ffdroider | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b55bffb97ebd2c51834c415982957b4.exe
Size

1.2MB
MD5

9b55bffb97ebd2c51834c415982957b4
SHA1

728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256

a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512

4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2
SSDEEP

24576:0G9h7lhNYhemeqcCLtbvL8iNJqzM3cITaF3+pJiP8LXloL5113GrfhM59ta:0G93SemeqcCZvL8i/qQ3ccJiPiXOL51C

Score

10^/10

ffdroider evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral2/memory/4512-1-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral2/memory/4512-6-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral2/memory/4512-506-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4512-0-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/4512-1-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/4512-6-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/4512-506-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9b55bffb97ebd2c51834c415982957b4.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4512	9b55bffb97ebd2c51834c415982957b4.exe
Token: SeManageVolumePrivilege	4512	9b55bffb97ebd2c51834c415982957b4.exe
Token: SeManageVolumePrivilege	4512	9b55bffb97ebd2c51834c415982957b4.exe
Token: SeManageVolumePrivilege	4512	9b55bffb97ebd2c51834c415982957b4.exe
Token: SeManageVolumePrivilege	4512	9b55bffb97ebd2c51834c415982957b4.exe

C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4.exe
"C:\Users\Admin\AppData\Local\Temp\9b55bffb97ebd2c51834c415982957b4.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
7bc5f3b30515896a0c26261da80af15b

SHA1
57224d0b2140a7cc86404eb31f8a4e2992fec56d

SHA256
f2c3a31779ded5c3bdc3d22a65aa10cc547a7a8ed6786a4cf316e544b1fd0b69

SHA512
2d8a87b166d7ad4c0222425cad97e4c736d31a5779cca248ecbc738cdf4169f56c35b1124fdb201d1cd9d8a3a3f9febf76d9879e0202dfebb4cfba7edf83df08

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
51KB

MD5
dc6ee14e80b10b95dd84028a2503306e

SHA1
ac12bda485f6eef30b6f41aeeedb70b6fd6575b5

SHA256
ea9a10e0948cf3522fea4e6dcedcc7ce07cd8321dbee0ce7921c9d9b5f2c54c6

SHA512
c3bc85357514a1fb441cee6c4d164e3cfc4437066bdc5e49a5aa3ff8c079301f9a846b03851a916837298487c60e13f03d094ffde3b5b7eb986e2b7a1c50c5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4802ade96fb6d4f444b08b9354006a0f

SHA1
875aa8cba597e3704ec6d2c7ee58a289592d10c6

SHA256
fee8acdbf8b2a53095f1d479790b45f939530988614f36f3e74ce1698e15996a

SHA512
e684ff4fff01b8bdd466772a5e3155a9e9a957c79679faf067deaa4b7517df7973e806448bb90dfed44f541b8cf4555f88075860263255658e737cc31f14161d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
68c30b9d5a244f59f45388e4100a576d

SHA1
14be4332ca86da2325408b75ceda7c2c808ff220

SHA256
ac4b55fb609c019b9f1b7c802a883d707bb7473638a4949158af52f77cfd9072

SHA512
a0d4899719e10daabdae4bfe816dafb6d4c008f2e8a9d957ff9e77eece21d88a229bf6ea28bdc1c38df25066c01ba14f42ca66320c487f3e0d237a9f95a7eb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6c80fdfc2d9c85eb39d5cb7642d203e2

SHA1
302bf2c9148a222356156da1ab2d442b4cc993e3

SHA256
608d093fdcac235c99215308220c15d3dfacb7d3d16704a4e30b5135b220abb7

SHA512
ddddb14d1d5624b8557af6cf5134ac23f6b77e03119b6c762ef11dc0c88b34e6706b90c47dca251c0f3f682cd26c8aea665637f25add7347d6599604c9811c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
646a734d601f2d89b61bd22bff79d331

