General

  • Target

    e4e64b2bcc9c006b5e9d4fd169e1e1d2_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240916-q2ebba1bpm

  • MD5

    e4e64b2bcc9c006b5e9d4fd169e1e1d2

  • SHA1

    f32b15f09e9ecf3bbec3227621e14983fdb80e4d

  • SHA256

    b10c09310d2c98dcffdfb2b7eb9c9c7ef2aad1795e00e19f9bbddb717dd5e132

  • SHA512

    15b49ec2f11334a6542e4efc425871b26a2efbcdcb1398473297edfe6372c4a6cac97e03aff6494e0b1e2a9be4ba7fdc50ace16a02e8cc8a5231beb01c33e439

  • SSDEEP

    24576:IgJPiXgCJXCvBt9hge5kZyMTCW9VllZCaRJfhLEDU3/6VPMo9LZOUi:IgJPiXgCJSvVmikZ/TrZCa3yYRoKp

Malware Config

Targets

    • Target

      OsmanliBot/OsmanliBot/TABCTL32.OCX

    • Size

      204KB

    • MD5

      908938d3ba2d870ee9fc6238a4c6af95

    • SHA1

      e8648d6d69fd5cf900c4bf98b210f6921bed3ef5

    • SHA256

      40cadbfb2eb5732f025d687664f34239db7153a192bca0287f9208852b201fb6

    • SHA512

      f9433f48330f7ddc64edb8a64229c1490fa31978e9f4ffdc5fa5ff8b18430317a39a07a559d560051ba195b730429acfb18edb38bf712507b00ac788ffca0b74

    • SSDEEP

      3072:kBOrV7gwFcKneF9s2x+eDYIRXDc6VNeFjzBB9g3A/Vt8DbtUfREm/UmL/8zc8N9R:k0rVdCVrsEncIRXDdVNeFBIk2DgR4d

    • Score

      3/10

    • Target

      OsmanliBot/OsmanliBot/notepad.exe

    • Size

      1.3MB

    • MD5

      96adbbc5cc261417f9d10dcde2f9b4d1

    • SHA1

      6c8feb0425a512458668ece1402c87873d6c4d5a

    • SHA256

      29a003990bb109b15d5e2582dcc092cf70bec23906577b6aad6945589ca2b037

    • SHA512

      fab822ffc21bd0f30da7855c75af552cb377a9f1b6620bfa63035bc2da4c6fd3d8b6d798b98abfad90c3f66c71f4de4c5797ab46a8a0069b50f344fdaa8e7518

    • SSDEEP

      24576:9zwTT6p2lW0rfdULy6s+W5xLhOFVjkxwCK90DuZEUcbkbRMkR9Y9M9:9z+TfW0k85HIFVrCK9XZEzOGkR91

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks