ffdroider | 8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207

Analysis

max time kernel
105s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe
Size

1.2MB
MD5

2d751ef0dd4aeb0f1413738822697da7
SHA1

45101cb9a786c59d94a87f27cec7d402d5854669
SHA256

8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207
SHA512

5eae75df6c7657f873202968164d51297f3318b1f0c1a505c1e7f49e961939ca8026056879911648af7c83f1a854042414b48d549337a348f084fcd96b7c50c8
SSDEEP

24576:H5xIlrhX1p0AmmfLlmTqhtMhzrZyWCFRahDOv6uNQXQHrZ:2p5RatpuaX2rZ

Score

10^/10

ffdroider defense_evasion discovery spyware stealer trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4000	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe
Token: SeManageVolumePrivilege	4000	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe
Token: SeManageVolumePrivilege	4000	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe

C:\Users\Admin\AppData\Local\Temp\8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe
"C:\Users\Admin\AppData\Local\Temp\8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4000

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
fcfd769b80591429db8c6cdcbbfb0021

SHA1
00169e621a6a791450c2f52b8575a00b18cba386

SHA256
6c30b50dfc5a2c1b733d229d8e9ce916f7cda633f554cbb14846239dd84f5bfb

SHA512
6b52e425d9c1b73443127519d6e97347e856ef4356c4c1e18356637acbff8a2f72f6895b70dc83223ebbc9495c570c897a8ee63b01d613993fd235874b092126

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
62ba6d52b7fadf783aa6371f903f5cb2

SHA1
f3a54c575ef6cf5513a6574547cdd425aec51e8e

SHA256
640c22c8f2e3e3e125381998243684cda84567d1d7e46575369787c67823ea23

SHA512
3e6c602bb12c0215c4446054af20737e9efca0c533cdefa27294cdd03e258b1bb5eca9fd28d0d566dc56bb26657e4044c2706a6b94ab8d9e11a0e489402c1e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bc86352bbca2cf60bd0108400345350e

SHA1
5f6e98d4f02f8548f3527268c8a8395ce7f9ff84

SHA256
b0b263d931d6b2d87f33d3371eb130cd06c8eadf668af15f59e9d65051a7c9b5

SHA512
258ce82d6956698328c82900e95e96cee521d0a47605068eddf66ed0bf6ef73f83d1a91f3608ef179590e0c84576e483a2052803838bfee97be9b17bdf40a9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e14d22d0862b005fde64b66cbf415aaa

SHA1
6cc3af3b89ec375c2b9efa68ceebf74baa850266

SHA256
602a6ca203ca43e8e81bb468f6b1a07843811d7b7070fd638c1797a81b8a16b2

SHA512
91a0c4f44e8223b5122678916fbaac6864ee9ffd246928dba44f4741d45b560845d8c8b9d32aaa66bff4444f4a2e5c236d73d598472c70d8a8b71afd63e86f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d59dd5bf6fa45cc3d2f7eed3b662f410

SHA1
f1fbb2cc4096860a9d0c3144de46fab14987133b

SHA256
8b915831fb59c87dcea73240bd315256c5428215648696eba2b8555f79094814

SHA512
71f60ad74e3061232ee2210c74069391afa329eda200f6c964bd89c0981fc705effb214871a92224fb240252602fc894647c1e5b88cea53c67dba743391c4d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a769bf6875f09d2573283500dfd2d646

SHA1
8a25e2a828a36b8f405e9a05e121eebfcc549ddc

SHA256
e2d3a1171d6f248265899474824ca4d7117a2a1da9a2b2d066f5c7c717469290

SHA512
fdf13bab6febba0c376ea0507c85d0a3544e3481258c213d9e005f91e08684a954d158237ff98c6baffc7e256839bf959773698196b3e0344705cbc60e2387da

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f296b6e0e96bf91195c620317c7279aa

SHA1
6bb852bd60dff1cfcea530c102c14aec926463b5

SHA256
f806b9a122e4d3c9d69a245521f48dd7d09f51a9124927796208865aca7e9601

SHA512
8d18e595ba11ad0a4316a9db9ed8174e356df8d642dfea292e0fc4bcaf790d78665fb566623eb8e37c4c565660fae08dc90ae4440ee6369243f08d80eb03749c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
240582661807a6961960713b90b3fb04

SHA1
ea74ac608defa9bd2a051ac4300a0dd7fffed43a

SHA256
b89ff7995a0b59f3c2f5a44093bf0b023552f6478adbf3a542a4e8600622c3a0

SHA512
00ce00efa99201236df810c565005fbcbc51332ea276b988daf5045aa4944d5478fc5aa95e5cea335405427a62d64ba0753cc28b28644989f66882aa054904e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0ecc565cc9d5ce02c7f9151e5501a7da

