MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42c3da89a0fe1ffb934b035c421fbf621cb2f6eea481485469bf3c711f878bef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FFDroider


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42c3da89a0fe1ffb934b035c421fbf621cb2f6eea481485469bf3c711f878bef
SHA3-384 hash: fa3d081f4ebc5172259e054a0f38a822eca15c17539bff4a2bd7db57a7fb49852ba3d1e5f07cd14726cdee9aee1bfc3d
SHA1 hash: ade946ed933e02d1569d4694783ecf86fd427de7
MD5 hash: e0075451ca38929f3215fe53d14ea7ce
humanhash: item-april-mobile-island
File name:42C3DA89A0FE1FFB934B035C421FBF621CB2F6EEA4814.exe
Download: download sample
Signature FFDroider
Create hunting rule
File size:9'604'878 bytes
First seen:2023-04-02 04:25:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 196608:JeXSnFrBnEboyukjwioL1ArXXk8Y/3OXEPPtvew651nHdEht6a6vkIzQUwGT:8inDnooyDkGXXkTBew651n9EhAajIJT
Threatray 8 similar samples on MalwareBazaar
TLSH T16FA633A2F9D105B1E86229712978BF24E9BFF0201B340B8F57585F1E2D74A84F736762
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8e6eae6a292c2ee (1 x FFDroider)
Reporter abuse_ch
Tags:exe FFDroider


Avatar
abuse_ch
FFDroider C2:
http://md.tthbnmy.com/seemorebty/il.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
42C3DA89A0FE1FFB934B035C421FBF621CB2F6EEA4814.exe
Verdict:
Malicious activity
Analysis date:
2023-04-02 04:27:30 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/fd123b08-c6fc-4f5a-95bd-8cc416671b34

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/379288/
Detection(s):
Win.Dropper.Pswtool-9857488-0
Create hunting rule

