ffdroider | 5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493.exe
Size

1.0MB
MD5

bb031b880718e51db71c0a2a4cb437c6
SHA1

1017381b4a12a9ab8cec495efb4e7d2fa7d68d91
SHA256

5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493
SHA512

5dd34a8b1de9fa1a1afd5d5f7463ac9aa012c4cae1c84948ec6bc8741ccdc983dcacda93251a4dbe5d68696e63596db51e279854c7fed1f9e8dff983252f460d
SSDEEP

24576:62eSa+JBtCN0U3qnacP1yprZDIPQc+yoV6lae95l5cIC0sqGSOtYz:D5U3qn0He95JrOtYz

Score

10^/10

ffdroider defense_evasion discovery spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4616	5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493.exe
Token: SeManageVolumePrivilege	4616	5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493.exe
Token: SeManageVolumePrivilege	4616	5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493.exe

C:\Users\Admin\AppData\Local\Temp\5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493.exe
"C:\Users\Admin\AppData\Local\Temp\5bde617d801c1b61acd96dcb09b30093d5137506ec2ee672bf5034c3c5a8f493.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4616

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
54354d2c125b0f261480401022a5242c

SHA1
e93d47bd8f24c25655a5403de4caf3b79ef82e19

SHA256
b6aab3abbf5fdff45986aea40836d1dd40fab2de6bc04190b588a34be5f6a3ff

SHA512
ef8d5471347a38a916c3ad99456096f929212763eb02b911e60620d72d15c182556efd5515283feaba6195ca16575a180d27539aea6b85cf79013465b09cbfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
568a7dab76d5eaeb6599989dd701893e

SHA1
c9940ac451d1ebf54ed987c467bbf7b26a43cc89

SHA256
8c409b50fbd50600a157b48b1976d4ab0bd2904497add7a30d0191df6cb7be64

SHA512
e6ef9537ff1eac6cd208fb67e42e1847c29c47a4d6c5ec08807be59924ed9fc1bfd9a856d22e92419e08f0ae04d3d9c618bbce12b79f39bbfe077d593ef607c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6623fb855f61360c1d88557b9d3b2ce3

SHA1
1b6db6fab8f0694db304996411e02122f455db2b

SHA256
8fda479346ec0729402b7d5a02f9823b5c91f07bb24a25830f4bb81c31e2e98a

SHA512
865f5971b908791332ab7d1dcd0742afff0641365fa0cf3c2e89cf2ef7c3f53981f74a5997d5751fd3e000e8ea918af1ad9fc8a5b337fc188cc40904e205e798

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
826e536d8b20a1256236d34c4596fe56

SHA1
f2a6fe283a46e11aaa865916555abeabb93ba6cc

SHA256
b9263127cca740a129584057118d38f0ea68e3b758a013fa59e4fc9ab6fcc34d

SHA512
31c577e741bfb4fe7cc34f6a79b459b39c5773e5dadb2ffa62ebb29e7f7cef2f038124619bedba3f5c672c27083b6f38615d10d5df35821c2e00a2b5698e86cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fa92a86a5ea658ed4662b13b6c6a1ffa

SHA1
32ae6a1e3b6464b0a6d2896f7f7a9d306b967793

SHA256
c7ce4a88342c770e6c150ba137782ded2466eae3482fe8177dcd4a0f10b5502c

SHA512
695c55e929f88b622708f404e0e95691da022e2b08ab065ddf261cc1322516b026af4531ef6e5f5fdb5ec41f9b55522ba2c556946386261f024d0b38f4936913

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4d28bb1a00865561c71d7ee515f491c3

SHA1
98335cf3085fd44d198dfe9d59c03f18d85ff0ca

SHA256
62261f306c751456ea49173f12465613ddf6f043ae7dceb08cb391a25d6d05ca

SHA512
12dbcc6acdc581382934a47cee15ab855a78ae0b1113f870502b91b02081c3b493f7be09abf6c97be909cca2f61608d94579693cb5a9cb16aaa5812180018e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b83910bcac74269b1446317a6914f838

SHA1
86e46c802ee7d148a1bcd5d2790f663fddd7227d

SHA256
a48de58d0ef28c995c03fcd9c67156b038ce4058dc689dc38ccc477d41befc18

SHA512
0f9cb4d827aa8e184b95db21c30d4cb0a261c96febf40bb9f7510d5b09720582fe7bf53ba1a71780adc6ac291923a931e7e6ccee3fdcbfcd41c56c1f3d5bb092

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
51e4096ae3dfbab288c0f65dab08dd12

SHA1
7da8ba7416dd2cfc144b813d9ea68e97ba63c96d

SHA256
98b04ae34d07056448a6aea3b4a57d46e442b72e85b02c7b7e45e1a96907b2ea

SHA512
accc5318c62936b2b1b60289321dd207380afb238658ae67503d07fae9532582a42e6920038d562f3babfc13422bf78ab26350e8456d272496c099c15b604b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e22bd013fd9b490defa77f8f08e87cdb

SHA1
9b77ee4026b2e6a317a643c1339f7ec52dad7a9e

SHA256
aec640db57a028766d15f3f700cd505c4c9dddebbb78b69a192db17751ab0451

SHA512
cee6fecf1016501c8e9b60fe66410d1085814d1883ced2dd35cfc83858bf9726396bc8f055d4d0c5b0f4f8bd2f69e5ad6bb2583d98bab418bba119b52a355323

