General
-
Target
SecuriteInfo.com.Trojan.Mardom.MN.24.28876.20696.exe
-
Size
589KB
-
Sample
220920-mchewsgcen
-
MD5
1cce66219ac8c0def60f5a3c23d02f42
-
SHA1
c9c99c1e25835e3688f30adb6fe0f85e564f4d74
-
SHA256
47fe8af42f4b7360f7d6dcd89b161c1bec308d6598c17262d8bf234e1871b39a
-
SHA512
098484fba05b902c0747580693ea8c33bd15af605d67c3f50d1c114e060c8eff31a7e0fe43bff7d310e2692764bd6a30137fd0006bad6e8f1dc55daffbf190dc
-
SSDEEP
12288:dH5hE7rJpAEHrcQE05VZaCs8tAu+WCwUQzCHnQPz44aqMZeoW0rgm9MtBImQrwFo:ROzGavOLzHKmaX4
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.Mardom.MN.24.28876.20696.exe
Resource
win7-20220812-en
Malware Config
Extracted
netwire
iphanyi.edns.biz:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
RDP_SEPT_2022
-
install_path
%AppData%\Install\Host.exe
-
lock_executable
false
-
offline_keylogger
false
-
password
caster123
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
SecuriteInfo.com.Trojan.Mardom.MN.24.28876.20696.exe
-
Size
589KB
-
MD5
1cce66219ac8c0def60f5a3c23d02f42
-
SHA1
c9c99c1e25835e3688f30adb6fe0f85e564f4d74
-
SHA256
47fe8af42f4b7360f7d6dcd89b161c1bec308d6598c17262d8bf234e1871b39a
-
SHA512
098484fba05b902c0747580693ea8c33bd15af605d67c3f50d1c114e060c8eff31a7e0fe43bff7d310e2692764bd6a30137fd0006bad6e8f1dc55daffbf190dc
-
SSDEEP
12288:dH5hE7rJpAEHrcQE05VZaCs8tAu+WCwUQzCHnQPz44aqMZeoW0rgm9MtBImQrwFo:ROzGavOLzHKmaX4
-
NetWire RAT payload
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-