ardamax

Sharing

Copy URL

Twitter E-mail

General

Target

Account_Generators_PACK.rar
Size

143.9MB
Sample

240415-lpbx7sdf9x
MD5

983c588c86f23ac481c602e72d2796b9
SHA1

d53cba99bc9201672b5de292c59b25c4de3205d7
SHA256

6887a011a50a7d456068aecba506feb3db57be4710d190141a60afa00d5aa97a
SHA512

389951d6c3d3e5d8149502f31cdebcfccee47c07a803f7d4c69c9989738ab15b06dab0628b059b4f1c67c4058f755fb5ce155796e2ee3f9b27b1c7f4f359d16e
SSDEEP

3145728:ZV1Y1ZNWhzBwzWhzBwGiIt8a4KvqXRv8h4iLKRBdnFw77isUiWQL/vq:ZV1Qmh2qh2JAh42KRBoPWQ7vq

Score

10^/10

Malware Config

Targets

- Target
  
  Generators PACK/Generators PACK/Amazong GC Generator by Acquire/AGC by Acquire.exe
- Size
  
  196KB
- MD5
  
  49237f897197176f8ed16d1cf9a3fc4b
- SHA1
  
  670a098226870359616218aea0455299bf4302d8
- SHA256
  
  78785e18a8eac7a00a5458f63d397ab7739aa075bdbb4480f8e87987bde1ea53
- SHA512
  
  17e3436f812e82d3fee41df02c39250599f4c7fd87eb09a493f028367e0eb3e25cb1a6d89f589fe3dea3127828268ae0dd683b2f28e9d9672b4efe39262d4fdc
- SSDEEP
  
  1536:E4l/ePiz1tO6UWOD1ClIzuHqFOc350x+Z+:E4l/TMWOeIzuHdc356
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Generators PACK/Generators PACK/Amazong GC Generator by Acquire/WebDriver/Ionic.Zip.dll
- Size
  
  480KB
- MD5
  
  f6933bf7cee0fd6c80cdf207ff15a523
- SHA1
  
  039eeb1169e1defe387c7d4ca4021bce9d11786d
- SHA256
  
  17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
- SHA512
  
  88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
- SSDEEP
  
  6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score

1^/10
behavioral3 behavioral4
- Target
  
  Generators PACK/Generators PACK/Amazong GC Generator by Acquire/WebDriver/LICENCE.dat
- Size
  
  74KB
- MD5
  
  f7d55578b3709f1519805272e3e64c33
- SHA1
  
  5f1f8f05a629052ef5289c0f7e438625c559339d
- SHA256
  
  3147a9c9015f7e54c8acdb8d413da93ef3e4b04fb27ec578dcd188a70bb53301
- SHA512
  
  3a853dd66f731dc0c929b1f65f28a64a51e47c82058e05689e6ca0877d50bcd32503c734bf1e4f246f3cf341029496685cf4c741d0af54f0428f07ded24b65fd
- SSDEEP
  
  1536:e+tepwZ57dDgyzGa3RgTsQcnP7oF/si4JZbDDm4X16PZfisWNADQ0bVC86WGTmL:dzBxzV37TnsZs7UPliFR6gWGa
Score

1^/10
behavioral5 behavioral6
- Target
  
  Generators PACK/Generators PACK/Amazong GC Generator by Acquire/WebDriver/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  Generators PACK/Generators PACK/Amazong GC Generator by Acquire/WebDriver/user32.exe
- Size
  
  60.7MB
- MD5
  
  6a76b7fff35a2a53136891d8cd75276d
- SHA1
  
  46276f3a9cb1c27bbf60440fdc3347f4923f3b75
- SHA256
  
  01e01ecf5928a659dd34297a1cd1098606686da5465e9227b6eac79dfe2044ac
- SHA512
  
  eba41822ef3e2891b32d9fbbdb3e5f8c8b50ef29958d0c754d9a47c10949904e5abd63d92c0f5776b2a64d3375020ca105b1707298ba14bbe65a426e3b5d15b6
- SSDEEP
  
  393216:vu4EJVLu58+/UUqC6euQ96MjSluRizWs07ySsuB6xahl7YwbUfIW21nKNXCcZFU4:sHhC9MkW3xahl7PW21nQIbh+N5n
Score

1^/10
behavioral10 behavioral9
- Target
  
  Generators PACK/Generators PACK/Amazong GC Generator by Acquire/giftcards.txt
- Size
  
  180B
- MD5
  
  8e11cef7e606b4d0167470c40e1c5302
- SHA1
  
  2d63e812971b9a9d4ee4336362f9d6e57d09678c
- SHA256
  
  2abf12837ae0776e772ff65640baf61402af45781f85ad378f7aac5b65e5b90e
- SHA512
  
  35743c2eb4a442499a3e68654ecd6c446bb9b3fa50cd15b24f5295472cf7a663275da01ce2383bf5b53a86c526e42c2aabfc61184838de403862687a449f79d3
Score