SHA1
53ebb8423a150ed95be33123b28a2d82179ccbd6

SHA256
6c716334a4cb577d710cb5f2149a0bd4ce3e7003168de7c1fe95c6cbb26bd9cf

SHA512
43069fa7b7c492a33b7ee6a8dc72cd3d0eaa51c82f1aa1ce4b6572d3f9d7b1c3bf728b46bda3d060c7f5741573186a902356a1cb4cb627d2ca204c101c2c17f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d5f7c89dc309fd950b43b9ab085a3512

SHA1
b5c15b0b3ee0491e5ff86a3fe2c6f5353f9dd600

SHA256
7295ea37f2ac612dfeee7bd4cddd882ed4d7271387508edfe2543c7bb5e6058d

SHA512
8df9690670ce3b872350628c6027df39622d869c7d1d2f13db8c67cb129398195ea1c7a1307170003b58f1066731e957847410a03766871703f8d79906437b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
85cb7f9196b18e4a85b170225387906b

SHA1
cbc7dbe52f5339809fc8f6a57ee136438172152a

SHA256
b67a01bac40966fd33531e51b15257118f8ab6f4a2b99efca5d38f6452da7018

SHA512
3d0e2f7130e63c317a67ca401f6dbe41fe73a0c99b5d42a2d914e7eaa12c47606e56788a979e54b77c309683cf0c3b0e161433f23bb9339fc56db5b9682d8474

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
46d5f1320da66a86ca885792451f8f7a

SHA1
15f5f845870f1a5be3eec697d8eb39f6e9cce6d3

SHA256
d843302107d9329ad690bfa90f5f92a22e80b3d3fb2cfcccec8c9fd363806955

SHA512
4f0a0cf2eebf587441480bd35659c5272912edd259895b7a5d9e75bad2d44ddccf96e95e4a9aa5e1402717371b36290d471c6594a010b3c543c4bd0f892204e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
07d226e714e1d53191c1644392f0fad0

SHA1
ecb69330716811c7dcd43d49e31701977352665e

SHA256
b3e736e13191ffb5655a923a9a9d816e8310c4e22e88b9355d2eb9c3de7584ec

SHA512
9e28b5e6a35684cd7bc235e337c5f0d27c562f86ea734f37a5eda6dab29e1772f74bcfaf49c3404d1217722aafd5379fa05597ce3ad26b3550ecc511d43dd2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
67004ff42932b9191b33f27a109dd564

SHA1
6278f720ec4b9b44988c313ef0a12e81794ae81b

SHA256
3d03a296af405d9f6fa6c6e22bcce9fac5e757af7a67f885b1be7e6c734de1f7

SHA512
f1664619971e8f1351e9028489bcbd2ed2cd8bd1980f975ac87f860f563940b20dfe6c76f05c0db4b4cd6d891b2e35e1cab2b486474bf164d61d9a256abb6849

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4e5c61dc9f9608f3a0155e9a60d5d77b

SHA1
394f4ec21bc7cf5470623b4f7ad27b434d1b3fc3

SHA256
7e0e80cb988ef4381714774c0de65146b01a4608058994e1312e9cc124c9a06b

SHA512
c5650925760cfef0dc0f98faa30d72205f6c1addff284cf6ce0d2af184f9d3635c3a83eaacc5fb99b1252b188e0629d71a2e5e330a85a1878744fc7a505a37f4

Download Submit
memory/4000-63-0x0000000004210000-0x0000000004218000-memory.dmp

Filesize
32KB

Download
memory/4000-2-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4000-18-0x0000000004210000-0x0000000004218000-memory.dmp

Filesize
32KB

Download
memory/4000-24-0x0000000004550000-0x0000000004558000-memory.dmp

Filesize
32KB

Download
memory/4000-17-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/4000-71-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/4000-73-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/4000-10-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/4000-4-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/4000-112-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4000-113-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/4000-121-0x0000000004190000-0x0000000004198000-memory.dmp

Filesize
32KB

Download
memory/4000-124-0x0000000004190000-0x0000000004198000-memory.dmp

Filesize
32KB

Download
memory/4000-125-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/4000-126-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/4000-127-0x00000000043D0000-0x00000000043D8000-memory.dmp

Filesize
32KB

Download
memory/4000-128-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/4000-50-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/4000-141-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/4000-149-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/4000-151-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/4000-0-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4000-164-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/4000-48-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/4000-172-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/4000-174-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/4000-20-0x00000000042D0000-0x00000000042D8000-memory.dmp

Filesize
32KB

Download
memory/4000-40-0x0000000004210000-0x0000000004218000-memory.dmp

Filesize
32KB

Download
memory/4000-23-0x0000000004290000-0x0000000004298000-memory.dmp

Filesize
32KB

Download
memory/4000-27-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/4000-26-0x0000000004800000-0x0000000004808000-memory.dmp

Filesize
32KB

Download
memory/4000-25-0x0000000004900000-0x0000000004908000-memory.dmp

Filesize
32KB

Download
memory/4000-300-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download