ardamax | aa4ceede8befb8dee83626234805595b81f582906f679724ec540cc51b0f8125 | Triage

Submit
Reports

Overview

overview

Static

static

8

aa4ceede8b...25.exe

windows7-x64

aa4ceede8b...25.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

aa4ceede8befb8dee83626234805595b81f582906f679724ec540cc51b0f8125
Size

602KB
Sample

221106-tjj1macfan
MD5

0e089d2651f67c2bc68323f244efaa10
SHA1

ba4ed19a8cbac62042c62c141cb95948558d4733
SHA256

aa4ceede8befb8dee83626234805595b81f582906f679724ec540cc51b0f8125
SHA512

91f68af7e86470190c5d757a1f7ff2a6325828a91d09eb2b356a622c41071911ee70bc7239a3a1fbdefafeab58bdde902c39cfdc7cdbbe3bfe4dab6134645df7
SSDEEP

12288:L3TdtLW5WIj1YSSdFxzBSXyMzBUWb9lx/9AgHLo8OW+rB0:LDsj1dEjBcJ9nPx/igrp+G

Score

10^/10

ardamax aspackv2 discovery evasion keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

aa4ceede8befb8dee83626234805595b81f582906f679724ec540cc51b0f8125.exe

Resource

win7-20220812-en

ardamax discovery evasion keylogger persistence stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

aa4ceede8befb8dee83626234805595b81f582906f679724ec540cc51b0f8125.exe

Resource

win10v2004-20220901-en

ardamax discovery evasion keylogger persistence stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  aa4ceede8befb8dee83626234805595b81f582906f679724ec540cc51b0f8125
- Size
  
  602KB
- MD5
  
  0e089d2651f67c2bc68323f244efaa10
- SHA1
  
  ba4ed19a8cbac62042c62c141cb95948558d4733
- SHA256
  
  aa4ceede8befb8dee83626234805595b81f582906f679724ec540cc51b0f8125
- SHA512
  
  91f68af7e86470190c5d757a1f7ff2a6325828a91d09eb2b356a622c41071911ee70bc7239a3a1fbdefafeab58bdde902c39cfdc7cdbbe3bfe4dab6134645df7
- SSDEEP
  
  12288:L3TdtLW5WIj1YSSdFxzBSXyMzBUWb9lx/9AgHLo8OW+rB0:LDsj1dEjBcJ9nPx/igrp+G
Score

10^/10

ardamax discovery evasion keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoveryevasionkeyloggerpersistencestealer

behavioral2

ardamaxdiscoveryevasionkeyloggerpersistencestealer

© 2018-2025

Terms | Privacy