1^/10
behavioral11 behavioral12
- Target
  
  Generators PACK/Generators PACK/Amazong GC Generator by Acquire/ieproxy.dll
- Size
  
  821KB
- MD5
  
  a52340ac4406a97da302cf07db678076
- SHA1
  
  5710c1e5bae5c8c88586568d5196b10960c96202
- SHA256
  
  0957751bce6e15e08f1b589ab9e6bc315388eac793ab10da9d304c3fe14924e4
- SHA512
  
  b6634b3e8c9c74172d6a39faff5efe79beeb2956e75a8437c2e5adb5778de0127b7cd17558313f15bef72c35487f9bc9855396ef6c17efd2a63ffbfad17c4437
- SSDEEP
  
  6144:QKwVZbJQYfYJJdsDQ4zJerJEINHyrojdEZp8yfzKSSduO2wBmhyFQGR6sFWmxbjH:lwVZbmYfYjdsDQ00JEINHyrojdEZO5h
Score

10^/10

ardamax evasion keylogger persistence stealer themida
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13
- Target
  
  Generators PACK/Generators PACK/Discord Account Generator v2/RDXService/LICENCE.dat
- Size
  
  74KB
- MD5
  
  f7d55578b3709f1519805272e3e64c33
- SHA1
  
  5f1f8f05a629052ef5289c0f7e438625c559339d
- SHA256
  
  3147a9c9015f7e54c8acdb8d413da93ef3e4b04fb27ec578dcd188a70bb53301
- SHA512
  
  3a853dd66f731dc0c929b1f65f28a64a51e47c82058e05689e6ca0877d50bcd32503c734bf1e4f246f3cf341029496685cf4c741d0af54f0428f07ded24b65fd
- SSDEEP
  
  1536:e+tepwZ57dDgyzGa3RgTsQcnP7oF/si4JZbDDm4X16PZfisWNADQ0bVC86WGTmL:dzBxzV37TnsZs7UPliFR6gWGa
Score

1^/10
behavioral14 behavioral15
- Target
  
  Generators PACK/Generators PACK/Discord Account Generator v2/RDXService/config/discord_usernames.txt
- Size
  
  1KB
- MD5
  
  402e7bafed2c4809b28ec8dd11034e7a
- SHA1
  
  c37a9a34b0a6d1e25fa82d83960a7a1adb5cbd32
- SHA256
  
  5845a840528fba158202aefa288fe9ca68d42cc5d7ef6bd4ef509a85bd65fc83
- SHA512
  
  ac68768391da6e6e4f60733f53651e20aded3be126590057f327279c2a881367aba877d9e9b8747ba74478c512101c31bccf68625dfa34359fef45e55916f751
Score

1^/10
behavioral16 behavioral17
- Target
  
  Generators PACK/Generators PACK/Proxy Generator 1.3.6 BETA/bin/LICENCE.dat
- Size
  
  74KB
- MD5
  
  f7d55578b3709f1519805272e3e64c33
- SHA1
  
  5f1f8f05a629052ef5289c0f7e438625c559339d
- SHA256
  
  3147a9c9015f7e54c8acdb8d413da93ef3e4b04fb27ec578dcd188a70bb53301
- SHA512
  
  3a853dd66f731dc0c929b1f65f28a64a51e47c82058e05689e6ca0877d50bcd32503c734bf1e4f246f3cf341029496685cf4c741d0af54f0428f07ded24b65fd
- SSDEEP
  
  1536:e+tepwZ57dDgyzGa3RgTsQcnP7oF/si4JZbDDm4X16PZfisWNADQ0bVC86WGTmL:dzBxzV37TnsZs7UPliFR6gWGa
Score

1^/10
behavioral18 behavioral19
- Target
  
  Generators PACK/Generators PACK/TSP Dork generator v8.0/Data/TSP.exe
- Size
  
  416KB
- MD5
  
  8f8ff6b696859c3afe7936c345b098bd
- SHA1
  
  9bb88f703e234a89ff523514a5c676ac12ae6225
- SHA256
  
  9cd46027d63c36e53f4347d43554336c2ea050d38be3ff9a608cb94cca6ab74b
- SHA512
  
  7817186633c86f95409213994b458937cc56eae49265db3051d061c9ddda1421acccf38f70f6c92ff782936c75420713842a62de4f62cf17a6cd6fc1dc7d1164
- SSDEEP
  
  3072:KpDlT1fcjwpur6aIT2j1m53+3ZuzLiA9V+KUnOoJddibbJb/Fs+c6CUiAsC57Cex:TJmZdLi/nOkrcsU7CRLi/nOkrccU3C
Score

1^/10
behavioral20 behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Themida packer

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21