ardamax | 36cecacdbdb2f7edd35f23f078a267802df70880e3a2f31c2510b24b87bb75f1

General

Target

65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
Size

480KB
MD5

65045c4e39d37186060c8354a5eaf660
SHA1

48c0ee66b70bab8324eab6a3ecafe6607194e71e
SHA256

36cecacdbdb2f7edd35f23f078a267802df70880e3a2f31c2510b24b87bb75f1
SHA512

eb389f28ea44cc49187285454e0c2cce48fb0f1d523aac659287b8f73450cbc4396a1aae303d137de60967b0e9dd8191b7ed1355ef9aa31f30dec48051b8aab8
SSDEEP

12288:HrQlu27+apb6VIdPjmfiKJX89obYIZGzSvKNeFgTVz:8luBVeWthbDGBeiZz

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d88-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1960	RDBC.exe

Loads dropped DLL 5 IoCs

pid	Process
2892	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
2892	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
2892	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
1960	RDBC.exe
1960	RDBC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RDBC Agent = "C:\\Windows\\SysWOW64\\Sys32\\RDBC.exe"	RDBC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\RDBC.001	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Sys32\RDBC.006	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Sys32\RDBC.007	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Sys32\RDBC.exe	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	RDBC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1960	RDBC.exe
Token: SeIncBasePriorityPrivilege	1960	RDBC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1960	RDBC.exe
1960	RDBC.exe
1960	RDBC.exe
1960	RDBC.exe
1960	RDBC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1960	2892	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 1960	2892	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 1960	2892	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 1960	2892	65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65045c4e39d37186060c8354a5eaf660_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\Sys32\RDBC.exe
  "C:\Windows\system32\Sys32\RDBC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
390KB

MD5
43e6915644bbfb14f8e1eeec11c10c1e

SHA1
cc2ecbc247c3f69983181720b1c422bb8712b3ea

SHA256
c7af5213f17c45368be3a03c012f19b85359ba2f3ee0b99a1d69651f24ee7fc7

SHA512
f56040f04e9e8e2dd836e62d2102d50ad565de2aeffbf579da544b8977d0ef51ec37d04b9f65effaabce86d99b0b843a8d0fe0b07309f46518e0d1bcaf9c30ff

Download Submit
C:\Windows\SysWOW64\Sys32\RDBC.001

Filesize
368B

MD5
f51e2aeac44bd531bd7216600831fe28

SHA1
194f01ab49d05d6be0e78dcd4c94ef07e6c0360b

SHA256
5dbd4cf729186b74b3aa182c532af32db8469d174361a0bb4ccd42a5e8961323

SHA512
8decc6eea926ed572817775b94ecc18afb8871b129c25ea22b2915faa4cb8e4d59f298eac95a7a2d26c7c8b07c0854aa5a9665c52e19a3fb6aa3ee077d8e956f

Download Submit
C:\Windows\SysWOW64\Sys32\RDBC.006

Filesize
7KB

MD5
e46933fcb66309989c062d479b57826b

SHA1
95811c79e4cc425acf4b80b82c8c5042870d65dd

SHA256
855127ada33de42f0c40d0ae24fcadd7c2f994067c8324f6713b273d5f9ba9bb

SHA512
7f4f8c4b7d0ca3791adf4d451eeb05971ede3251bc85171fdb280f017c2df56d777f140e543f33a93e3b76531e634eb3648f3c83026e1c6815f106f5b3b98187

Download Submit
C:\Windows\SysWOW64\Sys32\RDBC.007

Filesize
5KB

MD5
580556e0ba771c2d7b308966e7dd19ee

SHA1
d62cf701c1f2f63823ef5e69fe34ef11b2e26264

SHA256
ffb6b4b690402a86f6a57f59766d63dc510517466de11fd9456299b65ca8f025

SHA512
0c331c1bb91442b8c1ec034bbcf429a4852b9c9ed4fb50cc2537823812512a48684fc3e667324525e36cb0b627f5e050a8b758d47c0f86f3534128ff2306867c

Download Submit
\Users\Admin\AppData\Local\Temp\@9000.tmp

Filesize
4KB

MD5
3f52df517da5032c1ab53305bcbc70f9

SHA1
2048e88bffa0aba69aa6a04f643bdf7ca5958be1

SHA256
afc65177185d3e425d443f385327865fb1bcdc8ed8c332fbff4d5d0ddd04bfbb

SHA512
b15456918af953fb7373fbe847e2c49db910cf04dbfebb8a1afe79f8732d5d6cc343a3fcf3c0a95841a48c8363becd001366ee751680d5bca0977b4d49b28ede

Download Submit
\Windows\SysWOW64\Sys32\RDBC.exe

Filesize
477KB

MD5
cc24cbd172349340b8276be37a8a6d6c

SHA1
5b2fe881be92f7d28d4e9bda18be118e5c86313a

SHA256
c75e8c96e14f8a1794c20a8f5be2fda2ea91e70c1b18d7540a19612088f9b3f4

SHA512
e82556e7e47ecb3c361feb0ec83c70630a83b19963be03b4219ae6cf87fd9d964e53b4365caac10cae0ea77e818c60fb272a09f71a096396a03da437204e88d5

Download Submit
memory/1960-24-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1960-27-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads