Keylogger[.]Ardamax[.]zip | Triage

Sharing

General

Target

Keylogger.Ardamax.zip
Size

778KB
MD5

5de75a478ffb3aa01a88f4e539f3edc0
SHA1

d4dbbdd4a8888b6b0738471e2e422c26f7e2f81b
SHA256

9c662e2c950e9cba8367a47f628553291f1e26b7e897a8533c00a4b27e174227
SHA512

05f2bcdfb298f294f58fc59709986f73c48d6d6d2b4b21dc8307c8dde57b5a5b632ab6e00af43457b30182fb8a5351239c3636231244dec10c45d4c7b62f5d70
SSDEEP

12288:9xq9i8r/n4c9ahANC6hddXrnD1v0bcijRd3byyzwgLE7EYY6GHKNwUdHlwYPwoG2:e9BjnbZX18bLRdrcp7lY62KquOYop2

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18

Files

Keylogger.Ardamax.zip
.zip

Password: infected
ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18
.exe windows:5 windows x86 arch:x86

Password: infected

86632da30434ccfc050190a47fb559c4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
_acmdln
__p__fmode
__set_app_type
_except_handler3
_controlfp
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
calloc
exit
memcpy
memset
_itow
??2@YAPAXI@Z
_wcsdup
??3@YAXPAX@Z
free
__p__commode

kernel32

GetModuleHandleA
GetTempPathW
GetModuleHandleW
GetModuleFileNameW
CreateFileW
SetFilePointer
CloseHandle
GetTempFileNameW
FreeLibrary
DeleteFileW
WriteFile
ReadFile
LoadLibraryW
GetProcAddress
GetStartupInfoA

user32

MessageBoxW

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