MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ardamax


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA3-384 hash: 71beb4d7c28e34e883b91cc2a3c28291c9978311b36c5a3ec871ed4104b7d1a70282b8446cec55b9c82b6efaf0d68fdf
SHA1 hash: 8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
MD5 hash: e33af9e602cbb7ac3634c2608150dd18
humanhash: west-orange-enemy-oregon
File name:ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18
Download: download sample
Signature Ardamax
Create hunting rule
File size:802'724 bytes
First seen:2023-10-29 22:30:52 UTC
Last seen:2023-10-31 06:48:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 86632da30434ccfc050190a47fb559c4 (1 x Ardamax)
ssdeep 12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/
Threatray 190 similar samples on MalwareBazaar
TLSH T13D05234816605922FC292B770F0CDA946DAF47A8304D4F1F76622B491E5BB49FF337A8
TrID 50.0% (.EXE) Generic Win/DOS Executable (2002/3)
49.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 34a2a372de86acce (1 x Ardamax)
Reporter analisis
Tags:Ardamax exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
403
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://github.com/ytisf/theZoo/raw/master/malwares/Binaries/Keylogger.Ardamax/Keylogger.Ardamax.zip
Verdict:
Malicious activity
Analysis date:
2020-10-16 09:07:25 UTC
Tags:
keylogger
Link:
https://app.any.run/tasks/8706cfdb-f7a4-454e-a9db-6de62e95de53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456962/
Detection(s):
Win.Packed.Ardamax-6965118-0
Create hunting rule

Win.Trojan.Ardamax-310
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Setting a global event handler
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
ardamax buzus overlay packed threat
Link:
https://www.filescan.io/uploads/653edd27bc703e36b092e8de/reports/f16b3384-9bd2-4e1e-99e6-3bb14e7d9efd/overview
Verdict:
Malicious
Labled as:
Trojan.Ardamax
Link:
https://www.hybrid-analysis.com/sample/8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
Malware family:
Ardamax
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ddda98d-78a3-412a-a911-85894f0092df
Result
Threat name:
Ardamax
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045247
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Drops executables to the windows directory (C:\Windows) and starts them
Installs a global get message hook
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
PE file has nameless sections
Yara detected Ardamax
Behaviour
Behavior Graph:
Download SVG
Score:
78%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75/
Threat name:
Win32.Keylogger.Ardamax
Create hunting rule
Status:
Malicious
First seen:
2013-06-11 02:18:00 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rsdq53cixrhkdlfb6dddzcucvkw27a37df3qrj7qgijdrwulnn2q._file
Verdict:
malicious
Similar samples:
104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb
Ardamax
38a2144651bd3980612f92a1cd2308adf10dd630d618ee05232bf1a8cf76444c
Ardamax
4e027b305b9bacf2392ffb062acba8bd54e5ce5e5e58951633317256bede4ba2
Ardamax
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e
Ardamax
d0f26970c628316459bff17f23f723edb14af4046949ef99381ca87c28da8830
Ardamax
d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b
Ardamax
d889c30e2b4f98e187979772794453f03b9f6a45253a6a926718022ad2900ed8
Ardamax
e847177037dc0ee3f1b92bfd3ee5294786998c4e151ba63727e8f3bd7c41aaaa
Ardamax
f31c3f1bc2ca3732cd557ec416ca54562daaf704f2d5b44e9b7d92d22168ac9e
Ardamax
feb365d784b06535c3bd3ab5c525e771521f0f7dcc71c8c3e800226fdb117085
Ardamax
+ 180 additional samples on MalwareBazaar
Result
Malware family:
ardamax
Create hunting rule
Score:
  10/10
Tags:
family:ardamax discovery keylogger persistence stealer
Link:
https://tria.ge/reports/231029-2fdcnshf4x/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Ardamax
Ardamax main executable
Unpacked files
SH256 hash:
a0ee202ae0634037445bff5848de562c4011f11a4080bbc326a18534e1b7db9f
MD5 hash:
840e45fe5187c8b026a60532b48b911b
SHA1 hash:
a839b9f0c6c721fe182fe8b9e3a119a374703119
Link:
https://www.unpac.me/results/e0051338-173d-4d5b-8c4d-77725403217d/
SH256 hash:
5ecb39fa621caf0c7572c651689ed339b4c03b0926e7be027c4666e4531bb116
MD5 hash:
a1c1fbd25e24be20d37667644b5e9fb4
SHA1 hash:
1124b51a60b7d0a2531ea40ca571e5dbbf31eb2f
Link:
https://www.unpac.me/results/e0051338-173d-4d5b-8c4d-77725403217d/
SH256 hash:
756e0867fb12b23e2ad73e088565e019122e0ff9617827a3d714543a372f7d2c
MD5 hash:
9ef0188b448b6c4332e71c269d6ec6e4
SHA1 hash:
05d5762acd7757af6d3cc594d9cb495993578824
Link:
https://www.unpac.me/results/e0051338-173d-4d5b-8c4d-77725403217d/
SH256 hash:
8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
MD5 hash:
e33af9e602cbb7ac3634c2608150dd18
SHA1 hash:
8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
Link:
https://www.unpac.me/results/e0051338-173d-4d5b-8c4d-77725403217d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c870eec48bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456962/

Comments