MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b200a3dc7f79701d7b09d3c0fcd99d086f5009053cb86fe6e0232373747ca236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FFDroider

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	b200a3dc7f79701d7b09d3c0fcd99d086f5009053cb86fe6e0232373747ca236
SHA3-384 hash:	a3f41692c024763a499796cfe030b9d90e68a7ed49afd1371393f47162707726d531b3a872cc674f9badcb62e2da7cd6
SHA1 hash:	21d056b5618af26858c8d5a69ea09eb95de22f9c
MD5 hash:	e878e6121f88df7375c43775fa2bee97
humanhash:	oranges-speaker-emma-avocado
File name:	file
Download:	download sample
Signature	FFDroider Create hunting rule
File size:	3'012'096 bytes
First seen:	2022-10-01 14:48:22 UTC
Last seen:	2022-10-02 15:18:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	aac52d04412b870c29e83d3bb05cf64c (1 x FFDroider)
ssdeep	49152:pdD1LN0ogT5Kyp4IMknbRGvjfuqFzF+DCnpNuDehql1cKE40c1jy9H/8xBv+M7kg:v7ihJxbRGvKqZF1npNuqIcKEHQjy9H/l
TLSH	T1C7D5AF11F6809039E5B303B28E6E727CA578BA701735E1D763C82E2D2FA15D27E35663
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	99d1909cb8bd3b8b (1 x FFDroider)
Reporter	andretavare5
Tags:	exe FFDroider

andretavare5

Sample downloaded from http://103.106.202.174:8888/down/UCUNO7W9hMYe

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/315521/

Detection(s):

SecuriteInfo.com.Variant.Doina.1985.19833.1976.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Sending an HTTP GET request

DNS request

Sending a custom TCP request

Creating a file in the system32 subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/40455/overview

Behaviour

MalwareBazaar

CursorPosition

MeasuringTime

CheckScreenResolution

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware icedid keylogger rat shell32.dll

Link:

https://www.filescan.io/uploads/6338535edace43a378f3d4e5/reports/a1067b16-e672-4e2e-bfea-2fe5cf76462b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ea0a7bf6-c609-43c6-986f-10d3aff249a9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b200a3dc7f79701d7b09d3c0fcd99d086f5009053cb86fe6e0232373747ca236/

Threat name:

Win32.Infostealer.Passteal

Status:

Malicious

First seen:

2022-10-01 14:49:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wiakhxd7pfyb26yj2papzwm5bbxvacifhs4g7zxaemrxg5d4ui3a._file

Verdict:

malicious

Result

Malware family:

ffdroider

Score:

10/10

Tags:

family:ffdroider evasion persistence spyware stealer trojan

Link:

https://tria.ge/reports/221001-r6z91shbep/

Behaviour

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Checks whether UAC is enabled

Reads user/profile data of web browsers

FFDroider

Malware Config

C2 Extraction:

http://103.106.202.174

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/149bbe7f-2e04-4de3-9cc1-2f0fe7587834

Unpacked files

SH256 hash:

b200a3dc7f79701d7b09d3c0fcd99d086f5009053cb86fe6e0232373747ca236

MD5 hash:

e878e6121f88df7375c43775fa2bee97

SHA1 hash:

21d056b5618af26858c8d5a69ea09eb95de22f9c

Detections:

win_ffdroider_w0

Link:

https://www.unpac.me/results/ee8e4caa-eee7-45ec-8026-e07f05ec685b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b200a3dc7f79701d7b09d3c0fcd99d086f5009053cb86fe6e0232373747ca236

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RansomwareTest8 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	win_ffdroider_w0 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects FFDroider

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/315521/

URLhaus

https://urlhaus.abuse.ch/url/2344954/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample