ardamax

General

Target

Dispam.exe
Size

12.1MB
Sample

240919-ja8braxepq
MD5

a89b5a734cced64ae3cc202bdfac8759
SHA1

81a4254491dd554a5113f63ad7849d93cc30d3d7
SHA256

fd111c335073ae9b9f33d1f3e348bcbc46dd0b90de333156c2dbbee62412374b
SHA512

68ac8b1e4739fb444f1ef055015455094a3c768c84e96279996a11a9e1a4e7ae2192acb862cd896844c01cbed24e3fc0868fa8891d4806a46e70e2e3e2175e73
SSDEEP

393216:0GV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:TYQZ2YwUlJn1QtIm28IKzo

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
chernikova-a-v.my1.ru
Port:
21
Username:
5chernikova-a-v
Password:
8910743

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Extracted

Family

latentbot

C2

gfaghrtehxvdfsqaj.zapto.org

1gfaghrtehxvdfsqaj.zapto.org

2gfaghrtehxvdfsqaj.zapto.org

3gfaghrtehxvdfsqaj.zapto.org

6gfaghrtehxvdfsqaj.zapto.org

4gfaghrtehxvdfsqaj.zapto.org

5gfaghrtehxvdfsqaj.zapto.org

Targets

- Target
  
  Dispam.exe
- Size
  
  12.1MB
- MD5
  
  a89b5a734cced64ae3cc202bdfac8759
- SHA1
  
  81a4254491dd554a5113f63ad7849d93cc30d3d7
- SHA256
  
  fd111c335073ae9b9f33d1f3e348bcbc46dd0b90de333156c2dbbee62412374b
- SHA512
  
  68ac8b1e4739fb444f1ef055015455094a3c768c84e96279996a11a9e1a4e7ae2192acb862cd896844c01cbed24e3fc0868fa8891d4806a46e70e2e3e2175e73
- SSDEEP
  
  393216:0GV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:TYQZ2YwUlJn1QtIm28IKzo
Score

10^/10

ardamax berbew blackmoon cobaltstrike latentbot mydoom sality xtremerat aspackv2 backdoor banker defense_evasion discovery evasion execution keylogger persistence pyinstaller rat spyware stealer trojan upx worm
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Detect Blackmoon payload
- Detect XtremeRAT payload
- Detects MyDoom family
- Disables service(s)
  evasion execution
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
behavioral1