793c81f023e5556a8e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
09999613776ba0fb376752783071dcf1

SHA1
fdc187d9997cf806e121500581c9ccb6e4f0b98a

SHA256
ede18f109a8b9c5105fe02d122b0bf085d73d7ddb4c7af55fbc6f02c665843ca

SHA512
b5723c33c18cecb142dc8e4fd9c73235b72523ad34d27b53dd1aef0f2fb3e855f3121c03e2ae7bac6a8268006a3c1fca03dea7310a34d76fa8f82f8256d36f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f2f48be2e950905b2ec163e66b92ecc9

SHA1
3ca34069069d921dd0b6daa46df88cb757cdbb9e

SHA256
b317aab239863361f7340b45895f5ee218cf63c7f98382b2230043faf1ee8a1b

SHA512
47ef4e2d2c1ffcda2362ceac49d21db6fbc50cb074fae4f496a8087eb22c61b5311bf0b573dd15ea287557bbae69833378aa19ca2ff79f02b771f00473d23f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e5dad73e043f8bcdbc2121773e1a7815

SHA1
b00853a9bb913bfdc3b6a59d720d78357389ac88

SHA256
4dc0489568474fb073cb4f3b43de9dea49415c18babb10c7b3a61c3dca4b56e8

SHA512
f01c390f83ccca90214f9fd31297c9d34fb473e41735e26b704473cbfc21dbe7d5222516c369976bc70e146eb561048885ab9861d2fa07f78cf3631f8727f38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1b841ae56fcdde13be2e640ace584aad

SHA1
d1902cd560fddb7caa56a408c094324e7deed3b4

SHA256
3f5bf51cba64e45e882967a8ca70d51791e48a47ec172e95071edf6abb2f36f8

SHA512
7c373cf91db24c74b2cef63ca55960b7384129485d70151e34679f0af206397abc1a2f69222691159a8f1955894e5ec0edcfd97e28603576eddb550924db1fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ad03050bd8fd3806d0902ce62e5e96b4

SHA1
9957274cde323a0aba764a457490182bfb18718b

SHA256
e9c68cbbcd472d33e2dd38950ae070d928343974a72fadce1e02a1235e9a709d

SHA512
991372a4885c1cafcb6fea1e22b50de270d871db3d1db75cad6abc0eb308906f9fb78dc03589d9b696f1b73502b27fb2a6c1fd4e0d7cd67617cd67cf3c494e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
98cf41f7c5e2bb28bbb0d264d6129b59

SHA1
3d56a41aa2db6ff9d9cbb06817da7f37ffeed8de

SHA256
0b19ec7d9ee622398a359d02925566d8e0e0a85bcec120e3edf9f0dfe9a85768

SHA512
fbd858a2468c3ed0a9f342fb4e0bbba290b4d935dc2f5b7e8530d5b7840aaba819f42bbd5cb26abd2bfbfa2f63ef8fdf1206691c23e4c5dba51f3acede2c03e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0534fcd5262c6bcc9b1095a7cff43a13

SHA1
494006318a97fe1bbacf9b8f4d4e6cf21368ed1d

SHA256
6e01bde38acaaeed430251753f92c49e02d1c55ecceb21397c3396768be92e56

SHA512
c49ecd69795d318b40fd9fc62e2e0f5dac8e203154176ed227b450bb411026116fe0730db4e1716cfa71d99bf05a0b33f9c561b8127a7fec4e044a2b91c198bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9012392a56b4de8c087c824420d66380

SHA1
7e3a2b2914db47ae0bfbf7f25821be05062b5333

SHA256
2f788887ee57660ca2922ffd6e9e77686fe4c2b4ed5eaf6889a9813ac511eb28

SHA512
7ef40ecef58da93ef973d2d89170513bd249d9ebf16529289aa8bfc049f4a2ef10caef503d980b6647506cfb1eef766e4fe209c190ecf7892ab112e6e6eae758

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
96595214d00fd6dc9f1a2966724f9c05

