File name: Keylogger.Ardamax.zip
Full analysis: https://app.any.run/tasks/5fdd4742-a7ec-44a6-a3b5-e9e3a7fde60f
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that, once it infects a system, records every keystroke made on the device. This lets attackers collect victims' personal information, including online banking credentials and private conversations. The most common infection vector is a phishing email or link. Keylogging is also often bundled into remote access trojans as one capability among many.

Analysis date: January 16, 2024, 22:28:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5DE75A478FFB3AA01A88F4E539F3EDC0
SHA1: D4DBBDD4A8888B6B0738471E2E422C26F7E2F81B
SHA256: 9C662E2C950E9CBA8367A47F628553291F1E26B7E897A8533C00A4B27E174227
SSDEEP: 24576:b6JaUTbmuh0O6/M4GCC97DlftL8omDeLmBcMebyCbkb53X35rY8:b6JaUTbmuh0O6/bGCC97DlftL8peLmBP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 2044)
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (PID: 2172)
    • Creates a writable file in the system directory
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (PID: 2172)
      • DPBJ.exe (PID: 2168)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (PID: 2172)
    • Writes files like Keylogger logs
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (PID: 2172)
    • Reads the Internet Settings
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (PID: 2172)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2044)
    • Manual execution by a user
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (PID: 2172)
    • Checks supported languages
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (PID: 2172)
      • DPBJ.exe (PID: 2168)
    • Reads the computer name
      • ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (PID: 2172)
      • DPBJ.exe (PID: 2168)
    • Reads the machine GUID from the registry
      • DPBJ.exe (PID: 2168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2013:06:06 16:22:30
ZipCRC: 0x5f827015
ZipCompressedSize: 796882
ZipUncompressedSize: 802724
ZipFileName: ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18
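The ZipBitFlag above is the general-purpose bit flag from the ZIP local file header. Per the PKWARE APPNOTE, 0x0009 sets bit 0 (the entry's data is encrypted) and bit 3 (CRC and sizes are also written in a data descriptor after the data), so the inner file was password-protected in the archive. The Python below is an added example, not ANY.RUN's code: it parses a ZIP local file header and names those bits, first on a header re-packed from the exact values exiftool reported for this sample (the archive's own bytes are not on this page), then on a small archive written by the standard zipfile module to check the parser against a real writer. The payload bytes and the "sample.bin" entry name are constructed test data.

```python
import io
import struct
import zipfile
import zlib

# ZIP local file header (PKWARE APPNOTE 4.3.7), little-endian: signature,
# version needed, general-purpose bit flag, compression method, mod time,
# mod date, CRC-32, compressed size, uncompressed size, name length, extra length.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
METHODS = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES (WinZip)"}


def decode_flags(flag: int) -> dict:
    """Name the general-purpose bits an analyst cares about."""
    return {
        "encrypted": bool(flag & 0x0001),          # bit 0: entry data is encrypted
        "data_descriptor": bool(flag & 0x0008),    # bit 3: CRC/sizes also trail the data
        "strong_encryption": bool(flag & 0x0040),  # bit 6: PKWARE strong encryption
        "utf8_name": bool(flag & 0x0800),          # bit 11: file name is UTF-8
    }


def dos_to_iso(date: int, time: int) -> str:
    """MS-DOS packed date/time -> 'YYYY:MM:DD HH:MM:SS' (exiftool style)."""
    return "%04d:%02d:%02d %02d:%02d:%02d" % (
        (date >> 9) + 1980, (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_local_header(data: bytes, offset: int = 0) -> dict:
    """Parse the local file header at `offset`; raises on a bad signature."""
    sig, ver, flag, method, mtime, mdate, crc, csize, usize, nlen, xlen = \
        LOCAL_HDR.unpack_from(data, offset)
    if sig != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name_start = offset + LOCAL_HDR.size
    name = data[name_start:name_start + nlen]
    return {
        "version_needed": ver,
        "flag": flag,
        "flags": decode_flags(flag),
        "method": METHODS.get(method, "unknown(%d)" % method),
        "mtime": dos_to_iso(mdate, mtime),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "name": name.decode("utf-8" if flag & 0x0800 else "cp437"),
        "data_offset": name_start + nlen + xlen,  # where the entry's bytes begin
    }


# Constructed input 1: the header values exiftool reported for this sample,
# re-packed into raw bytes (the archive itself is not on the page).
def report_header() -> bytes:
    name = b"ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18"
    mdate = ((2013 - 1980) << 9) | (6 << 5) | 6
    mtime = (16 << 11) | (22 << 5) | (30 // 2)
    return LOCAL_HDR.pack(LOCAL_SIG, 20, 0x0009, 8, mtime, mdate,
                          0x5F827015, 796882, 802724, len(name), 0) + name


# Constructed input 2: a genuine archive written by the zipfile module, to
# check the parser against a real writer. Payload is invented PE-looking bytes.
PAYLOAD = b"MZ" + b"\x90" * 4096
PAYLOAD_CRC = zlib.crc32(PAYLOAD) & 0xFFFFFFFF


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo("sample.bin", date_time=(2013, 6, 6, 16, 22, 30))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, PAYLOAD)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("report values", report_header()),
                        ("zipfile-built", build_sample_zip())):
        h = parse_local_header(blob)
        print(label, h["name"], h["method"], h["mtime"], hex(h["flag"]), h["flags"])
```

With a real archive, read the file into bytes and call parse_local_header(data, 0). The central directory at the end of the file carries the authoritative copies of these fields, and a local header that disagrees with it (different sizes, flags or method) is itself worth flagging during triage.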
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → winrar.exe (PID 2044)
start → ardamaxkeylogger_e33af9e602cbb7ac3634c2608150dd18.exe (PID 2172) → dpbj.exe (PID 2168, no specs)

Process information

PID 2044
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Keylogger.Ardamax.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID 2168
CMD: "C:\Windows\system32\28463\DPBJ.exe"
Path: C:\Windows\System32\28463\DPBJ.exe
Parent process: ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\windows\system32\28463\dpbj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID 2172
CMD: "C:\Users\admin\Desktop\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
Path: C:\Users\admin\Desktop\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
c:\users\admin\desktop\ardamaxkeylogger_e33af9e602cbb7ac3634c2608150dd18.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
Total events: 1,254
Read events: 1,225
Write events: 29
Delete events: 0

Modification events

All of the listed registry writes are WinRAR's own UI state (archive MRU history, file-list column widths, window placement, MUI cache), not changes made by the sample.

(PID 2044) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\phacker.zip

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime | Value: 100

(PID 2044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 6
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID 2172, ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File: C:\Users\admin\AppData\Local\Temp\@93C1.tmp (binary)
MD5: B2707130CE8F32AE3DA605FF9B541989
SHA256: A67B19BADAD7B971CF7918716CCE81FA3B63C3E7B593C583C5F99F744937F136

PID 2172, ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File: C:\Users\admin\AppData\Local\Temp\@93C0.tmp (executable)
MD5: D73D89B1EA433724795B3D2B524F596C
SHA256: 8AEF975A94C800D0E3E4929999D05861868A7129B766315C02A48A122E3455D6

PID 2044, WinRAR.exe
File: C:\Users\admin\Desktop\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18 (executable)
MD5: E33AF9E602CBB7AC3634C2608150DD18
SHA256: 8C870EEC48BC4EA1ACA1F0C63C8A82AAADAF837F197708A7F0321238DA8B6B75

PID 2172, ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File: C:\Windows\system32\28463\key.bin (binary)
MD5: 639D75AB6799987DFF4F0CF79FA70C76
SHA256: FC42AB050FFDFED8C8C7AAC6D7E4A7CAD4696218433F7CA327BCFDF9F318AC98

PID 2172, ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File: C:\Windows\system32\28463\AKV.exe (executable)
MD5: 97EEE85D1AEBF93D5D9400CB4E9C771B
SHA256: 30DF6C8CBD255011D80FA6E959179D47C458BC4C4D9E78C4CF571AA611CD7D24

PID 2168, DPBJ.exe
File: C:\Windows\system32\28463\DPBJ.009 (binary)
MD5: AC6C9CDB2BCC64F90CE7691C5076C56A
SHA256: 6BD2065BC3AD9039E22027370D834664C124BDA6CF744E6FB845B494CA8159F4

PID 2172, ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File: C:\Windows\system32\28463\DPBJ.001 (binary)
MD5: 7A0F1FA20FD40C047B07379DA5290F2B
SHA256: B0AD9E9D3D51E8434CC466BEC16E2B94FC2D03BAB03B48CCF57DB86AE8E2C9B6

PID 2172, ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File: C:\Windows\system32\28463\DPBJ.006 (executable)
MD5: 35B24C473BDCDB4411E326C6C437E8ED
SHA256: 4530FCC91E4D0697A64F5E24D70E2B327F0ACAB1A9013102FF04236841C5A617

PID 2172, ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File: C:\Windows\system32\28463\DPBJ.007 (executable)
MD5: A8E19DE6669E831956049685225058A8
SHA256: 34856528D8B7E31CAA83F350BC4DBC861120DC2DA822A9EB896B773BC7E1F564

PID 2172, ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File: C:\Windows\system32\28463\DPBJ.exe (executable)
MD5: B863A9AC3BCDCDE2FD7408944D5BF976
SHA256: 0FE8E3CD44A89C15DEC75FF2949BAC1A96E1EA7E0040F74DF3230569AC9E37B0
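Worked detection logic for the signatures this report raised ("Drops the executable file immediately after the start", "Creates a writable file in the system directory", "Executable content was dropped or overwritten"), run over the dropped-file rows just listed. Two things the table makes visible: both the dropper (PID 2172) and DPBJ.exe (PID 2168) ran at HIGH integrity, which is what allowed C:\Windows\system32\28463\ to be created at all (a medium-integrity run would have been denied there), and DPBJ.exe's own image lives under System32, so a rule that trusts any image under C:\Windows would miss its DPBJ.009 write. The Python below is an added example, not ANY.RUN's signature engine: the event list is constructed from this report's table plus one made-up benign svchost row to check for false positives, and the "numbered install cluster" rule generalises the 28463\DPBJ.001/.006/.007/.009 plus key.bin footprint of this single run into a pattern. Treat that generalisation as an assumption, not a documented Ardamax indicator.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileWrite:
    pid: int
    image: str   # full path of the process doing the write
    path: str    # file that was written
    ftype: str   # sandbox content type: "executable" or "binary"


# Constructed event log: the dropped-file rows of this report, plus one
# constructed benign row (an OS component writing under System32).
DROPPER = r"C:\Users\admin\Desktop\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
LOADER = r"C:\Windows\System32\28463\DPBJ.exe"
SAMPLE_EVENTS = [
    FileWrite(2172, DROPPER, r"C:\Users\admin\AppData\Local\Temp\@93C1.tmp", "binary"),
    FileWrite(2172, DROPPER, r"C:\Users\admin\AppData\Local\Temp\@93C0.tmp", "executable"),
    FileWrite(2044, r"C:\Program Files\WinRAR\WinRAR.exe",
              r"C:\Users\admin\Desktop\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18", "executable"),
    FileWrite(2172, DROPPER, r"C:\Windows\system32\28463\key.bin", "binary"),
    FileWrite(2172, DROPPER, r"C:\Windows\system32\28463\AKV.exe", "executable"),
    FileWrite(2168, LOADER, r"C:\Windows\system32\28463\DPBJ.009", "binary"),
    FileWrite(2172, DROPPER, r"C:\Windows\system32\28463\DPBJ.001", "binary"),
    FileWrite(2172, DROPPER, r"C:\Windows\system32\28463\DPBJ.006", "executable"),
    FileWrite(2172, DROPPER, r"C:\Windows\system32\28463\DPBJ.007", "executable"),
    FileWrite(2172, DROPPER, r"C:\Windows\system32\28463\DPBJ.exe", "executable"),
    FileWrite(900, r"C:\Windows\System32\svchost.exe",            # constructed control row
              r"C:\Windows\System32\LogFiles\example.log", "binary"),
]

SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
NUMERIC_EXT = re.compile(r"\.\d{3}$")
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx")
# Simplification: an image counts as Windows' own only if it sits directly in
# one of these directories. A production rule would check the Authenticode
# signer; the point is that a System32 *subfolder* such as 28463 earns no trust.
TRUSTED_IMAGE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def image_dir(path: str) -> str:
    return path.rpartition("\\")[0].lower()


def writes_system_dir_from_untrusted_image(ev: FileWrite) -> bool:
    """'Creates a writable file in the system directory' by a non-OS image."""
    return bool(SYSTEM_DIR.match(ev.path)) and image_dir(ev.image) not in TRUSTED_IMAGE_DIRS


def executable_with_wrong_extension(ev: FileWrite) -> bool:
    """PE content written under a name that does not look like a PE
    (@93C0.tmp, DPBJ.006, the extension-less extracted sample)."""
    return ev.ftype == "executable" and not ev.path.lower().endswith(PE_EXTENSIONS)


def find_install_clusters(events, min_parts: int = 3):
    """Numbered-component install footprint: an all-digit directory under
    System32 receiving >= min_parts files STEM.NNN sharing one stem.
    Generalised (assumption) from the single 28463 instance in this report."""
    by_dir = defaultdict(set)
    for ev in events:
        d, _, name = ev.path.rpartition("\\")
        by_dir[d.lower()].add(name.lower())
    hits = []
    for d, names in by_dir.items():
        leaf = d.rsplit("\\", 1)[-1]
        if not (SYSTEM_DIR.match(d + "\\") and leaf.isdigit()):
            continue
        stems = defaultdict(list)
        for n in names:
            if NUMERIC_EXT.search(n):
                stems[n.rsplit(".", 1)[0]].append(n)
        for stem, parts in stems.items():
            if len(parts) >= min_parts:
                hits.append({"dir": d, "stem": stem, "parts": sorted(parts),
                             "loader": f"{stem}.exe" in names,
                             "key_blob": "key.bin" in names})
    return hits


def scan(events):
    """Run all three rules; returns (rule, subject, detail) triples."""
    findings = []
    for ev in events:
        if writes_system_dir_from_untrusted_image(ev):
            findings.append(("system_dir_write", ev.pid, ev.path))
        if executable_with_wrong_extension(ev):
            findings.append(("exe_content_wrong_ext", ev.pid, ev.path))
    for c in find_install_clusters(events):
        findings.append(("numbered_install_cluster", c["dir"], c["stem"]))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:26} {subject!s:6} {detail}")
```

On this event set the first rule fires for every write into 28463\ by PIDs 2172 and 2168 and stays quiet for the svchost control row; the second rule fires for @93C0.tmp, DPBJ.006, DPBJ.007 and WinRAR's extension-less extraction (the same file the report flags at INFO level); the cluster rule reports one hit, stem dpbj, with its loader and key.bin present.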
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Reputation
4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | unknown

(Domain, ASN and CN were empty for all three rows.) None of these connections come from the monitored processes (PIDs 2044, 2168, 2172): they are the guest OS's own NetBIOS name-service and datagram broadcasts (UDP 137/138 to the subnet broadcast address) and an LLMNR multicast query (224.0.0.252:5355). The sample itself produced no HTTP or DNS activity during the run, so this report contains no network indicators for it.

DNS requests

No data

Threats

No threats detected
No debug info