ardamax | a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325 | Triage

Submit
Reports

Overview

overview

Static

static

3

68288c29d8...32.exe

windows7-x64

68288c29d8...32.exe

windows10-2004-x64

Sharing

General

Target

68288c29d8546aadc301eda4436def32
Size

2.4MB
Sample

231226-mrgrxagcel
MD5

68288c29d8546aadc301eda4436def32
SHA1

b2f25aa72549ab250213e20850aa3e5beab1928f
SHA256

a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
SHA512

d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
SSDEEP

49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p

Score

10^/10

ardamax darkcomet discovery evasion keylogger persistence rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

68288c29d8546aadc301eda4436def32.exe

Resource

win7-20231215-en

darkcomet discovery evasion persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

68288c29d8546aadc301eda4436def32.exe

Resource

win10v2004-20231215-en

ardamax darkcomet discovery evasion keylogger persistence rat stealer trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Targets

- Target
  
  68288c29d8546aadc301eda4436def32
- Size
  
  2.4MB
- MD5
  
  68288c29d8546aadc301eda4436def32
- SHA1
  
  b2f25aa72549ab250213e20850aa3e5beab1928f
- SHA256
  
  a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
- SHA512
  
  d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
- SSDEEP
  
  49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p
Score

10^/10

darkcomet discovery evasion persistence rat trojan ardamax keylogger stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Drops file in Drivers directory
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2

ardamaxdarkcometdiscoveryevasionkeyloggerpersistenceratstealertrojan

© 2018-2025

Terms | Privacy