SHA1
83ceb1ab9bd911b7ac0a3055ab4658e0ea59eb60

SHA256
acb146d143ecd0c958864bc7fc62d81580087bf85fbf50ab4721addaf00fc98d

SHA512
3a2aae759747f959c7a660a3f30298790cecaa34ee1d0b942ba00c7fa1c4b2dc58f49a0e9a027cd2b923e7de7909b8832ff2f1b4e505a38d1038efb722f206bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
24bfe42fc9a543cbf43c82d64dbf507a

SHA1
e5e8e7be795512ea1b86323c7538fcc5d556d20e

SHA256
9882086fad43ce1d888ed22ecc95e49ae1d2b0e248064b3833eaf0997d260bd8

SHA512
da51ecc4feaddc96aa5009d44566e871182b7632f044b15f72b8cdc1aa75b8650c5dc3f0fdfb9ac5b775fc409e67c41b4dc1e7ed23bbdac5a59c3c70fea08874

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f87023492df7d6a1f97a4a075dfad715

SHA1
df616977064cf17a469d85e38189b21090dd7db0

SHA256
579459ae7f3574e6b4cd1e04f3f82197c6ef5e599bc9dd051415a9552c6104bf

SHA512
a018750c47f4db7ff4f808f04b401b7ab5e31a4b7025360f000757b942f7522e3640fd9c3835ff8037d99cea3620d7d8ed2a97a27a266b52549382faeb1a4328

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2ab95282be538b1aa25540e67dd66627

SHA1
08b80afa6a7f8b189ca833c2f94f062b9f01e034

SHA256
10735742df44e3a800d080757b6ce3b44f2d5cfe6d369f2709b71e951d9cfd6b

SHA512
8b9c5de76067666403f552d06fff3d2f853e88c3819f83045f14ad7ab1d86b6585b275c047da04e1418c12ad2f497e11dbb61354226e2a8c50c541ace904b1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7043ab48a1050e87e915b9dc9732986d

SHA1
b433d77f6907e236bc2116991ccc8b550263c0f4

SHA256
85b21a41bcb0f3c352b1396633d61ce406ff29c17f77556b5c4f8ddbc581fc9b

SHA512
6a00549dc54c138e88fbeb0978384fb25af50a38a9cd81466b595bae7cd8f8c0d5357a533f29e9e280f84da9382745929399dc61e1e36df29cb45fc099b32b28

Download Submit
memory/3760-24-0x0000000004870000-0x0000000004878000-memory.dmp

Filesize
32KB

Download
memory/3760-125-0x0000000004730000-0x0000000004738000-memory.dmp

Filesize
32KB

Download
memory/3760-129-0x00000000048B0000-0x00000000048B8000-memory.dmp

Filesize
32KB

Download
memory/3760-131-0x0000000004A60000-0x0000000004A68000-memory.dmp

Filesize
32KB

Download
memory/3760-130-0x0000000005160000-0x0000000005168000-memory.dmp

Filesize
32KB

Download
memory/3760-22-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/3760-132-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/3760-153-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/3760-21-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/3760-145-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/3760-14-0x0000000003CE0000-0x0000000003CF0000-memory.dmp

Filesize
64KB

Download
memory/3760-168-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/3760-8-0x0000000003B80000-0x0000000003B90000-memory.dmp

Filesize
64KB

Download
memory/3760-155-0x0000000004A00000-0x0000000004A08000-memory.dmp

Filesize
32KB

Download
memory/3760-6-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3760-128-0x0000000004730000-0x0000000004738000-memory.dmp

Filesize
32KB

Download
memory/3760-0-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3760-117-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/3760-116-0x0000000004670000-0x0000000004678000-memory.dmp

Filesize
32KB

Download
memory/3760-31-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/3760-27-0x0000000004830000-0x0000000004838000-memory.dmp

Filesize
32KB

Download
memory/3760-77-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/3760-75-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/3760-28-0x00000000049B0000-0x00000000049B8000-memory.dmp

Filesize
32KB

Download
memory/3760-67-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/3760-29-0x0000000004C50000-0x0000000004C58000-memory.dmp

Filesize
32KB

Download
memory/3760-54-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/3760-52-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/3760-30-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/3760-1-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3760-44-0x00000000047B0000-0x00000000047B8000-memory.dmp

Filesize
32KB

Download
memory/3760-506-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download