MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 415a2e20decbdd7c6d62a40ea658fa2532266333a810556ef11542a4259b11ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FFDroider


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 415a2e20decbdd7c6d62a40ea658fa2532266333a810556ef11542a4259b11ba
SHA3-384 hash: e5a865e6312e62dae3a5f50b1ae62baa5eb67d4c68871131e0e4c0c9a69a29e0bf91d48249a4bed171e8aae6d71174e2
SHA1 hash: d4745496580953ad7c6d0bac0596a03113ccd04e
MD5 hash: dea021b9ac2821a419ec789f1befea4c
humanhash: october-mars-sink-blossom
File name:dea021b9ac2821a419ec789f1befea4c.exe
Download: download sample
Signature FFDroider
Create hunting rule
File size:2'572'800 bytes
First seen:2022-03-18 08:23:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc0af54bfe5a6dbf622c36681683a00d (1 x FFDroider)
ssdeep 49152:zwHjGd1uj0NKO/jiMHePL7DomS8BJj4QTt5IeUTnm4LWcGdve9y4sZuSw6PSCBDa:xwINx/GUy3om5BJj4QTt5IeUTnmHcGdw
Threatray 3 similar samples on MalwareBazaar
TLSH T121C5F1D27E9D145CF88961738DF99D3D9E1BBCE87626252B205136BBF6337000E4A827
File icon (PE):PE icon
dhash icon 4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 4 x CoinMiner)
Reporter abuse_ch
Tags:exe FFDroider

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252328/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Malware.Passteal-9919428-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Delayed writing of the file
Reading critical registry keys
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/623441a9b94fb38cb4a129f2/reports/b5c7dc11-6ea9-4bd5-8456-09d04a0321dd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/645ab8c2-5b26-4b90-a252-891b0c429676
Result
Threat name:
Cookie Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/959309
Signature
Antivirus detection for URL or domain
Drops PE files to the document folder of the user
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/415a2e20decbdd7c6d62a40ea658fa2532266333a810556ef11542a4259b11ba/
Threat name:
Win32.Trojan.Variadic
Create hunting rule
Status:
Malicious
First seen:
2022-03-18 08:24:34 UTC
File Type:
PE (Exe)
Extracted files:
1567
AV detection:
19 of 42 (45.24%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
080e4f235b201b8ea6642f5f0d84b99ffc76be60fb6b96fc3d613eb45676349b
FFDroider
2cb277ec426e12c1b06cdd7b39d1d5a047db457590e5fdfcb7a99422572daec1
FFDroider
8b29e9ccade9fe2c7b10904abb38519cd22b896df00aa7e8798c32e2d37a2205
FFDroider
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion spyware stealer trojan upx
Link:
https://tria.ge/reports/220318-kar57shacl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks whether UAC is enabled
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
879ad3f6226119bc5be197ac03b14c62c87060ebfb9efea4c8571d15772ef705
MD5 hash:
ab851b943282d306d3202c5d9ca9f9ed
SHA1 hash:
8745a5885dcbbd07b910e4e1e31a1be156442e5a
Link:
https://www.unpac.me/results/d890204d-95f2-418d-ae4d-bcedffd31399/
SH256 hash:
415a2e20decbdd7c6d62a40ea658fa2532266333a810556ef11542a4259b11ba
MD5 hash:
dea021b9ac2821a419ec789f1befea4c
SHA1 hash:
d4745496580953ad7c6d0bac0596a03113ccd04e
Link:
https://www.unpac.me/results/d890204d-95f2-418d-ae4d-bcedffd31399/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/415a2e20decbdd7c6d62a40ea658fa2532266333a810556ef11542a4259b11ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FFDroider

Executable exe 415a2e20decbdd7c6d62a40ea658fa2532266333a810556ef11542a4259b11ba

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2086288/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/252328/

Comments