ardamax | 4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7

General

Target

4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe
Size

3.2MB
MD5

0ac08d19b395d553f50168235f7c7ed0
SHA1

1a9b02b39fe52066db32e233b541f2b0db68cb23
SHA256

4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7
SHA512

9a65bad63e1da4a8d6c2567eb71733b318cb68f0eebbe6a1ef3eb0cbbea50b63a1649a80d6e5253de17964a3e3a7150dca5faef01c171bd95aacb5f4a26b7d9a
SSDEEP

98304:R57Up17aZGruoEinbe6xKpCxlronCUsvm:DweWuoDDKgxpoU

Score

10^/10

ardamax discovery keylogger link pdf persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Executes dropped EXE 1 IoCs

pid	Process
2840	HIS.exe

Loads dropped DLL 3 IoCs

pid	Process
2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe
2840	HIS.exe
2788	AcroRd32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HIS Start = "C:\\ProgramData\\CDDLSI\\HIS.exe"	HIS.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x0006000000019242-20.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HIS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2840	HIS.exe
2840	HIS.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2840	HIS.exe
2788	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2840	HIS.exe
2840	HIS.exe
2840	HIS.exe
2840	HIS.exe
2788	AcroRd32.exe
2788	AcroRd32.exe
2788	AcroRd32.exe
2788	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2840	2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe	31
PID 2224 wrote to memory of 2840	2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe	31
PID 2224 wrote to memory of 2840	2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe	31
PID 2224 wrote to memory of 2840	2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe	31
PID 2224 wrote to memory of 2788	2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe	32
PID 2224 wrote to memory of 2788	2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe	32
PID 2224 wrote to memory of 2788	2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe	32
PID 2224 wrote to memory of 2788	2224	4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe	32

C:\Users\Admin\AppData\Local\Temp\4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe
"C:\Users\Admin\AppData\Local\Temp\4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\ProgramData\CDDLSI\HIS.exe
  "C:\ProgramData\CDDLSI\HIS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MasturbacaoFeminina.pdf"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CDDLSI\HIS.00

Filesize
2KB

MD5
26d6bf276f84648747ea5b23fc8428bb

SHA1
c5ce10312cfa9ec2996fdd9fdd0f9e7bd78a29fd

SHA256
40f3ea70192c256d0f26467dae63edbc48b64feff0e08272ebd9cdf1bded9262

SHA512
e4850c2e11fd7ec838068f7d3938532898128b3dd840ac74752c94d68ae5dff99f221396211ba5a465750e6538e158293b7080da3c6951c214ecbeea534961e2

Download Submit
C:\ProgramData\CDDLSI\HIS.01

Filesize
80KB

MD5
0be24f7df280c4989c2e0095fa5295f1

SHA1
95a0e64f5e161835ccfe5e3b46416fc4e83b9e8b

SHA256
693644e3efa419806932a680601b8f037b314b0b957d3716838174a7958c49b6

SHA512
1f34a626ae87dbf0604523a6058e116a0eb743e00a58e5be8d69375c1567f61029f91f4bba4b5293b0abfc7300862deb13fa047108648c8a3fd812802fe49c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasturbacaoFeminina.pdf

Filesize
793KB

MD5
026aa9f78e651c1f26626c5ea7038f10

SHA1
7cae80b0f4d8fd3e8acbb1d7e849d0b3c71bbeee

SHA256
ddd2528e349289ed7c3aedd73d1f79fcc5b7cf5e54eda793cb7b0c726c98f9d3

SHA512
bde39e87ed23bf4fb2d2a138a2e6bce3d8303323444fbf5aa3491a2604a29fb99f08b54b3122cc4d983480010b7e3945254d4ed2a6d3bacdb25083238b6145fd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4d3907bb119520bf42ccbf793b42c141

SHA1
deafd01040e93574fd42be41479252d28fac43d9

SHA256
26da52658ccd9c2b13e87a36a749327b0022cfe2ba98007b320266ff4b3a3fa4

SHA512
6419531347e8995871194eab9db7b237417953c06290bcf96ecce53206631219b375120363b77d207e6b106de32ea6f15331f932585a7458d771b67b15dcad70

Download Submit
\ProgramData\CDDLSI\HIS.exe

Filesize
2.3MB

MD5
84bd1dd4eabec5fe9b2911c461c5a883

SHA1
d9ca77eaba19d6f2656e0f3ac79ad1924eb7aea4

SHA256
479a4e8f6f4dfe58308e6816bf5de0f16bc47734d61a7bd0b8b68809f14db60b

SHA512
fac4f43f371ed34bb26b1e89054162febeee61052b1eb7e8ce9cfb7a8edc200c8a76a0948a0bea74354aa723446d76a494a908189eaef03430bc3a3ae0edbd2f

Download Submit
memory/2224-0-0x0000000000811000-0x0000000000812000-memory.dmp

Filesize
4KB

Download
memory/2224-1-0x0000000000810000-0x0000000000B3F000-memory.dmp

Filesize
3.2MB

Download
memory/2224-12-0x0000000000810000-0x0000000000B3F000-memory.dmp

Filesize
3.2MB

Download
memory/2840-15-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/2840-14-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2840-18-0x0000000001FE0000-0x0000000001FF9000-memory.dmp

Filesize
100KB

Download
memory/2840-39-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads