{
	"id": "596c654a-cc28-4b30-9927-8dfba50616ce",
	"created_at": "2026-04-06T01:32:31.632091Z",
	"updated_at": "2026-04-10T03:20:57.342488Z",
	"deleted_at": null,
	"sha1_hash": "0e7620b39feacf3ff687306240ed85c96fcf61bd",
	"title": "Dissecting Ardamax Keylogger » TrainSec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1418707,
	"plain_text": "Dissecting Ardamax Keylogger » TrainSec\r\nBy Uriel Kosayev\r\nPublished: 2024-07-04 · Archived: 2026-04-06 00:28:48 UTC\r\nLast month, we decided to enrich our knowledge by researching a popular hacking tool. We chose one that had only been covered in the past: Ardamax Keylogger. In this blog post, we present the methods and operations we analyzed, including the key capabilities of the infection mechanism, and we cover what data is collected and how. In addition to the infection flow, we discovered a vulnerability in Ardamax Keylogger that may allow attackers to abuse the keylogger’s DLL loading mechanism.\r\nExecutive Summary\r\nThe Ardamax Keylogger developers have an official website that gives users the option to buy their product or only use it for a “test drive”.\r\nWe tried to find out when they first started, and the oldest sample we were able to gather was generated somewhere around 2013. These old versions are easily detected by existing AV engines; newer versions are still in question. From a quick overview of samples uploaded to VirusTotal, we noticed that the developers successfully evaded detection in most cases. The detection rates are not that great considering that Ardamax is a “noisy” keylogger with an extensive resume in the wild.\r\nWe analyzed dozens of samples, from all versions we were able to find, and discovered that the vast majority of them were vulnerable to the flaw we found.\r\nKill Chain\r\nThe infection kill chain comprises the following steps:\r\n1. Execution of the dropper Ardamax.exe, which drops several files, including a randomly named DLL, to the %temp% folder.\r\n2. The process Ardamax.exe loads the dropped DLL, which is used to drop the keylogger files under a hidden folder in the system folder.\r\n3. Finally, the keylogger DPBJ.exe is executed, logging keystrokes and capturing screenshots.\r\nhttps://trainsec.net/library/dissecting-ardamax-keylogger/\r\nPage 1 of 10\r\nArdamax Dropper\r\nFilename: Ardamax.exe\r\nSize: 784 KB\r\nMD5: E33AF9E602CBB7AC3634C2608150DD18\r\nSHA1: 8F6EC9BC137822BC1DDF439C35FEDC3B847CE3FE\r\nOnce a victim launches the dropper, Ardamax.exe executes its initial routine GetTemp_Path (sub_401230), which obtains the Windows %temp% path for later use, as shown in the following screenshot:\r\nLooking at the disassembly output from IDA, the GetTemp_Path function calls GetTempPathW to retrieve the system’s temporary folder.\r\nThe next routine calls CreateFileW. In this routine, Ardamax drops several files to the temp folder, including the randomly named DLL mentioned earlier.\r\nUsing Process Monitor, it is possible to see the randomly named DLL being written to the folder. In this case, the DLL filename is @F9CD.tmp:\r\nArdamax DLL\r\nFilename: [rand_name].tmp\r\nSize: 4 KB\r\nMD5: D73D89B1EA433724795B3D2B524F596C\r\nSHA1: 213514F48ECE9F074266B122EE2D06E842871C8C\r\nArdamax loads the randomly named DLL using LoadLibraryW.\r\nIf the DLL load is successful, the dropper calls GetProcAddress to resolve the address of the DLL’s sfx_main export.\r\nThe following screenshot illustrates the operation above in a dynamic execution flow:\r\nNext, the dropper gets a string containing the system directory, which is either System32 or SysWOW64, depending on the system architecture. 
Then, according to a hardcoded string, the dropper creates a hidden folder with the hardcoded name “28463” and copies several files into it. The batch of files includes DPBJ.exe, which is the actual keylogger.\r\nOnce all files are copied to the designated folder, the main file of the keylogger, dubbed DPBJ.exe, is executed with ShellExecuteW:\r\nThe list includes the following files:\r\nDPBJ.006 \u0026 DPBJ.007 – DLL files that are loaded by DPBJ.exe at runtime.\r\nDPBJ.exe – Keylogger’s main executable.\r\nkey.bin – Keylogger’s license serial key (still under research).\r\nOther files that did not seem interesting for our research purposes.\r\nUsing Process Monitor again, it is possible to track the behavior of the hacking tool and its use of the hidden folder. The screenshot below illustrates how the “DPBJ.exe” file is being called for execution:\r\nArdamax Keylogger\r\nFilename: DPBJ.exe\r\nSize: 646.5 KB\r\nMD5: B863A9AC3BCDCDE2FD7408944D5BF976\r\nSHA1: 4BD106CD9AEFDF2B51F91079760855E04F73F3B0\r\nAfter the keylogger is executed, it starts to collect the victim’s keystrokes and screenshots.\r\nIn the following routine, the SetWindowsHookEx function is used with an idHook of 2 (WH_KEYBOARD), which installs a hook that receives keystroke events and thus allows logging them:\r\nBelow, we can see the use of several WinAPI functions to capture screenshots at runtime:\r\nNext, we see that the captured screenshots are stored under C:\\Windows\\SysWOW64\\28463 with the naming format [Date_Hour].jpg:\r\nHere is an example of how the screenshots are stored under the hidden folder discussed earlier:\r\nThe interesting part here is that the keylogger (DPBJ.exe) loads 
DPBJ.006 and DPBJ.007, DLLs that call the WinAPI functions below:\r\nSetWindowsHookEx – Keystroke logging\r\nGetDesktopWindow – Screenshot taking and more\r\nThis can, in some way, make a researcher’s job harder when using dynamic tools, such as ProcMon, that have limited insight into the process’s behavior. Furthermore, it can also fool some sandbox solutions that try to intercept system calls to understand the malware’s behavior.\r\nWe can also see that a “DPBJ Agent” persistence entry is created under the following registry key:\r\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\r\nUsing Autoruns, it is possible to show the Agent’s registry path and the executable location:\r\nNote: New versions of the Ardamax keylogger have the same behavior in the system, only with a different persistence path. They drop the keylogger files into a randomly named folder under %ProgramData%, which is also a hidden folder by default:\r\nEventually, the keylogger tries to communicate with a Yahoo-based SMTP server, but the mailbox is unavailable:\r\nKeylogger Exploitation – DLL Hijacking\r\nAs we wrote earlier, “DPBJ.exe” loads DLLs with LoadLibraryW. In other words, it looks for specific DLL file names (in this case DPBJ.006 and DPBJ.007) and loads them:\r\nVulnerability\r\nThe lack of validation in the call to LoadLibraryW creates a possible backdoor in the generated executable. The DLL is loaded based on its name alone, so any third-party attacker can abuse this mechanism by crafting their own malicious DLL and replacing the original with the exact same name (“DPBJ.006”, in this example).\r\n
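The loading flaw described above, as an added example that is not part of the original post and not Ardamax code: a small Python model of the vulnerable pattern next to a hardened one. A file on disk stands in for the DLL image and reading it stands in for the LoadLibraryW call, so it runs anywhere without Windows; the vendor and attacker file contents, the temporary folder standing in for the hidden 28463 folder, and the pinned SHA-256 digest are all constructed for the demonstration.

```python
'''Model of the DLL-loading flaw: DPBJ.exe resolves DPBJ.006 / DPBJ.007 by
file name only, so whatever currently sits under that name gets loaded.
Added illustration, not Ardamax code and not a Windows loader: a file
stands in for the DLL image and reading it stands in for LoadLibraryW.'''
import hashlib
import hmac
import os
import tempfile


class IntegrityError(Exception):
    '''Raised when the module on disk does not match its pinned digest.'''


def load_by_name(app_dir, name):
    '''Vulnerable pattern: trust whatever file currently has this name.
    Mirrors a LoadLibraryW call on the bare name with no validation.'''
    with open(os.path.join(app_dir, name), 'rb') as f:
        return f.read()


def sha256_of(path):
    '''Streaming SHA-256 of a file, hex encoded.'''
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def load_verified(app_dir, name, pinned_sha256):
    '''Hardened pattern: refuse to load unless the image on disk matches a
    digest fixed at build/install time. A swapped DPBJ.006 fails here.'''
    path = os.path.join(app_dir, name)
    if not os.path.isfile(path):
        raise IntegrityError(f'{name} missing from {app_dir}')
    if not hmac.compare_digest(sha256_of(path), pinned_sha256):
        raise IntegrityError(f'{name} does not match pinned digest; refusing to load')
    with open(path, 'rb') as f:
        return f.read()


def demo():
    '''Plays the hijack out: the attacker overwrites DPBJ.006 in place.
    All file contents are constructed stand-ins, not real DLL bytes.'''
    vendor_dll = b'MZ original DPBJ.006 (constructed stand-in)'
    attacker_dll = b'MZ attacker payload (constructed stand-in)'
    with tempfile.TemporaryDirectory() as app_dir:  # stands in for the hidden 28463 folder
        path = os.path.join(app_dir, 'DPBJ.006')
        with open(path, 'wb') as f:
            f.write(vendor_dll)
        pinned = sha256_of(path)  # the digest a vendor would ship alongside the EXE
        loads_original = load_verified(app_dir, 'DPBJ.006', pinned) == vendor_dll

        with open(path, 'wb') as f:  # the attacker's in-place replacement, same name
            f.write(attacker_dll)
        unverified = load_by_name(app_dir, 'DPBJ.006')
        try:
            load_verified(app_dir, 'DPBJ.006', pinned)
            rejected = False
        except IntegrityError:
            rejected = True
    return {
        'verified_loads_original': loads_original,
        'unverified_loads_attacker': unverified == attacker_dll,
        'verified_rejects_swap': rejected,
    }


if __name__ == '__main__':
    print(demo())
```

Running demo() shows the two behaviours side by side: after the in-place swap, load_by_name returns the attacker's bytes, while load_verified refuses because the digest no longer matches the value pinned before the swap. The mitigation is an integrity check (hash or signature) on the module before it is loaded, not a change of search path: the replacement sits in the application's own folder under the exact expected name, so DLL search-order hardening alone would still pick it up.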
When DPBJ.exe is executed, it therefore loads the attacker’s crafted replacement DLL instead of the original.\r\nTo make it even more visual, we generated a PoC video showing a live detonation of the keylogger to get a reverse TCP shell on the victim system:\r\nNote: New versions of the Ardamax keylogger are also vulnerable to this attack, including the latest version, 5.1, which was released in February 2019.\r\nConclusion\r\nWe saw that the Ardamax Keylogger has existed in the wild for over 6 years now. Although it has been on the market for so long, secure coding practices were not part of the process, so it creates additional threats for infected victims. In addition, we saw a rather simple flow with features that are not unique enough to rate Ardamax as a strong offensive tool, but enough to evade some detections.\r\nIndicators of Compromise\r\nArdamax.exe – md5: E33AF9E602CBB7AC3634C2608150DD18\r\n[Rand Name].tmp – md5: D73D89B1EA433724795B3D2B524F596C\r\nDPBJ.exe – md5: B863A9AC3BCDCDE2FD7408944D5BF976\r\nRelated samples created recently\r\ncfd015112356dba7c4e81a6449e37e3d\r\na2b833052cb2743ec60f422f0e7bc185\r\n340b5cc3eb29cdabc4e9647dddc7dea6\r\nb0400b1bf445f8ad5aa978212b04ab94\r\ned866bf88b059caa4f73211ee62685ab\r\n21fd08a181b865e9b34db69590056dab\r\n83d597b8db70ccf56528a96c1aa48a22\r\n0ea2a4502f86f58fde206f7fe2f8d084\r\nd983a4f16933d3a9cee74283b7a5514b\r\na258f4a843decccf0e14026b8af4ffb3\r\n
c9c546f94488025839760d02514b979b\r\n0f94f7c7ee0e1966c1f3eea4b22a61fe\r\n73a3c61a7272485b9826fac769f0e95d\r\n6cbe9e7fd502e785b43c3e2ba1e66b7f\r\n6bf292ef5e463a40edc9ab4008c242b7\r\n4a57ce1565f05454e9b5a4a80d048865\r\n352e021537a6edfb9d5fa10084d43c96\r\nd49b103ecc47c5e619594dc9e623ff02\r\n568d70bc8109785fb50a92dbf1c173cc\r\n68a7db6168393d289982d3935b8e0f53\r\nSource: https://trainsec.net/library/dissecting-ardamax-keylogger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://trainsec.net/library/dissecting-ardamax-keylogger/"
	],
	"report_names": [
		"dissecting-ardamax-keylogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775439151,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e7620b39feacf3ff687306240ed85c96fcf61bd.pdf",
		"text": "https://archive.orkl.eu/0e7620b39feacf3ff687306240ed85c96fcf61bd.txt",
		"img": "https://archive.orkl.eu/0e7620b39feacf3ff687306240ed85c96fcf61bd.jpg"
	}
}