Overview

overview

10

Static

static

3

0577fa4481...42.exe

windows7-x64

10

0577fa4481...42.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442

  • Size

    3.4MB

  • Sample

    241219-ykdx8axrgy

  • MD5

    99ca4fb276c60eb9c9a57c168d36d9fd

  • SHA1

    2f1451025754967e328337bd21498fc991bdeed7

  • SHA256

    0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442

  • SHA512

    1469cd4714ef8afa9293f77e61207f0ec0a65e947f1182fce6f7557529fe517de20fe7ff2ab049b74c56de2d82eb9edae5fece7a87a67e0ccfa86f86ef757aca

  • SSDEEP

    98304:qaKslt88xE2TXCzBA8intj5IVySsKmj+OO8u3:93t8+UFAvjCiMV

Score
10/10
fabookieffdroiderraccoondiscoveryevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

ffdroider

C2

http://101.36.107.74

Targets

    • Target

      0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442

    • Size

      3.4MB

    • MD5

      99ca4fb276c60eb9c9a57c168d36d9fd

    • SHA1

      2f1451025754967e328337bd21498fc991bdeed7

    • SHA256

      0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442

    • SHA512

      1469cd4714ef8afa9293f77e61207f0ec0a65e947f1182fce6f7557529fe517de20fe7ff2ab049b74c56de2d82eb9edae5fece7a87a67e0ccfa86f86ef757aca

    • SSDEEP

      98304:qaKslt88xE2TXCzBA8intj5IVySsKmj+OO8u3:93t8+UFAvjCiMV

    Score
    10/10
    fabookieffdroiderraccoondiscoveryevasionpersistencespywarestealertrojanupx

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer V1 payload

    • Raccoon family

      raccoon

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks