ffdroider | 8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207

Analysis

max time kernel
104s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe
Size

1.2MB
MD5

2d751ef0dd4aeb0f1413738822697da7
SHA1

45101cb9a786c59d94a87f27cec7d402d5854669
SHA256

8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207
SHA512

5eae75df6c7657f873202968164d51297f3318b1f0c1a505c1e7f49e961939ca8026056879911648af7c83f1a854042414b48d549337a348f084fcd96b7c50c8
SSDEEP

24576:H5xIlrhX1p0AmmfLlmTqhtMhzrZyWCFRahDOv6uNQXQHrZ:2p5RatpuaX2rZ

Score

10^/10

ffdroider defense_evasion discovery spyware stealer trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	6024	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe
Token: SeManageVolumePrivilege	6024	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe
Token: SeManageVolumePrivilege	6024	8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe

C:\Users\Admin\AppData\Local\Temp\8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe
"C:\Users\Admin\AppData\Local\Temp\8e5d1bf413e250f4e2964e715ab71277eb68baff8a9895fc28611f859f039207.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6024

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
ec73e5ead2ad926637234d9c88cc95a3

SHA1
a03a74a4022007893899e0e2c7a27853f6608348

SHA256
761af5e54169029e894ab05474bdb1c6bb15014255e05ed7a5b3a2517da4eb61

SHA512
feaa3e476157e456851d8270a1718a91d29fb33cf770ff457406058c034f552d5ca0b27e95fb037df87210e016de2446bfcec5edb3f7642cd5237c316e186c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
195c0263cf0cb2d561659702f3027c13

SHA1
c604a41230685b587baa8c403e6a88f56cf386c8

SHA256
2ab7b02253d89a6de12123d20a9167c2098ee8e7a482ba694881baf97101b550

SHA512
49240d316d4416c397ce9551d586c9e2aec4240f9456df6cea68f0853ed9585c6a355a6e4359a0feb9799a1492583c8a555ee53e44fefc280b3662dbbb78b2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bfa88be13a707486e28b5337a3eb9136

SHA1
6f4baf02ce0b898feef2e8c4830c22534c437678

SHA256
bf2940e2a6601904cd09193482fac355863c19d2a18ef2782713cab08a9c70b8

SHA512
cfb66f1911b3c5d4d841d01e74ce4c5931cefe6343d69964043a55cafafaf12c3a93a249ba4dae6891f31810c856332a28a39f01937635ebee88460a04e99ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e05b24b0ae88d5c0ccf13fed4d392594

SHA1
866779f8f2dc8530bfcb8f1425acab23073c5ab4

SHA256
d0ea1cbc4601fb0b6f5ae40f68e1b04ed570e0d705992baeed541e35c70a65af

SHA512
55a39320e4bcedba7d522bc976bc6797da0d81083b96306c7e154265762e8617ea7e96b5d6f33856d1fb46b3fbd3369d46804dfd0132f91bc9265ceac575816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d88f7e8b8191c973be531c20ccf8da27

SHA1
69d3074c19be28bad71b074f7ef507d664758821

SHA256
722bc68c77d271d72a1f8e280b45dd087c8ee335681bac941cda92d0ba8a73a5

SHA512
729870a8668c726f898d7c749b98ab6ba77dd39f6a16f6385397d9d7a9b1bc7c5bd0b1404cc5c4a2f2bc4a8c70b8f013bd928f5541ec0608d6eb74cac8303b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
eebb632e8da119ea6c4361b07529ee02

SHA1
a32175ad0ca764b87004d6af7e60a6139396573c

SHA256
117e01d1f3a08faf7e9eaa46fdecdf17320e86e3ddfb5b92a5c2fc3cf0dc845f

SHA512
397a7f92a68b8a095f33e692308ebe058de83c7a44d252e4147029e0f4a9e6831bc3a0bc9577ff50c3c5fb5dabac0131cee9a7beaaf1fb4a7d9db4e503877dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8a6e1bb6321d0b6bdba9110dfd08fe11

SHA1
fa660d243f0a07fad2c67cb831ca6fd4265df4ca

SHA256
9be1f3d5b739a232cbe0f899376870b7c186d7656fe863bdd9e807ad798c9b07

SHA512
71c318ea35358bbf3320e3162dae0c8ade1967d8a9eb40fad34aec26a9853387c6492ddc74bff8200e7e35b74d508e21ee39d1d3cfe9090ef0034e63a44d69c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
81cd9b9de12a4a8d92423f2f130adaed

SHA1
a32eefe97681af9d2ae53a3d096f0a3f820004e0

SHA256
83300e48c2fccd8fec8f8a6bb8be4a78dff0fcd0acae6f208859147e209ac183

SHA512
c503c71dd999819bcd3f34daa5d334bb58ae8b6b2eb25caf20be977ee1fd0461405295983bb01b3f2579dc19f38a1c3a7a1e2453a8f84c3d990f19b85f4e0698

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fcdd2622c67d758fd50d2083d604184f

SHA1
2f400c68c3f2f93f00f52b132405aaa3bde171ef

SHA256
1581b59bbe48b6ab487c3ab1ac71e4b3eeb261b4bff519e2e6207e16c346bcd0

SHA512
a9fec0e7ef7a50f7d08d0865de86854812c583a48f608cf52f011bf4cb32eee23661481f64123dc214620a89240228cd08c91016599b6b209b3e4551b2a55235

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7b99d2a36828b6430bcf2107a5b9f4e7