Win.Packed.Jaik-9862233-0
Create hunting rule

Win.Trojan.Jaik-9869659-0
Create hunting rule

Win.Trojan.Jaik-9873403-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.44081008.21193.10752.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Searching for the browser window
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76067/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet exploit greyware mikatz mimikatz overlay packed setupapi.dll shdocvw.dll shell32.dll socelars zpevdo
Link:
https://www.filescan.io/uploads/642903dc667ab8a2f1a46189/reports/e377edc6-e62f-454c-afaa-d2e0e3a73acc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/42c3da89a0fe1ffb934b035c421fbf621cb2f6eea481485469bf3c711f878bef
Result
Verdict:
MALICIOUS
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e635440b-4e84-4646-bb49-c365fe72177c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1206491
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 839407 Sample: 42C3DA89A0FE1FFB934B035C421... Startdate: 02/04/2023 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 10 other signatures 2->67 9 42C3DA89A0FE1FFB934B035C421FBF621CB2F6EEA4814.exe 10 2->9         started        process3 file4 33 C:\Users\user\AppData\Local\Temp\...behaviorgraphame.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\...behaviorgraphame Files.exe, PE32 9->35 dropped 12 Game.exe 19 9->12         started        process5 file6 37 C:\Users\user\AppData\Local\...\setup.upx.exe, PE32 12->37 dropped 39 C:\Users\user\AppData\Local\Temp\...\pub4.exe, PE32 12->39 dropped 41 C:\Users\user\AppData\...\md11_note123.exe, PE32 12->41 dropped 43 7 other malicious files 12->43 dropped 75 Multi AV Scanner detection for dropped file 12->75 77 Machine Learning detection for dropped file 12->77 16 md11_note123.exe 14 12->16         started        21 cmd.exe 13 12->21         started        signatures7 process8 dnsIp9 45 md.tthbnmy.com 54.65.172.3, 49795, 80 AMAZON-02US United States 16->45 47 star-mini.c10r.facebook.com 157.240.9.35, 443, 49796 FACEBOOKUS United States 16->47 49 www.facebook.com 16->49 31 C:\Users\user\AppData\Local\...\RICHED40.DLL,, PE32 16->31 dropped 69 Antivirus detection for dropped file 16->69 71 Multi AV Scanner detection for dropped file 16->71 73 Tries to harvest and steal browser information (history, passwords, etc) 16->73 23 chrome.exe 15 1 21->23         started        26 conhost.exe 21->26         started        file10 signatures11 process12 dnsIp13 51 192.168.2.1 unknown unknown 23->51 53 239.255.255.250 unknown Reserved 23->53 28 chrome.exe 23->28         started        process14 dnsIp15 55 counter.yadro.ru 88.212.202.52, 443, 49702, 49705 UNITEDNETRU Russian Federation 28->55 57 iplogger.org 148.251.234.83, 443, 49696, 49703 HETZNER-ASDE Germany 28->57 59 6 other IPs or domains 28->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42c3da89a0fe1ffb934b035c421fbf621cb2f6eea481485469bf3c711f878bef/
Threat name:
Win32.Hacktool.Mikatz
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 23:59:00 UTC
File Type:
PE (Exe)
Extracted files:
277
AV detection:
32 of 37 (86.49%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilb5vcna7yp7xe2lanoeeh57miolf5xousauqvdjx46hch4hrpxq._file
Verdict:
malicious
Similar samples:
3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
FFDroider
3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092
FFDroider
4e951cc7ebedf796e72ec656959c2e4d543aac734e436f2ed6531e52d53a5d9b
FFDroider
62d0160c7b22e6474d9a7fc70c3f97c07997e11bc734f0698a285aece71957e0
FFDroider
6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
FFDroider
7a79f0c95e891b939e275fa19e641b676f2eb70471945fb3b15d6a649cafe071
FFDroider
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
FFDroider
a96e7065e6d2e724aa734cbdd99467f3c25f079da753c7681ee9d3c4bb6259f5
FFDroider
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/230402-e2h4qaga3y/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Blocklisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
CryptBot payload
Malware Config
C2 Extraction:
tuytee16.top
moriiikk08.top
Unpacked files
SH256 hash:
71e2ed8d7c9ddd31b022e244ba249f60dc37c113e573707200e7d0e7af688ca5
MD5 hash:
a7a1c529ebb44a1f49210ef7f2aeec3c
SHA1 hash:
fd80aef36d6364feb65efb2f10b00abb65d6692e
Detections:
win_ffdroider_w0
Create hunting rule
Link:
https://www.unpac.me/results/71a52d0f-04b4-4827-b13d-cbb5b6490568/
Parent samples :
4e951cc7ebedf796e72ec656959c2e4d543aac734e436f2ed6531e52d53a5d9b
42c3da89a0fe1ffb934b035c421fbf621cb2f6eea481485469bf3c711f878bef
SH256 hash:
8cbe878cc4e230d810a6e2d1bac35b42c4ec85a635a525357d31c6e931973cb0
MD5 hash:
75a119677c42217da9e5928179de7c79
SHA1 hash:
9b0070ff116556d9629940a3d5bc4d0357b917be
Link:
https://www.unpac.me/results/71a52d0f-04b4-4827-b13d-cbb5b6490568/
SH256 hash:
835cbebc1f4eea30efb590181b407021e25d0808425d417d638b4bb0d5659d82
MD5 hash:
0188e8f8a1bb10d4475fbcbad724a38d
SHA1 hash:
5804290bcf0576ea62bcf878609253859b684062
Link:
https://www.unpac.me/results/71a52d0f-04b4-4827-b13d-cbb5b6490568/
SH256 hash:
42c3da89a0fe1ffb934b035c421fbf621cb2f6eea481485469bf3c711f878bef
MD5 hash:
e0075451ca38929f3215fe53d14ea7ce
SHA1 hash:
ade946ed933e02d1569d4694783ecf86fd427de7
Link:
https://www.unpac.me/results/71a52d0f-04b4-4827-b13d-cbb5b6490568/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42c3da89a0fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42c3da89a0fe1ffb934b035c421fbf621cb2f6eea481485469bf3c711f878bef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/379288/

Comments