FidRW.exe is a multi-stage demonstration binary designed for security awareness and training. While it mimics real-world ransomware behavior by downloading additional stages, the final payload is ultimately benign.
Filename: FidRW.exe
MD5: 4ff4a8ac43c73b3829ec8452f7ef5ad7
Sample: Download via Malwr
Technical Analysis Walkthrough
Stage 1: FTP Command & Control
The infection begins with FidRW.exe establishing a connection to an external FTP server to retrieve secondary payloads.
Once authenticated, the dropper enumerates seven files on the server but retrieves only exfiltrator.pdf, a Windows executable masquerading under a PDF extension. The file is written to disk as notepadd.exe and launched.
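The extension-versus-content trick above is easy to catch statically: a PE file starts with a DOS header whose e_lfanew field points at the "PE\0\0" signature, and no real PDF looks like that. The following is an added example (not code from the original write-up or the sample) that inspects a file's bytes and flags a mismatch with its claimed extension. The byte strings below are constructed stand-ins, not the real exfiltrator.pdf.

```python
"""Flag files whose extension claims one format but whose bytes say another.

Added example, not part of the original analysis. The sample byte strings
are constructed stand-ins for what the dropper pulled over FTP.
"""
import struct

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def looks_like_pe(data: bytes) -> bool:
    """True if data carries a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    # e_lfanew is the little-endian DWORD at offset 0x3C of the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def looks_like_pdf(data: bytes) -> bool:
    """True if data starts with the PDF header."""
    return data.startswith(PDF_MAGIC)


def classify(data: bytes) -> str:
    """Coarse content type from magic bytes: 'pe', 'pdf' or 'unknown'."""
    if looks_like_pe(data):
        return "pe"
    if looks_like_pdf(data):
        return "pdf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the claimed extension and the actual content disagree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = classify(data)
    if actual == "pe":
        return ext not in {"exe", "dll", "sys", "scr"}
    if actual == "pdf":
        return ext != "pdf"
    return False


def make_fake_pe() -> bytes:
    """Smallest byte string that passes looks_like_pe(): a 0x40-byte DOS header
    with e_lfanew = 0x40 followed by the PE signature. Constructed, not a real binary."""
    header = bytearray(0x40)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE


# Constructed inputs named after the files described in the write-up.
SAMPLES = {
    "exfiltrator.pdf": make_fake_pe(),   # PE bytes behind a .pdf name
    "notepadd.exe": make_fake_pe(),      # same bytes, honest extension
    "persist.bat": b"@echo off\r\nrem placeholder\r\n",
    "manual.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}


def suspicious_files(samples: dict) -> list:
    """Names of files whose magic bytes contradict their extension, sorted."""
    return sorted(name for name, data in samples.items() if extension_mismatch(name, data))


if __name__ == "__main__":
    for name in suspicious_files(SAMPLES):
        print(f"{name}: content is {classify(SAMPLES[name])}, extension says otherwise")
```

Checking the e_lfanew pointer rather than just the "MZ" prefix avoids false positives on DOS-era stubs and text files that happen to start with those two letters; a full triage tool would go further and parse the optional header, but the signature check is enough to catch a renamed dropper.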
Stage 2: Payload Delivery & System Survey
The second stage (notepadd.exe) mirrors the first: it logs back into the same FTP server, this time retrieving persist.bat. Analysis of the batch file indicates it is meant to establish persistence, but it was still under development at the time of analysis.
The final stage, Demo_Ransomware.exe, performs a host survey, collecting system details and simulating their exfiltration to the C2 server.
The "Ransom" & Conclusion
To complete the simulation, the application drops a file named Ransom Note.txt to the Public User directory. The note informs the user that they have been "swindled" by a demonstration application.
Detection: Most modern AV products flag both the initial dropper and the secondary stages; the FTP-based staging and the executable hidden behind a PDF extension are the obvious indicators.
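Beyond signatures, the chain is also visible behaviourally: a process opens a control connection to tcp/21 and shortly afterwards spawns a child. The following is an added example (not from the original post) that correlates those two events over constructed, Sysmon-like records. The event field names and the assumed parent/child chain FidRW.exe -> notepadd.exe -> Demo_Ransomware.exe are my own assumptions for illustration; the write-up only states that FidRW.exe launches notepadd.exe.

```python
"""Correlate an outbound tcp/21 connection with a later child process from the same PID.

Added example, not part of the original analysis. EVENTS is a constructed,
Sysmon-like log; the field names and the full process chain are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Constructed events: two stages that fetch over FTP and then spawn a child,
# plus a legitimate FTP client and an unrelated process creation as noise.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "event": "network_connect", "pid": 4120,
     "image": "FidRW.exe", "dport": 21},
    {"ts": "2024-01-01T10:00:03", "event": "process_create", "pid": 4188,
     "parent_pid": 4120, "image": "notepadd.exe"},
    {"ts": "2024-01-01T10:00:05", "event": "network_connect", "pid": 4188,
     "image": "notepadd.exe", "dport": 21},
    {"ts": "2024-01-01T10:00:09", "event": "process_create", "pid": 4210,
     "parent_pid": 4188, "image": "Demo_Ransomware.exe"},
    {"ts": "2024-01-01T10:01:00", "event": "network_connect", "pid": 5000,
     "image": "filezilla.exe", "dport": 21},
    {"ts": "2024-01-01T10:02:00", "event": "process_create", "pid": 5100,
     "parent_pid": 3000, "image": "notepad.exe"},
    # A child spawned long after the FTP session should not correlate.
    {"ts": "2024-01-01T10:30:00", "event": "process_create", "pid": 5200,
     "parent_pid": 5000, "image": "cmd.exe"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def ftp_then_spawn(events: list, window: timedelta = WINDOW) -> list:
    """Return (parent_image, child_image) pairs where a process that connected to
    tcp/21 spawned a child within `window` of that connection, in time order."""
    ftp_connects = {}  # pid -> (connect time, image)
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        if ev["event"] == "network_connect" and ev.get("dport") == 21:
            ftp_connects[ev["pid"]] = (ts, ev["image"])
        elif ev["event"] == "process_create":
            parent = ftp_connects.get(ev["parent_pid"])
            if parent is not None and ts - parent[0] <= window:
                hits.append((parent[1], ev["image"]))
    return hits


if __name__ == "__main__":
    for parent, child in ftp_then_spawn(EVENTS):
        print(f"{parent} connected to tcp/21 then spawned {child}")
```

Keying the correlation on the PID of the connecting process (rather than on image names) is what makes the rule survive the rename to notepadd.exe; the time window keeps an ordinary FTP client that later happens to spawn something from firing the rule.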
Conclusion: Although benign, this sample gives a clear view of the multi-stage architecture used by modern malware. It is a good practice case for researchers who want to observe FTP-based staging, simulated exfiltration and process-chain behaviour in a safe environment.
Happy hunting.
