Submission Summary:

What's been foundSeverity Level
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Security RiskDescription
Application.Ardamax_Keylogger Ardamax Keylogger is a keystroke recorder that captures user's activity and saves it to an encrypted log file. The log file can be viewed with the powerful Log Viewer.
Trojan-Spy.Ardamax!sd6 Trojan-Spy.Ardamax!sd6 is a malicious application that attempts to steal passwords, login details, and other confidential information.

Threat CategoryDescription
A spyware program that represents security risk for a local system
A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 %Temp%\@2.tmp 1,148,090 bytes MD5: 0xB2707130CE8F32AE3DA605FF9B541989
SHA-1: 0xF23EA52006E61113E7366309BEDC55BC097B825E
Spyware.Ardakey [Symantec]
Trojan-Spy.Ardamax.J [Ikarus]
2 %System%\28463\AKV.exe 468,480 bytes MD5: 0x97EEE85D1AEBF93D5D9400CB4E9C771B
SHA-1: 0x26FA2BF5FCE2D86B891AC0741A6999BFF31397DE
Spyware.Ardakey [Symantec]
not-a-virus:Monitor.Win32.Ardamax.akj [Kaspersky Lab]
Keylog-Ardamax [McAfee]
Mal/Generic-L [Sophos]
MonitoringTool:Win32/Ardamax [Microsoft]
Trojan.Generic [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
3 %System%\28463\DPBJ.001 492 bytes MD5: 0x7A0F1FA20FD40C047B07379DA5290F2B
SHA-1: 0xE0FB8305DE6B661A747D849EDB77D95959186FCA
(not available)
4 %System%\28463\DPBJ.002 2,536 bytes MD5: 0xD3B2ED656CD80D534A84EA820B06E5CF
SHA-1: 0xBD7E2118DBEFCE926195CA3484B181B3FE8691ED
(not available)
5 %System%\28463\DPBJ.006 8,192 bytes MD5: 0x35B24C473BDCDB4411E326C6C437E8ED
SHA-1: 0xEC1055365BC2A66E52DE2D66D24D742863C1CE3D
Spyware.Ardakey [Symantec]
not-a-virus:Monitor.Win32.Ardamax.mh [Kaspersky Lab]
Keylog-Ardamax.dll [McAfee]
MonitoringTool:Win32/Ardamax [Microsoft]
MonitoringTool [Ikarus]
6 %System%\28463\DPBJ.007 5,632 bytes MD5: 0xA8E19DE6669E831956049685225058A8
SHA-1: 0x6D2546D49D92B18591AD4FEDBC92626686E7E979
Spyware.Ardakey [Symantec]
not-a-virus:Monitor.Win32.Ardamax.o [Kaspersky Lab]
Keylog-Ardamax.dll [McAfee]
MonitoringTool:Win32/Ardamax [Microsoft]
Virus.Win32.Ardamax.GG [Ikarus]
7 %System%\28463\DPBJ.009 1,025,550 bytes MD5: 0xA6F85747D6211D12A6D47330D292E53E
SHA-1: 0x756702224CBCD4CEE99CCE5DED4BE21256B4CBFB
(not available)
8 %System%\28463\DPBJ.exe 662,016 bytes MD5: 0xB863A9AC3BCDCDE2FD7408944D5BF976
SHA-1: 0x4BD106CD9AEFDF2B51F91079760855E04F73F3B0
Spyware.Ardakey [Symantec]
not-a-virus:Monitor.Win32.Ardamax.cdx [Kaspersky Lab]
Keylog-Ardamax [McAfee]
Mal/Generic-L [Sophos]
MonitoringTool:Win32/Ardamax [Microsoft]
Virus.Win32.Ardamax.CI [Ikarus]
Win-Trojan/Ardamax.662016.B [AhnLab]
9 %System%\28463\key.bin 106 bytes MD5: 0x639D75AB6799987DFF4F0CF79FA70C76
SHA-1: 0xBE2678476D07F78BB81E8813C9EE2BFFF7CC7EFB
(not available)
10 [file and pathname of the sample #1] 802,724 bytes MD5: 0xE33AF9E602CBB7AC3634C2608150DD18
SHA-1: 0x8F6EC9BC137822BC1DDF439C35FEDC3B847CE3FE
Suspicious.MH690 [Symantec]
Trojan-Spy.Win32.Ardamax.cko [Kaspersky Lab]
Spy-Agent.cv [McAfee]
TSPY_ARDAMAX.HR [Trend Micro]
TrojanSpy:Win32/Ardamax.AE [Microsoft]
Trojan-Spy.Win32.Ardamax [Ikarus]
Dropper/Downloader.817294 [AhnLab]

 

Memory Modifications

Process NameProcess FilenameMain Module Size
[filename of the sample #1][file and pathname of the sample #1]32,768 bytes
dpbj.exe%System%\28463\dpbj.exe913,408 bytes

Process NameMain Module Size
DPBJ.exe913,408 bytes

 

Registry Modifications

 

Other details

Remote HostPort Number
smtp.mail.yahoo.com587

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2017 ThreatExpert. All rights reserved.