ardamax | 56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76 | Triage

Sharing

General

Target

56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76
Size

2.0MB
Sample

221123-vpnfnshf22
MD5

b87e56f89f90b540adbf18d77675e42f
SHA1

e51c15ec3841338438443008a249821dad396eaa
SHA256

56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76
SHA512

fdcaa4678388b00c77dd60b5b64915b29c4e8157a1b58265601f09b07963cc010c0a42d4133ad0a613475cea66acbaeaac752a75c5aa0e4cbb6e818477f2ad38
SSDEEP

49152:625CA3AuHmRtvqP+k7J3N+XgAHNV89ZlG/z:/5CA3A5vqP+k19+XTtClK

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Targets

- Target
  
  56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76
- Size
  
  2.0MB
- MD5
  
  b87e56f89f90b540adbf18d77675e42f
- SHA1
  
  e51c15ec3841338438443008a249821dad396eaa
- SHA256
  
  56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76
- SHA512
  
  fdcaa4678388b00c77dd60b5b64915b29c4e8157a1b58265601f09b07963cc010c0a42d4133ad0a613475cea66acbaeaac752a75c5aa0e4cbb6e818477f2ad38
- SSDEEP
  
  49152:625CA3AuHmRtvqP+k7J3N+XgAHNV89ZlG/z:/5CA3A5vqP+k19+XTtClK
Score

10^/10

ardamax keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxkeyloggerpersistencestealer

behavioral2

ardamaxkeyloggerpersistencestealer