SHA1
f4b9eebefc85ad93e8b1d106b209157b1efd6046

SHA256
2616d44208a733200c3d2c82e873e5d063700b6beebb7c2f321ab41cc769df6e

SHA512
4030dd5caa0b27a4decc4870b1302be986780ac784c1a4ef66ab47794aea79c47e442534f95cdc445187213645a2506a5f1b39a8791c22dd7047a29e965d1680

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6f893b2ebbe1b20bd2749372afee4c6c

SHA1
430f0b7529faa27220378bca32507921b20f61c7

SHA256
7d7591e112eb2e5e1e5c51f3e0d39140527763d80a85a29094c6be79c52e542f

SHA512
57c7d879bd99742609d40c58ca599f22b86504209181b23d2a43827ad2ff468c28352ed92640a8537cf934b4aa6d761af76973aa857eab24195e3a5b9fc2f263

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3c03ae0a3277adde4c0f52094e24cc20

SHA1
6d39188f337810c0d68dfbbada062df00dd8a279

SHA256
72b7986f844f9bc91a14d2fbd38b3e63a2f7040208e9c3a531567e0ef55a00bf

SHA512
399c341460dfb9e89d3a5f60ba34e1fdb40934d782d87fc4f799339f4673f282ff88c7d2a71616983beeb1e350c28426b1607b3ea3cf44914c866500a8d4bf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
51385b8f8434bec45d9cb5745517798c

SHA1
b787be46cd29be9fe956d1a8fbd1509778773bef

SHA256
9635774ce4b4c5f1db549ed3d55f982b0e37099b7d1636c838f4d590af38a1d7

SHA512
6fb49c07222f93f2cafdd68f3f48b24f4760b110f5a9d595692f8df06b49b8b1d3dc9ccd262d614c9d5fa2a1013611fb0f9a85e3cc7792c1404ea2a064ffa23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5c8afc69f16b64a0e3df7f0c98faa750

SHA1
d79e40ac49dd0d35d0214c1481e3d1cc05f1cb36

SHA256
e806c2e2c363a0ec693689cc1960838f34aa485d86c5b4658af3e2eef2da1387

SHA512
8ae1f3de78ad0fff28aad5009f88b8e6261d72a88f0412769d81ebdc61f7a890b54e4e4ddc75f5a22173ee1774373ced37498dcb61047e0dc55487bf005a29b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
341d75c38fc2170ca310cc0642fcca5c

SHA1
2717e1bafd1e14fea664e2a9b2526d59f59fa1a1

SHA256
c8aac8c7b819ebff306d0bd4c5538957ca9459ed124979456aa5a7a72eafe681

SHA512
12ffc5a8695edea58f777c2e5d7569f33c2764171433a81062db5e7452ba2a415344bbb64fedcbe6e3519dc5a8876db9cae5e2088dbe5a8ec9b74e2a775f9b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d8378699e5707608609e06ae238d80c2

SHA1
d718af3849b79d7049a5a1c569baec0bd1ab0864

SHA256
ba7a7c881c388d8a04774750a4bdc1dbcf80afe357445a064574bf6033c91636

SHA512
8a4a50a07e45a0b57d6b39e14c2b90a2377087ede97b7a97ee95b5e302056649e69baaaafb500afc330ad3915fb00bce67d262d74f26fbc921d49b6c9a0ed0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e912ffdf224bcc04fc1bb01b3aec7041

SHA1
d616451e151de51bbfb87a37ca24a214d6c89af9

SHA256
8c964b69ef5f16201cb921aeef971b79366517592e8ec3293d82ae00a7b27a46

SHA512
09ca63e54c6dc941021357898ac97f70fef6c263fb9b00fe04a696afc42fb54638f2133df568e66f24a3265804c74b7470b39a1a819d1e5ba66462d34ac15117

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6d4c5223ab5a5fc8f2f5716bd02483e2

SHA1
8ae8c43de8d7011d830406cbda45c59573daeaee

SHA256
eaf0b5db1ff7caa959e30156262790f801d1f091dae396564dc1aa6d77fc19b9

SHA512
96fe055effb3f7508042678c09ca05e0ab4d85fae0da404338f7fb06c36c55286a5582b7a4de80a4975fa4900124a059b7c93814971cda6f40c2a8a5c9dfcd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ec61cff1df2c4aa734d9b14c8191dad6

