ffdroider | 1dce5d2a9682c811f7c4dd7e4f4c8f26ba35bba8803efe316aabddafb41c1708

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 04:46

Target

d7eb620404874d7f77870f1b1ecaeee3.exe
Size

758KB
MD5

d7eb620404874d7f77870f1b1ecaeee3
SHA1

e281d765ee3facac0140732427c291f1a31d90b4
SHA256

1dce5d2a9682c811f7c4dd7e4f4c8f26ba35bba8803efe316aabddafb41c1708
SHA512

5042740a5f8d650cdce19b07eb45896dac5b76c853a60158b4c09ddbf83f3463ba6789dc93357aad18343add3a84e1e518c9511e0bc1af16ff16966007ad4bb8
SSDEEP

12288:AfZMnJxs7QUxOwR8s3AYxHHu90MnJ33Px1MKU2GLcOPSv8AQv8JyWOOFPDGMi4:AfZMg7QXw2sQYtuHJHpORncOKv8TTWNM

Score

10^/10

Family

ffdroider

http://128.1.32.84

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/2052-1-0x0000000000400000-0x000000000063B000-memory.dmp	family_ffdroider
behavioral1/memory/2052-3-0x0000000000400000-0x000000000063B000-memory.dmp	family_ffdroider

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2052-0-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral1/memory/2052-1-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral1/memory/2052-3-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2552	2052	WerFault.exe	26

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2552	2052	d7eb620404874d7f77870f1b1ecaeee3.exe	27
PID 2052 wrote to memory of 2552	2052	d7eb620404874d7f77870f1b1ecaeee3.exe	27
PID 2052 wrote to memory of 2552	2052	d7eb620404874d7f77870f1b1ecaeee3.exe	27
PID 2052 wrote to memory of 2552	2052	d7eb620404874d7f77870f1b1ecaeee3.exe	27

C:\Users\Admin\AppData\Local\Temp\d7eb620404874d7f77870f1b1ecaeee3.exe
"C:\Users\Admin\AppData\Local\Temp\d7eb620404874d7f77870f1b1ecaeee3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 184
  2⤵
  - Program crash
  PID:2552

memory/2052-0-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2052-1-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2052-3-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download