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c3bb86ffaf75f7a11532be1bffe86e20

SHA1
6eb1891ef5bbf903a8531cc43732c1035eb113e4

SHA256
5af50f495a698286845e585d07a5eb77818915fc919507f9187954581564f490

SHA512
07ced55689c15c4daa9e538650a286691322ca1eae216b211aaeb8dfe6a5f6cb010b982f9c07bdc06c80ae7263d4ca430151bf3e4c0f78fefe053990c7c9665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
afc7d63be3d6e542cf4b1a79acb8e2e4

SHA1
b7883c8d4da354ff3653e74e169e557116704b8a

SHA256
344d1a9eb697c3118843126e5f1bade9581d82db9186f53ae10b9171517b77cc

SHA512
6edab1b96e03c8bae34e8a41e8511de3cd536b8ca0c5778d11f0f4abb5ba29256c79525785b1f23c2cfb3ec702c3b20ae6a611c5e5a02a65e36fcf0246c04826

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
aff0d522f60be8258de5e5e22bc63616

SHA1
50ba9ef0e025df2a8c408c031fa618dced40c0c9

SHA256
13de15eb9e90df82b90b35284b76f1a2bb8c9a26fb394cd2b230a423ab04b150

SHA512
d996868caf1af61fcb0a7df3fc04eb791786a11cf63145a619cb2c375cd231ec686efa251a3e511aac9f2a0db2c3c0014512c08c4fd0c0641faf98ac2619e99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6a738380c6fcdfc61982824f54a345a1

SHA1
42efe618b4e010e70c388f063b8c239c6ddadf67

SHA256
169d801dbc93a03e7f65f3ea27ceaf63f97eb53a5da778f849b591a685fe5f16

SHA512
703e1b817c4c3f617240de2e06eef57a3b7baecd33629c1ef5cf6772d56c5d5cd42995f48e696efc955bdb0c438772bfc1cee0c41e1c6e08b8d9f5f5b8d6d6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
46f26a5d37e1a0a53901e1bf703397df

SHA1
a94d225a74560eed92b0b1a062a4967f4246161d

SHA256
4c21ce5278c2f224e0d94877287b25d280dedc5810dd07db4c8d7f2aa47c818a

SHA512
7a510939d0e1f6945676552d408a599094b3e2cf8516b169112548da961540010aebbd81054f1d288b0665448aa2e60050624d949774c7bc25dc15f449e0eeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fff7faf534b62111382821fe748a5a64

SHA1
bc20d953118e6414ff4fd0526e3faca574ab15db

SHA256
e5798156ba826e5536918f9b98a495ecec7a488c534ac333cfe2f74e4b7395d0

SHA512
446462fa958dd3dd3f3c33849914f897b1ecdc87e90161a0651a7a01db0cdd85f087ae196472e3d347d06786f25f195d3dc8190a1eddfe6fec4b6f1cc09df541

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4929cd821448d06ac39a0a884fff00f5

SHA1
421be29a12d7e66eb2892e9b581c39d93d20d670

SHA256
fef4b5601866daab4904481d47f3b6438a73746db0860a281b067845a3ab7ffc

SHA512
7be63184baa8c0cfb3511b087c1407b69a608e950ab3c5737917477ca1e4f6a50d3ff45ad0c7140ebcb2a5249be4551ad69324030501ac2a537706e45d96ef9a

Download Submit
memory/4616-112-0x00000000040B0000-0x00000000040B8000-memory.dmp

Filesize
32KB

Download
memory/4616-141-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4616-63-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/4616-48-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/4616-71-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/4616-73-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/4616-40-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/4616-27-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/4616-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4616-113-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4616-121-0x0000000004170000-0x0000000004178000-memory.dmp

Filesize
32KB

Download
memory/4616-124-0x0000000004180000-0x0000000004188000-memory.dmp

Filesize
32KB

Download
memory/4616-125-0x0000000004300000-0x0000000004308000-memory.dmp

Filesize
32KB

Download
memory/4616-126-0x00000000043A0000-0x00000000043A8000-memory.dmp

Filesize
32KB

Download
memory/4616-127-0x00000000043B0000-0x00000000043B8000-memory.dmp

Filesize
32KB

Download
memory/4616-128-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/4616-26-0x00000000047E0000-0x00000000047E8000-memory.dmp

Filesize
32KB

Download
memory/4616-50-0x0000000004770000-0x0000000004778000-memory.dmp

Filesize
32KB

Download
memory/4616-25-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/4616-149-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/4616-151-0x0000000004340000-0x0000000004348000-memory.dmp

Filesize
32KB

Download
memory/4616-24-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/4616-164-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/4616-23-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/4616-172-0x0000000004340000-0x0000000004348000-memory.dmp

Filesize
32KB

Download
memory/4616-174-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/4616-20-0x0000000004290000-0x0000000004298000-memory.dmp

Filesize
32KB

Download
memory/4616-18-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/4616-17-0x00000000041D0000-0x00000000041D8000-memory.dmp

Filesize
32KB

Download
memory/4616-10-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/4616-4-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/4616-2-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4616-300-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download