SHA1
98ee47074a5018775015e1715ef9c62d5e51825d

SHA256
39b4e737f331e3aff073d49d5b70f71a09dc997d90d70ead82181edc33408539

SHA512
1015b448c3e3f0bec8f5fce02464c889d3f922af24628d340c6d2c3785b7180be882bed6fac61792f3deae5eb3ea96787edc364537c4debdf0301b65968d2a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5466042fa5b0eed7cbee63626e59cb87

SHA1
4d4f40523203b4100edf1dc995056efabb45680f

SHA256
8553bd4d91504b6eda64c6daf09e6051755ad6cbe93c1030ebfadb66d6665fc0

SHA512
578689d0c4e45c9c41a8ffe3a67e531c1cdb1ea9eba2d2b16fa5fb3e42cb6d29d7d352286033b5be8032c57be14019da949f962d59260d7ed7af2f8936ec7391

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
579f11651d5b38ed53fcf7301edeec84

SHA1
8591bda4b611ba9591911c3760d8349a1d01429b

SHA256
ae50d7a00ffd9e995225823a9fb99f4730b56fbafe097f0e195c22700b2d010e

SHA512
8c4e0217bb699179f9200a144dde6695a150c4ffe1af169b632fff62a8ed7bf61b54267251c3e838b00587dcb88bd8c3867c61bdfeab50bf32ec9079eb1e3479

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d6871f52c58662276fb13d30f32cde36

SHA1
cf924f49fe6f68f813768652138df174ba7b4fab

SHA256
ac9bbaefd93b4ae6bbce386371a8eeb0ed79e0feedb1509c296a789db5a2d35b

SHA512
f20e4c8d12f02a522544dbc0e76f81ee08dd6882fa92b69f8d5081a8f5213804cb98716f000cde53aff77a54db180be5343606055bee8170c6f851b8a0a73f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0a5f10e5c4f9ae0a15776379920581a2

SHA1
2368c5b6a16257bc933a8b6488b3f9cd3b30cac8

SHA256
183ffa5864e2e6c15dfd3eea17909b8f206c729c7517e46da5be5abe5dcbf24e

SHA512
9e7a7f1b07b7c9bc231814627ad195daddc4d345834c2bdcf422861e255ec4be431036f69d330bc590d683443eab6e3cebdad86bb978929597a68e54beb9e3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
84c5a46e2e3c2652154f621b45a19b25

SHA1
9fc2e21c0b74045c644ee0e3ae9364c0521ebdc4

SHA256
199fe70eb25c05464fc45526f02e1d381fc2a9ed1bfb64e5a8b628577d109bd0

SHA512
07042c8af3285119d791cfa1d64c8639892f3f6dc6685352f2e01114ba1479dfb622db5ab3eb80cbe8bbf657b9a83238ec214b0321613d0715a54e545a84e0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6079f4d70bcfe3d02f21bc80464cfc72

SHA1
4613d2e75195a62ce8fe0781f4491232c9a5fcd6

SHA256
662498e211d68942801b207e331ee5d7132d97e6b04b7a5c096073dacebfc7a5

SHA512
33d90f976c39ca32e1eb9c4c90f479db4a88eb9d2a152f9b4bc7006bd729f6f6e12c1fcd52810b55ae44a90cb92bd12c7088f8c83e7208debe09998de9016ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cb5ce10131fa4e8bacc0831a35ed818c

SHA1
fe75ac46d9a287571ec471ae8a049ffa7b2678e9

SHA256
8d18c9e695a11e6bb0d6eccbde47d267cde8c18c04d5aead57ca4863dbd0ce1d

SHA512
afd1f7602867ad9e4e6af13ad4c367325502c466535e4b8e3f2ccb7b2a9eff5c8a188e6aec5231eaf5d6391e3e9f17152517882395054f5c0e7817c71fba9461

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
26ed062bfeb99699800139f7976a40da

