ardamax | 5c75ee21c19716d90fe00a16f5b879281c07fc3c6bcab6e3ab8baba306d12a5c | Triage

Submit
Reports

Overview

overview

Static

static

7

3d4c151e2d...68.exe

windows7-x64

3d4c151e2d...68.exe

windows10-2004-x64

Sharing

General

Target

3d4c151e2d8b7ce62eb3363f19fcee86cc339e8c23a011cc000a0c476535c368.7z
Size

602KB
Sample

240524-yyxx9ahe61
MD5

48878232d07d066a6b1c1b77c9cef732
SHA1

f7dc3657da8c5a37e653f7399edbf3fd04471d68
SHA256

5c75ee21c19716d90fe00a16f5b879281c07fc3c6bcab6e3ab8baba306d12a5c
SHA512

be7cfd82bec3992dda0cfdbd3f162668a789a65915dc13fd515a8196e9354e6062714456e4df3718ec5408df05685c5c32a416ae7cb884906b2aa342175e92bd
SSDEEP

12288:uJ0JcQ82GekEtpDRIJgAaZRzM8BkXzn6L4SPGaTPRqfx+aK2wEh7:DcQ9pkEHR7AgRzM6+znvSPwx+Z2w6

Score

10^/10

ardamax aspackv2 discovery evasion keylogger persistence stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

3d4c151e2d8b7ce62eb3363f19fcee86cc339e8c23a011cc000a0c476535c368.exe

Resource

win7-20240215-en

ardamax aspackv2 discovery evasion keylogger persistence stealer

windows7-x64

20 signatures

120 seconds

Behavioral task

behavioral2

Sample

3d4c151e2d8b7ce62eb3363f19fcee86cc339e8c23a011cc000a0c476535c368.exe

Resource

win10v2004-20240508-en

ardamax aspackv2 discovery evasion keylogger persistence stealer

windows10-2004-x64

18 signatures

120 seconds

Malware Config

Targets

- Target
  
  3d4c151e2d8b7ce62eb3363f19fcee86cc339e8c23a011cc000a0c476535c368
- Size
  
  678KB
- MD5
  
  9025c7ce34c69fffec9365167918383e
- SHA1
  
  438d4ed9dcc92a02ecdfdbbd50cc28bad371c534
- SHA256
  
  3d4c151e2d8b7ce62eb3363f19fcee86cc339e8c23a011cc000a0c476535c368
- SHA512
  
  7a024cb3070abd12051f1fa30aeb683021a87a5bfad4fc77561b060dd39e0f83fdea80dea1c93fdd8827722d82a56fbf9f89f98d0bdf85695e3b440e38cf3d42
- SSDEEP
  
  12288:V3TdtLW5WIj1YSSdFxd4E4roEgFRRBSXyMzBUWb9lx/9AgHLo8OW+rBj:9Dsj1dENV43gFRRBcJ9nPx/igrp+1
Score

10^/10

ardamax aspackv2 discovery evasion keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

ardamaxaspackv2discoveryevasionkeyloggerpersistencestealer

behavioral2

ardamaxaspackv2discoveryevasionkeyloggerpersistencestealer

© 2018-2024

Terms | Privacy