ardamax | 263b41f42d5b9e564bd527b80bf6dc499367af7f1c1b6436dc70fc072d5a5f4d | Triage

Submit
Reports

Overview

overview

Static

static

3

DoomRat.exe

windows10-2004-x64

Resubmissions

19-09-2024 16:35

240919-t3mwmaydma 10

19-09-2024 15:27

240919-svslgawara 666

Sharing

General

Target

DoomRat.exe
Size

12.1MB
Sample

240919-t3mwmaydma
MD5

de44552631e89947e4654a39f41c18fc
SHA1

b1370d875efcf7bbba3ec1a9cfbd2bb20ae23c6d
SHA256

263b41f42d5b9e564bd527b80bf6dc499367af7f1c1b6436dc70fc072d5a5f4d
SHA512

d876bd63a929791e49dd5119fcf488a7c89eb471a183c71b287fb621144f5ffc72c606f3a3dc250ed65649d3bf3b69427abc4c5fc5d03b86324386708ee77def
SSDEEP

393216:vGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:SYQZ2YwUlJn1QtIm28IKzo

Score

10^/10

ardamax berbew blackmoon xenorat backdoor banker execution keylogger pyinstaller rat stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

DoomRat.exe

Resource

win10v2004-20240802-en

ardamax berbew blackmoon xenorat backdoor banker execution keylogger rat stealer trojan upx

windows10-2004-x64

14 signatures

1800 seconds

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

http://kadet.ru/index.htm

http://cvv.ru/index.htm

http://crutop.nu/index.htm

http://crutop.ru/index.htm

http://mazafaka.ru/index.htm

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://kidos-bank.ru/index.htm

http://kavkaz.ru/index.htm

http://fethard.biz/index.htm

http://master-x.com/index.php

http://kaspersky.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://kaspersky.ru/index.htm

Targets

- Target
  
  DoomRat.exe
- Size
  
  12.1MB
- MD5
  
  de44552631e89947e4654a39f41c18fc
- SHA1
  
  b1370d875efcf7bbba3ec1a9cfbd2bb20ae23c6d
- SHA256
  
  263b41f42d5b9e564bd527b80bf6dc499367af7f1c1b6436dc70fc072d5a5f4d
- SHA512
  
  d876bd63a929791e49dd5119fcf488a7c89eb471a183c71b287fb621144f5ffc72c606f3a3dc250ed65649d3bf3b69427abc4c5fc5d03b86324386708ee77def
- SSDEEP
  
  393216:vGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:SYQZ2YwUlJn1QtIm28IKzo
Score

10^/10

ardamax berbew blackmoon xenorat backdoor banker execution keylogger rat stealer trojan upx
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Detect XenoRat Payload
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxberbewblackmoonxenoratbackdoorbankerexecutionkeyloggerratstealertrojanupx

© 2018-2025

Terms | Privacy