ardamax

General

Target

https://paste.fo/9253e43132b4
Sample

241103-pm75eawrhr

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://6.top4top.net/p_13529t6r71.jpg

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes

aes_key
nulled
antivm
true
c2_url
https://pastebin.com/raw/cXuQ0V20
delay
33
download_payload
false
install
false
install_name
dual.exe
main_folder
AppData
pin_spread
false
sub_folder
\DualCore\
usb_spread
true

Extracted

Family

revengerat

Botnet

papa

C2

papa.hopto.org:3344

Mutex

RV_MUTEX-cawrHJfWfhaRC

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/cXuQ0V20
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  https://paste.fo/9253e43132b4
Score

10^/10

ardamax limerat revengerat papa agilenet discovery execution keylogger persistence privilege_escalation rat stealer trojan
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Limerat family
  limerat
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- RevengeRat Executable
  stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1