ffdroider | a222934b1c6c67ebf726df4f5840b3de00f0d6ddfe6cb9f6f6f11e0ae1ea2770

General

Target

2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe
Size

1.1MB
MD5

14196d68dd0ba86c495e0ad66097ac3a
SHA1

3c90704f1480a9ff18e09d69fedeed0a8f6b80d3
SHA256

a222934b1c6c67ebf726df4f5840b3de00f0d6ddfe6cb9f6f6f11e0ae1ea2770
SHA512

4ca1627d4a171ed5070019a96dc0fcf078a21309b7d1add1c61c7db95282df03bf1835f19513962565672d298dcd71bf602ed8735931bd154467d6c5eebb798b
SSDEEP

24576:rSMR9ShOWpqJ5+CYhJyQt6gfP7ZD+wYUSSUPQ5bzqBDjNrRgjqMvShX:8qgl06yQ5bqjBCjPSZ

Score

10^/10

ffdroider discovery spyware stealer

Malware Config

Extracted

Family

ffdroider

C2

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4200	3932	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3932	2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1292
  2⤵
  - Program crash
  PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3932 -ip 3932
1⤵
PID:5980

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d3f49f02b667bb7400c23d83acb71851

SHA1
b62a02c992d864b199c193158b7df25bd90f9abf

SHA256
f1bd2963f27286128a9813a31ecfbb0b7c6d7b1f8ec49ca9a38dfac52e691c90

SHA512
63216eee3b833f2fab257f7664c38b1ca2a3dfff3612aba7bc30ac1cb1791db9aadb4abbbb16d42320b78ed9695e7429cf78b2c74a39e6a1c4dcaea84970554f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8142ec84dfdf467da271ad00674a19bc

SHA1
84b2ba14edc3ecbd2f564e1e199054bd342dc8e3

SHA256
784d689c7d60debd1774dffe59e6fa4aa4cc8d37932d6f9ad1b16f1af3472090

SHA512
91ae5553121038db7091be15abff0a0c9b89b605ecb5e6199a68dc99f59026290e3909158273eee392f4cd62c8d7c5b9877e6c7879c850a88207ebe760f8c9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d608eea8afb0c5b50a321506c02cea80

SHA1
6c694c5e392e13032bfd947e5bf0782f0e2d8da0

SHA256
bcb6e842e19a27411e6e9babd3d895745671d23ba92060ce154db63e7fec74bb

SHA512
67b8263b7da57e34642a90841400c80dfa98ce8d73a8737285a0dc968c068698c15215a44c53717d83b917458c38c2aac664ad3541d48f5ecee685960c679374

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
ed5c6f9e77344be1be2bc463ff763ea2

SHA1
693bcfd91b1038a88b14bad86ad260d7229fdac5

SHA256
4ffa5d9da2a2dfbe4c9b7148e0ddb3a58867f6d3ca8a7f7197d4555a1253c147

SHA512
8e3cb7a2b5f893038e15c18805656b265fd826514ba7e250390f063306961dea100da324d4b542b5859308d938b1cca59bc5d519a6d187da882af17e434d2ecf

Download Submit
memory/3932-26-0x00000000047E0000-0x00000000047E8000-memory.dmp

Filesize
32KB

Download
memory/3932-40-0x0000000004200000-0x0000000004208000-memory.dmp

Filesize
32KB

Download
memory/3932-20-0x00000000042C0000-0x00000000042C8000-memory.dmp

Filesize
32KB

Download
memory/3932-23-0x0000000004280000-0x0000000004288000-memory.dmp

Filesize
32KB

Download
memory/3932-24-0x0000000004400000-0x0000000004408000-memory.dmp

Filesize
32KB

Download
memory/3932-25-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/3932-0-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3932-27-0x0000000004650000-0x0000000004658000-memory.dmp

Filesize
32KB

Download
memory/3932-17-0x00000000041E0000-0x00000000041E8000-memory.dmp

Filesize
32KB

Download
memory/3932-18-0x0000000004200000-0x0000000004208000-memory.dmp

Filesize
32KB

Download
memory/3932-48-0x0000000004650000-0x0000000004658000-memory.dmp

Filesize
32KB

Download
memory/3932-50-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/3932-10-0x0000000003700000-0x0000000003710000-memory.dmp

Filesize
64KB

Download
memory/3932-63-0x0000000004200000-0x0000000004208000-memory.dmp

Filesize
32KB

Download
memory/3932-4-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/3932-71-0x0000000004780000-0x0000000004788000-memory.dmp

Filesize
32KB

Download
memory/3932-73-0x0000000004650000-0x0000000004658000-memory.dmp

Filesize
32KB

Download
memory/3932-2-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3932-95-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing