ardamax | 9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d | Triage

Submit
Reports

Overview

overview

Static

static

3

2025-02-13...ia.exe

windows7-x64

2025-02-13...ia.exe

windows10-2004-x64

Sharing

General

Target

2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia
Size

9.8MB
Sample

250213-tevasszrbs
MD5

488305a7b3190c2c0fc6166a532b98d5
SHA1

5675580b0f37a5428acd9570457dc561068bffdb
SHA256

9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d
SHA512

1f14d8b7ac8b0117987ce8e4b8e33ecf6936fbff3d5e169f4109717836a473218194c9e09181c47cd43faded5e41033c51d5ccfbb01c65a57c92e2796af71ecf
SSDEEP

196608:1zS1+mVNJzKCoBNdUMKnHlawrBaAQeNzeNGdzcW/NM9r+qRP:1zSLVHu77uMCFawVaATaNGdoW1qRP

Score

10^/10

ardamax discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Resource

win7-20240903-en

ardamax discovery keylogger persistence stealer

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Resource

win10v2004-20250207-en

ardamax discovery keylogger persistence stealer

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Targets

- Target
  
  2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia
- Size
  
  9.8MB
- MD5
  
  488305a7b3190c2c0fc6166a532b98d5
- SHA1
  
  5675580b0f37a5428acd9570457dc561068bffdb
- SHA256
  
  9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d
- SHA512
  
  1f14d8b7ac8b0117987ce8e4b8e33ecf6936fbff3d5e169f4109717836a473218194c9e09181c47cd43faded5e41033c51d5ccfbb01c65a57c92e2796af71ecf
- SSDEEP
  
  196608:1zS1+mVNJzKCoBNdUMKnHlawrBaAQeNzeNGdzcW/NM9r+qRP:1zSLVHu77uMCFawVaATaNGdoW1qRP
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer

© 2018-2025

Terms | Privacy