SHA1
8939af85093144ef89e9552fdc6833c59b87dec6

SHA256
5f462d56365e60840e22d55854fef559b5002beb572e471c7acca1f3e73214ea

SHA512
d5c5b0518fd863319ec7aa4cc689f0a4e210418b0ae9b00d66581d51ef633bcd20638403a7b31f92096422c8c849320b0ff9ebdac20ae6ad008c32c63e463310

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
7581ba99f6024684e16512fa7a032026

SHA1
99c66327a054ef6c073e54584a778403e3fe9ead

SHA256
c3ff6e2260c17c51fd4cf401fc86fbdf483a4122ed30f7d4a030007aa7975821

SHA512
b6aba1eb775e785b8016cdacf14bc0073b56ce65d42e9e1cb41020d07aeb247da183062c7a2df4eb5f2ae734acba16d3329c7dfc38967ba3d3a34df9493c3095

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5ecd859e1d6d38d2b8bd31b4b4736e63

SHA1
1e2f1e930ab82114d5df442606a32cddfbe2a561

SHA256
bb439f110f699054463a5ad835e505f8f78e920c9a5089e94ff2cd2bf8b4d329

SHA512
648a462b70ed8ce934e80b25b3079e1c1348b432ab1ba77cab14ece63b76ea5918be014180bddf18f6638c999689169410fbd4373c8a6224e4ec1af7c41550a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
71e5fa842146c1a5c9e9b91edfe28763

SHA1
1f0bf765dfca947f4d1507b7c45b4923ea06a4d0

SHA256
dcdbacbd329aec0825b42125ee8dda94579bafceb6bac7628932e57f6a9576ba

SHA512
a347aa87efecd0d9a3d00a62771f5ed7648d0f1faa40e6bc76feb768546c710bacff143a39d15d0919d206020d69e59f0cc9a153a37faf3281853f825910e57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c4822e9336824cd17bf8a1d7cf1d8e5c

SHA1
0c645c8530a1af773df0ee2aa7a82a05731c40d0

SHA256
a5fd052be81b9eba34a3a79b39e6bbadd5fdbc7ac540d8c8f82e943cbe099443

SHA512
1276354753e1493a6ea3b1fd9cad477c60a7c6642a0060e2ca15978a586b15d3bd4f2f4b34db170591069a3afbebec31cadd3baeecb4bf92321cee9e65b81f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
be74fdb7c35001695b1285a31f494d4b

SHA1
befa765753d12a63bd2c72dd7a3f383f8ea8ec5b

SHA256
d67b9f1a0b92dfeb761d806e342fbf10c4c6d67b2945151f8b1f3f446209216f

SHA512
fd76522ce3625d26c2cfbd243dcb5673e372c14c4b91b88d60a9c28b75be9d9fadd96bebe2292f7ef3b3f354b3c0550cc63e3ed190c9c2adfb5faa8f1462663b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3d3e88efc67f8fdaaa0c808c54738729

SHA1
d611e2838c97c14b6c1c0379bf1fc041fa741a09

SHA256
901d6a1ed957be2a47d6e30b047078086d90621eddc645d12c9393b46b0bd8cf

SHA512
9fe3f1edc7ca94e50ae2a786fbf259d062e1220f2851bab98138c856745ce0c01e53553c54c75cd8440356c6786bab1d6059f6a60ef42d5b935e7f2bc64335c5

Download Submit
memory/6024-112-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/6024-26-0x00000000047F0000-0x00000000047F8000-memory.dmp

Filesize
32KB

Download
memory/6024-50-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/6024-48-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/6024-71-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/6024-73-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/6024-40-0x0000000004210000-0x0000000004218000-memory.dmp

Filesize
32KB

Download
memory/6024-27-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/6024-0-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/6024-113-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/6024-121-0x0000000004190000-0x0000000004198000-memory.dmp

Filesize
32KB

Download
memory/6024-124-0x0000000004190000-0x0000000004198000-memory.dmp

Filesize
32KB

Download
memory/6024-125-0x0000000004310000-0x0000000004318000-memory.dmp

Filesize
32KB

Download
memory/6024-126-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/6024-127-0x00000000043D0000-0x00000000043D8000-memory.dmp

Filesize
32KB

Download
memory/6024-128-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/6024-141-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/6024-63-0x0000000004210000-0x0000000004218000-memory.dmp

Filesize
32KB

Download
memory/6024-25-0x00000000048F0000-0x00000000048F8000-memory.dmp

Filesize
32KB

Download
memory/6024-149-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/6024-151-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/6024-24-0x0000000004410000-0x0000000004418000-memory.dmp

Filesize
32KB

Download
memory/6024-164-0x00000000040F0000-0x00000000040F8000-memory.dmp

Filesize
32KB

Download
memory/6024-23-0x0000000004290000-0x0000000004298000-memory.dmp

Filesize
32KB

Download
memory/6024-172-0x0000000004360000-0x0000000004368000-memory.dmp

Filesize
32KB

Download
memory/6024-174-0x0000000004330000-0x0000000004338000-memory.dmp

Filesize
32KB

Download
memory/6024-20-0x00000000042D0000-0x00000000042D8000-memory.dmp

Filesize
32KB

Download
memory/6024-18-0x0000000004210000-0x0000000004218000-memory.dmp

Filesize
32KB

Download
memory/6024-17-0x00000000041F0000-0x00000000041F8000-memory.dmp

Filesize
32KB

Download
memory/6024-10-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/6024-4-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/6024-2-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/6024-300-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download