Overview

overview

10

Static

static

PT2.exe

windows7-x64

10

PT2.exe

windows10-2004-x64

10

ho tro.exe

windows7-x64

1

ho tro.exe

windows10-2004-x64

1

hotro.dll

windows7-x64

1

hotro.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a24f2481ff62eeb9226fef4ea4178e891ba7044805e01fa539edf31dc0616c73

  • Size

    1.9MB

  • Sample

    221124-n9g13afe9w

  • MD5

    0a2bfb65a98d2da1dbdcb4c7f89bfef2

  • SHA1

    395f0e6f36c385f6629a15b767eabdbc8de4c36c

  • SHA256

    a24f2481ff62eeb9226fef4ea4178e891ba7044805e01fa539edf31dc0616c73

  • SHA512

    130c0364c00de3147bd1ef5ffa38fcd315c5168256dabca4a2eafd91e50aa2c1b1f45589b3a55e81a129ade68d33d2d60dbbf4cfa5dbe1120def82c00222f5a9

  • SSDEEP

    49152:zjeMB2LuUHDsc4EsX2G2S8Khaji4dY6h5gdl/6p+S48ZW6:zjeM0LXHDl4Esb2Etz6gdcoSW6

Score
10/10
ardamaxkeyloggerpersistencestealer

Malware Config

Targets

    • Target

      PT2.exe

    • Size

      2.0MB

    • MD5

      3b5d02a465997d981ea5c9684cda7def

    • SHA1

      ef02b7170c64531618291491109d838762455625

    • SHA256

      99b771a89d4b9c820ce279e2a56ce9572848a42dd3076e66e1cc2494531688a5

    • SHA512

      5c6ee43049034101c6d6fe3ff9f21b5a54bddc80fe100f4dea97d26b06ee4bbb0c0cce0fe104f9e1de3d0ceef36d21fe7f0c4436ee4996c00d4c78d4d75e72cc

    • SSDEEP

      49152:CoJ9Nyhdl0L7VKYvKpATtnweNjk+fJgHFJlIcqpd:gl27jvKpATtwe7Bsick

    Score
    10/10
    ardamaxkeyloggerpersistencestealer

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      ho tro.exe

    • Size

      404KB

    • MD5

      75dce15f75a89c9afc3d541ee4c8d5fa

    • SHA1

      1804f8edc4faaa582a7bc61eb566a0f100820ec6

    • SHA256

      d251866b786cb2784a66a8c22df6af32bf278484fc96b7bcfd46c31aa2249f54

    • SHA512

      6ed2796e65a6fb953e648ac1ba7ed1b1ea605194978363c1fcc407952d8fc32058f9c72e8f69d5284b581281ea44776954ee4e7d5b1fd416cb70cf354d1ae541

    • SSDEEP

      12288:4HLAHmzWNoHnp5z33/abda3WTOYjAV5LhG:gLEKnpl3vEdaW6YjAV5LE

    Score
    1/10
    behavioral3behavioral4

    • Target

      hotro.dll

    • Size

      40KB

    • MD5

      b7325a3e4fda321b7201f4639626aa16

    • SHA1

      837e66ffc65dfbc6c09b7630a1df45c7e40fa121

    • SHA256

      723849489c9294855a0be5c309d1de8888803258adf5b5d3e46cab380eb5c219

    • SHA512

      ce97e2355982dd48efd71dc64c28a9354403d1d2763341c3d5c9ec41bbe5823285a4c0e2bce285d44f204df430d9b964d981fe111fb8d76b6d067f9f2d81e7f8

    • SSDEEP

      768:Vqgq4wKh8ERKTYbbX7yX9FScCjCB4ZT8oUb:XDkTUbX7iHSchdoI

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks