ardamax | 46f3133bf678fd9038fffd1a6f096aaed1e2e3a5c6f949373e3252dfbe00e4c4 | Triage

Sharing

General

Target

JaffaCakes118_6f508563ea940ab46a84f48211f208fa
Size

1.1MB
Sample

250201-h1qnyswjbj
MD5

6f508563ea940ab46a84f48211f208fa
SHA1

2126d3e5b2c25d82b9a71bfc66d9d25d7518cacf
SHA256

46f3133bf678fd9038fffd1a6f096aaed1e2e3a5c6f949373e3252dfbe00e4c4
SHA512

c077800b1c1eb8ab72ea01a44236cb47160b6e5e94d26599612b2ff77a0149fce31400a8b1f5bfb9d3fc3a40d44a0cf7124f84e23ecceb946158ca72502a8034
SSDEEP

24576:Lb+dUPvL79rIXJeiIXUyGRqmJfImtstjutPNBojinod5YU+29hYAfXgsO9FV4:LbosvL5rIXEWNquIRutP3idWUpYAfy9Q

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Targets

- Target
  
  NeoMc.exe
- Size
  
  1.1MB
- MD5
  
  4f255e042e257c230a643e67bef86d79
- SHA1
  
  d62aace2c8ac45f5485a3f3daf8fbaab2193dd8b
- SHA256
  
  e816fe735894aed6786fff66c1794364c25f518808d8968f3aa38856904886ff
- SHA512
  
  8d0dfb77548207ee876b55d9366862b146f54477bc0b6e8981cf627dd41069238bf39d5eb9375d929d0a3a3cabbf97e8086244c645f55b85f96e81e24f433f93
- SSDEEP
  
  24576:VbPTHFFG9exqCdx4bc7dam0vQdCrgrNi9NsxQ8F+xVpd:V7Ta9c9EIxBCWusx5F+x
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer