MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e138b146881c3fced251a3508f5db1155dd576cde014d88819b2d682a8174b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FFDroider


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e138b146881c3fced251a3508f5db1155dd576cde014d88819b2d682a8174b9
SHA3-384 hash: 534c6855e0e9cd556fad72b10e36fea6f739cb7e0bc25be8643e2e74be5eb9180e0c213840c634f5d866a6dfba6389c7
SHA1 hash: 5b47a3fc77881d4079b29ea838dcc0ef64a50c7f
MD5 hash: 85e8199020aad414907657674a493ddb
humanhash: don-spaghetti-oven-echo
File name:85e8199020aad414907657674a493ddb.exe
Download: download sample
Signature FFDroider
Create hunting rule
File size:2'693'120 bytes
First seen:2022-03-18 11:43:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f76dad4ffdd62822640c834a696a30a2 (1 x FFDroider)
ssdeep 49152:9l4Hg5fo706cqRLF1gLMXG/xmW2OMu1I5Ho2jReJ76KNqvehZ4IDuSwUPSCwDS+c:+g5A7uqRLFVuNMu1I5Ho2jReMKNqvehX
Threatray 42 similar samples on MalwareBazaar
TLSH T144C501E27E9D045CF8C861738EF69D399A17BCDC7626162B20557ABBF6337000D4A827
File icon (PE):PE icon
dhash icon 4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 4 x CoinMiner)
Reporter abuse_ch
Tags:exe FFDroider

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252561/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Passteal-9919428-0
Create hunting rule

SecuriteInfo.com.Dropper.Agent.AVHF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Delayed writing of the file
Reading critical registry keys
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/623470a50cd58dbd92b62bc8/reports/67f0937f-1193-4147-babc-103b9beffb18/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6d87e89f-c120-4548-a86e-8bbe6f81109a
Result
Threat name:
Cookie Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/959452
Signature
Antivirus detection for URL or domain
Drops PE files to the document folder of the user
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e138b146881c3fced251a3508f5db1155dd576cde014d88819b2d682a8174b9/
Threat name:
Win32.Trojan.SpyAgent
Create hunting rule
Status:
Malicious
First seen:
2022-03-18 12:21:56 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03e11ce0887aaabf456f42385c0b85c9099457393137df7bf2b97ec1dae28c47
FFDroider
2c44f7515715ebafdc7bb8cf40adf36adce1e1bf7fd2555d56427a6d73a850d8
FFDroider
3596982adf10806e7128f8f64621ec7546f4c56e445010523a1a5a584254f786
FFDroider
3b36f51b91f67c01015777197970e7ea37e291ff8b6401a853e9582b0a1d90cb
FFDroider
542bb14d2ceec30c45ece43b1d282076ed64872c06b86e7d9fc660b054812dfb
FFDroider
83b3a04479c4310f0ac695041b3c1d60c144be650d4b8838a395ca5a46e722e2
FFDroider
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
FFDroider
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
FFDroider
cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30
FFDroider
e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798
FFDroider
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion spyware stealer trojan upx
Link:
https://tria.ge/reports/220318-nv7yyahea6/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Checks whether UAC is enabled
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c7c3e7dacaff1a870ec38965ce609777cb5f3f72b58127c2f32595f2bc9f87b6
MD5 hash:
2697eb2a100d422ce12e552b29ec315b
SHA1 hash:
1cbf88be5a88d520ee033bf50708cbcde3356029
Link:
https://www.unpac.me/results/8c974a70-d11a-4918-abf8-f5de703c79c3/
SH256 hash:
6e138b146881c3fced251a3508f5db1155dd576cde014d88819b2d682a8174b9
MD5 hash:
85e8199020aad414907657674a493ddb
SHA1 hash:
5b47a3fc77881d4079b29ea838dcc0ef64a50c7f
Link:
https://www.unpac.me/results/8c974a70-d11a-4918-abf8-f5de703c79c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e138b146881c3fced251a3508f5db1155dd576cde014d88819b2d682a8174b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FFDroider

Executable exe 6e138b146881c3fced251a3508f5db1155dd576cde014d88819b2d682a8174b9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2086288/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/252561/

Comments