SHA1
34852ddfd9693579895b4abda5fe8aaefe03bc37

SHA256
78ba60011bb5fe9cb6063c0758316f98d6507e9f50dba4bc05ea86fccb3f7135

SHA512
e171c3c560e6f479d38d12edaa0f1e9000e151f4d3d63c2641c09da133b98e9f67729371b25ca2bdde6db9c76123ef6d9ae6bcda6d304bb1cd8e57bbc938d59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7a4fb8a69f293ec37ce1a501cfdda6db

SHA1
c1fe6f671de1c5f6ab310abfac72e1612ec7527a

SHA256
635ee73fa19e724c078f0c06c6fdde61e29d01bcc8af5dc1d659a16959a7f3d6

SHA512
6bd0ab652182e78534af0afbd78fb5a2fa0cedf5bbe512af5872576b6c1a159c8b6d8f727d4a2a966540f9b388520ae9a4762561364ae08844ad317cf7f2a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e1f4940900f64ff57d0fe1724b8b755e

SHA1
cfb5ebe52878b7e07e181e9cfc754055c7cd1bab

SHA256
b76772c7af5aab0bcca0f47adf3c48cbfc55391019a9ba068a0e11d274ce7215

SHA512
fe5a4c68d31bcc8aefd988d0836d9f084628dea90fafd12a0e8991653de8f1e5f63e14f0fa1df19b46277e3ad36c19523e94751cbd2fd6f18e81118ceca5c54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a3a603cb2c3c4c3562cc250699ec1b5a

SHA1
91b78bdfe07f63b427535161b151a884026a8f34

SHA256
6bedf4f1979d7d16deb576809dc3ef44fe1257e181f69a54e826daefc36c42d6

SHA512
8a01c5ca85706d2ea1bd92668f034ed80d3b3a7211dd6dda7b341c281bd6a32e304ad3ccf0c3c5fe969d414af007d1432cab07f13a5d4f8a6fe5e24d97996e56

Download Submit
memory/4512-116-0x0000000004680000-0x0000000004688000-memory.dmp

Filesize
32KB

Download
memory/4512-6-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4512-129-0x0000000004EC0000-0x0000000004EC8000-memory.dmp

Filesize
32KB

Download
memory/4512-130-0x0000000005170000-0x0000000005178000-memory.dmp

Filesize
32KB

Download
memory/4512-131-0x0000000005070000-0x0000000005078000-memory.dmp

Filesize
32KB

Download
memory/4512-132-0x0000000004EE0000-0x0000000004EE8000-memory.dmp

Filesize
32KB

Download
memory/4512-145-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/4512-24-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/4512-153-0x0000000004EE0000-0x0000000004EE8000-memory.dmp

Filesize
32KB

Download
memory/4512-22-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/4512-155-0x0000000005010000-0x0000000005018000-memory.dmp

Filesize
32KB

Download
memory/4512-21-0x00000000047A0000-0x00000000047A8000-memory.dmp

Filesize
32KB

Download
memory/4512-14-0x0000000003CF0000-0x0000000003D00000-memory.dmp

Filesize
64KB

Download
memory/4512-168-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/4512-8-0x0000000003B50000-0x0000000003B60000-memory.dmp

Filesize
64KB

Download
memory/4512-125-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/4512-0-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4512-128-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/4512-117-0x00000000046A0000-0x00000000046A8000-memory.dmp

Filesize
32KB

Download
memory/4512-31-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/4512-27-0x00000000049A0000-0x00000000049A8000-memory.dmp

Filesize
32KB

Download
memory/4512-28-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/4512-77-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/4512-75-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/4512-29-0x0000000004C70000-0x0000000004C78000-memory.dmp

Filesize
32KB

Download
memory/4512-67-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/4512-54-0x0000000004B00000-0x0000000004B08000-memory.dmp

Filesize
32KB

Download
memory/4512-52-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/4512-30-0x0000000004B70000-0x0000000004B78000-memory.dmp

Filesize
32KB

Download
memory/4512-1-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4512-44-0x00000000047C0000-0x00000000047C8000-memory.dmp

Filesize
32KB

Download
memory/4512-506-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download