ardamax | e2e45cb35a6a9aaa1c827fb3bfcc102650bf3fa8df381e5d52cb8cd908119d91

General

Target

Payment confirmation.exe
Size

4.0MB
MD5

89da7df2747d184978be6103c71f26ef
SHA1

27de1fddf5c9b9ace59c5a2791eaac3219fd0cc3
SHA256

e2e45cb35a6a9aaa1c827fb3bfcc102650bf3fa8df381e5d52cb8cd908119d91
SHA512

34240cd0ae2391c300e48db8d22b0416a3fd98f84f5e4e1707479877167b27134e9300f9fbaa267551cdb83fc7360cbdf9a5da731d7be06990fa579b637acb65

Score

10^/10

persistence keylogger stealer ardamax

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax Main Executable 2 IoCs

Processes:

resource	yara_rule
\ProgramData\LCRHSB\NGT.exe	family_ardamax
C:\ProgramData\LCRHSB\NGT.exe	family_ardamax

Executes dropped EXE 3 IoCs

Processes:

NGT.exe

pid process

892 NGT.exe
1336
1164
Loads dropped DLL 7 IoCs

Processes:

Payment confirmation.exeNGT.exe

pid process

1016 Payment confirmation.exe
892 NGT.exe
892 NGT.exe
1500
1500
1016 Payment confirmation.exe
1336

pid	process
892	NGT.exe
1336
1164

pid	process
1016	Payment confirmation.exe
892	NGT.exe
892	NGT.exe
1500
1500
1016	Payment confirmation.exe
1336

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NGT.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	NGT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NGT Start = "C:\\ProgramData\\LCRHSB\\NGT.exe"	NGT.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
\ProgramData\LCRHSB\NGT.exe	js
C:\ProgramData\LCRHSB\NGT.exe	js

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

NGT.exe

pid process

892 NGT.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NGT.exe

pid process

892 NGT.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

NGT.exe

pid process

892 NGT.exe
892 NGT.exe
892 NGT.exe
892 NGT.exe
892 NGT.exe

pid	process
892	NGT.exe

pid	process
892	NGT.exe

pid	process
892	NGT.exe
892	NGT.exe
892	NGT.exe
892	NGT.exe
892	NGT.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Payment confirmation.exe

description	pid	process	target process
PID 1016 wrote to memory of 892	1016	Payment confirmation.exe	NGT.exe
PID 1016 wrote to memory of 892	1016	Payment confirmation.exe	NGT.exe
PID 1016 wrote to memory of 892	1016	Payment confirmation.exe	NGT.exe

C:\Users\Admin\AppData\Local\Temp\Payment confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Payment confirmation.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016
- C:\ProgramData\LCRHSB\NGT.exe
  "C:\ProgramData\LCRHSB\NGT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LCRHSB\NGT.00

Download Submit
C:\ProgramData\LCRHSB\NGT.01

Download Submit
C:\ProgramData\LCRHSB\NGT.02

Download Submit
C:\ProgramData\LCRHSB\NGT.exe

Download Submit
\ProgramData\LCRHSB\NGT.01

Download Submit
\ProgramData\LCRHSB\NGT.01

Download Submit
\ProgramData\LCRHSB\NGT.01

Download Submit
\ProgramData\LCRHSB\NGT.01

Download Submit
\ProgramData\LCRHSB\NGT.01

Download Submit
\ProgramData\LCRHSB\NGT.02

Download Submit
\ProgramData\LCRHSB\NGT.02

Download Submit
\ProgramData\LCRHSB\NGT.02

Download Submit
\ProgramData\LCRHSB\NGT.exe

Download Submit
memory/892-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads