Trojan.MSIL.Mardom.SA

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 10,390
Threat Level: 80 % (High)
Infected Computers: 214
First Seen: September 13, 2023
Last Seen: September 28, 2025
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Mardom.SA
Signature status: No Signature

Known Samples

MD5: 2a2488ebaaa020afa9bb15873a46b55c
SHA1: f735e70bbae34464d38b776bdd245733af4fdb53
File Size: 2.32 MB, 2316033 bytes
MD5: 2dd0db83ed96ba73a8e7b492757a4db7
SHA1: 4bdc14483ace76b7370592a5620d405694355759
File Size: 1.96 MB, 1959936 bytes
MD5: 427408e3f0082d034f24e6a7cc8aeb3b
SHA1: de0cc722c9c6d309ffe01302846c781fa63066ea
File Size: 1.96 MB, 1959424 bytes
MD5: ea73b20ae0c740859ed79d1f70068b17
SHA1: 68ed76706222a7e3a66b6be97cf6a74231b0f59b
SHA256: 57231AD43F7FDFAA57CF96A4B3E6A0983B81CAC3800DED46436AB33F7BFF0004
File Size: 1.92 MB, 1916928 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name               Value
File Version       1.2.7.1277
Internal Name      SpotifyStartupTask
Legal Copyright    Copyright (c) 2023, Spotify Ltd
Original Filename  SpotifyStartupTask.exe
Product Version    1.2.7.1277

File Traits

  • .NET
  • GenKrypt
  • HighEntropy
  • Reactor
  • Reflective
  • RijndaelManaged
  • x86

Block Information

Total Blocks: 400
Potentially Malicious Blocks: 4
Whitelisted Blocks: 347
Unknown Blocks: 49

Visual Map

0 ? 0 0 0 0 0 0 ? 0 ? 0 0 ? 0 0 0 0 0 0 ? ? x 0 0 0 0 ? 0 0 0 ? ? ? ? ? 0 0 ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? 0 0 ? ? ? ? ? ? 0 x 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 0 0 0 0 ? ? x ? x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.AKM
  • MSIL.Agent.ONF
  • MSIL.Agent.ONO
  • MSIL.AgentTesla.PH
  • MSIL.ClipBanker.TJ
  • MSIL.Mardom.SA
  • MSIL.Mardom.SC
  • MSIL.Mardom.U
  • MSIL.Stealer.RACB
  • MSIL.Stealer.RACC

Files Modified

File | Attributes
c:\users\user\appdata\local\temp\soundpad | Synchronize, Write Attributes
c:\users\user\appdata\local\temp\soundpad\__tmp_rar_sfx_access_check_316937 | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\users\user\appdata\local\temp\soundpad\iikoxwk11lycn5magkwecalmxv.vbe | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\soundpad\iikoxwk11lycn5magkwecalmxv.vbe | Synchronize, Write Attributes
c:\users\user\appdata\local\temp\soundpad\o9cyujhdcgnyvqnfvfaclb44ygu6fizgl0qv4hmotqm9krefgei6az.bat | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\soundpad\o9cyujhdcgnyvqnfvfaclb44ygu6fizgl0qv4hmotqm9krefgei6az.bat | Synchronize, Write Attributes
c:\users\user\appdata\local\temp\soundpad\soundpadhelper.exe | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\soundpad\soundpadhelper.exe | Synchronize, Write Attributes
c:\users\user\desktop\jklmchif.log | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete

Registry Modifications

Key::Value | Data | API Name
HKCU\software\microsoft\windows\currentversion\applicationassociationtoasts::vbefile_.vbe | | RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\muicache::c:\windows\system32\wscript.exe.friendlyappname | Microsoft ® Windows Based Script Host | RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\muicache::c:\windows\system32\wscript.exe.applicationcompany | Microsoft Corporation | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • ShellExecuteEx
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTransaction
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
Other Suspicious
  • AdjustTokenPrivileges
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext

Shell Command Execution

(NULL) C:\Users\Kuwrzmjw\AppData\Local\Temp\SoundPad\iIkoXWk11lYCn5MAGkWeCalMxv.vbe