MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4c1df15712b32ba96bfd375ee306f67fa29751007774d06b08cd092e7feeb9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FFDroider


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4c1df15712b32ba96bfd375ee306f67fa29751007774d06b08cd092e7feeb9a
SHA3-384 hash: 93b1b87c0e249df67c2fc6cde316ef752484eb8a654e5f28405c7490c2ebda1861ff200cd6e7ddc6ad8571754cbe7559
SHA1 hash: ff4cbb0d01cade27d26a67f4cfe7c46a9e554b87
MD5 hash: 925bd0fe97f5dfd06ba90e824edcc312
humanhash: louisiana-happy-mississippi-black
File name:file
Download: download sample
Signature FFDroider
Create hunting rule
File size:1'905'664 bytes
First seen:2022-10-02 15:20:46 UTC
Last seen:2022-10-02 16:27:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 873d43715839668195ceddbe18a941f7 (1 x FFDroider)
ssdeep 24576:KvkGHxBMzQo3rsiKYO42mx/RHsG9/DKELiGNNx/D1aR3ugA+IChSAD/v1Xu6rnI4:KvlRGEohleo/RMUrBWwx/5U3uPKSqA
Threatray 18 similar samples on MalwareBazaar
TLSH T1C295012139EF685DF074F5BA4BEAC6BECA5DF9EAA0570E7F1095028B0B446507F42834
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 787c78fa87f7e6c4 (16 x Gh0stRAT, 11 x Pikabot, 9 x ManusCrypt)
Reporter andretavare5
Tags:exe FFDroider


Avatar
andretavare5
Sample downloaded from http://103.106.202.174:8888/down/UCUNO7W9hMYe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://103.106.202.174/seemorebty/il.php https://threatfox.abuse.ch/ioc/866114/

Intelligence

File Origin
# of uploads :
14
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315773/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
DNS request
Sending a custom TCP request
Creating a file in the system32 subdirectories
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e808eba2-e8be-4dc0-ae18-66a138d69d49
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1081948
Signature
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4c1df15712b32ba96bfd375ee306f67fa29751007774d06b08cd092e7feeb9a/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2022-10-02 15:21:18 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
27 of 40 (67.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uta56flrfmzlvfv72n264mdpm75cs5iqa53u2bvqrtijfz765ona._file
Verdict:
unknown
Similar samples:
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
FFDroider
312b8df4b550cd6e10545f37f76a00aa107fe7da27d4f54784c7a6be83833477
FFDroider
4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c
FFDroider
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
FFDroider
61c3287d0736d24d7e00a7050d6c248eeda41d38a985a449d255054b96a68753
FFDroider
72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a
FFDroider
8ab95f9e0939440cdf4b85fcb1e5c950d3dc1ec99181633ae0953d1095e9dc2c
FFDroider
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
FFDroider
dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287
FFDroider
+ 8 additional samples on MalwareBazaar
Result
Malware family:
ffdroider
Create hunting rule
Score:
  10/10
Tags:
family:ffdroider aspackv2 evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/221002-srbhsacce2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
FFDroider
FFDroider payload
Malware Config
C2 Extraction:
http://103.106.202.174
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/68101a6e-4574-4def-ba0e-66cb82b02659
Unpacked files
SH256 hash:
1c54e6feebbf63d8b0baa806e0032ddbaf0c0ccf5d68a4f1680c73a042ba1afe
MD5 hash:
c9e1f0a949c6c2fd10a6c3cb1888375c
SHA1 hash:
9417a10a96a512fa4907878719e0a8f9a4a58921
Detections:
win_ffdroider_w0
Create hunting rule
Link:
https://www.unpac.me/results/8d0d4de6-4ba9-477a-9dfb-e4fe59efced8/
SH256 hash:
a4c1df15712b32ba96bfd375ee306f67fa29751007774d06b08cd092e7feeb9a
MD5 hash:
925bd0fe97f5dfd06ba90e824edcc312
SHA1 hash:
ff4cbb0d01cade27d26a67f4cfe7c46a9e554b87
Link:
https://www.unpac.me/results/8d0d4de6-4ba9-477a-9dfb-e4fe59efced8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/a4c1df15712b32ba96bfd375ee306f67fa29751007774d06b08cd092e7feeb9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:win_ffdroider_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects FFDroider

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2344954/
Cape
Cape
https://www.capesandbox.com/analysis/315773/

Comments