ffdroider

Sharing

Copy URL

Twitter E-mail

General

Target

8433fe414ef00a0c1eabb4c12a9274f736715ecb0f73bcc28d7ead059f5f0bc4
Size

2.0MB
Sample

241104-15aseayclb
MD5

f1f7bbb4c32acb4961d566b46ede736d
SHA1

1cf993bedf69123eb48d96b4348b912966113830
SHA256

8433fe414ef00a0c1eabb4c12a9274f736715ecb0f73bcc28d7ead059f5f0bc4
SHA512

86cfca8709d770880095b57593736e4dc05b13edaea2e1e55c2e1c4684992dcbde463311f87c1d7294c211445f4e131f83188acbf3005f7e9da3052792bdd4fd
SSDEEP

49152:oBzO9GyHqRNmI5MDCjOXaRryAj18PMAqOdOO:+OcRoI5MmSXaxAVIO

Score

10^/10

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Targets

- Target
  
  Crack.exe
- Size
  
  56KB
- MD5
  
  7126148bfe5ca4bf7e098d794122a9a3
- SHA1
  
  3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
- SHA256
  
  f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
- SHA512
  
  0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48
- SSDEEP
  
  768:LMyTlenToDMTEp1Gjy76rM9QXPvRePLrlteelLh:LGEYT5y39QXHRErjlLh
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  GloryWSetp.exe
- Size
  
  185KB
- MD5
  
  3eabedf278cd8dd76b23497dad959435
- SHA1
  
  4ca403030401fee6be2d9dbfb4d638e29f9ef19f
- SHA256
  
  a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
- SHA512
  
  6cdffac5c48e0984eed3a2b28a2a49cf13f79da76763848bdd4c406fc14254f4d10d4fd77a6f444321c2e626d8f2f569c01c01ca70939c880b5847573dcd30d2
- SSDEEP
  
  3072:URyxMedEB5tC80rnGbjuzl4kDBWE8Gy3LX2SqfbKLwaGzWWSHTie+CS01I641vyl:4ia/Rbi6NS+Lp
Score

10^/10

discovery xmrig miner
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  Install.exe
- Size
  
  381KB
- MD5
  
  58c203a58312c6121c932e9a59079064
- SHA1
  
  f57f41180fbe8e5dffafef79ea88f707c5cb748a
- SHA256
  
  3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
- SHA512
  
  e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406
- SSDEEP
  
  6144:x/QiQXCjoL8+Ee0CYDTAsdRnhOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7f:pQi3joL8+iDNdRhlL//plmW9bTXeVhD4
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6
- Target
  
  KiffApp2.exe
- Size
  
  83KB
- MD5
  
  1c844fbbddd5c48cd6ecbd41e6b3fba2
- SHA1
  
  6cf1bf7f35426ef8429689a2914287818b3789f6
- SHA256
  
  8f474d9f74192818abf096b2449564ff47f1ab86a14111179bbec73e2ffb6865
- SHA512
  
  b4d12bd02029aab1eb9d609875df98b96391db86f3c0f0f4e82d6814949794668fd3aaba15439383e9a7bacaa3616454f2913222d018e195483507a7d675424a
- SSDEEP
  
  1536:3clLTEsDOLIomkSv6I4eg+8O10vxkeMkgm:3clLTEsUmk0rgJO1SxHL
Score

1^/10
behavioral7 behavioral8
- Target
  
  Setup.exe
- Size
  
  746KB
- MD5
  
  fce837623f5184a71022ae71638c84f7
- SHA1
  
  f89872d03aa84d7d445c447a917dbc118a25d42c
- SHA256
  
  ac0cd27c71d75b6ea298c5169f845ab40e4b5750cb76368c5364f29178e0594d
- SHA512
  
  5cd855b3493e8bb1f17f0ba809efb13c690eb1cc8a12006d2d74a5f8d69a3aadc77718a6e752a5c1455c218fd099895d54dcc41652ea889e41892c49d736755b
- SSDEEP
  
  6144:d/QiQXCh5m+ksmpk3U9j0IF2soxvjFEOTb9WmZX/8shzdsY4CpHPhnZSvb:VQi3hc6m6UR0Icp1hf39Wkv8xwJZg
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral10 behavioral9
- Target
  
  md1_1eaf.exe
- Size
  
  1.2MB
- MD5
  
  9b55bffb97ebd2c51834c415982957b4
- SHA1
  
  728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
- SHA256
  
  a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
- SHA512
  
  4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2
- SSDEEP
  
  24576:0G9h7lhNYhemeqcCLtbvL8iNJqzM3cITaF3+pJiP8LXloL5113GrfhM59ta:0G93SemeqcCZvL8i/qQ3ccJiPiXOL51C
Score

10^/10

ffdroider discovery spyware stealer vmprotect evasion trojan
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- FFDroider payload
- Ffdroider family
  ffdroider
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks whether UAC is enabled
  evasion trojan
behavioral11 behavioral12