nullmixer | 91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9

General

Target

ab82200859c0dd239561d9befa438267.exe
Size

3.2MB
MD5

ab82200859c0dd239561d9befa438267
SHA1

226d8a156cd89db03dbf16edd5a4986ba5a0d559
SHA256

91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
SHA512

87a7d321be8929e6cef6b2868040b10c348e973672707bafbb5c2e116f6396e2acf037b0728c25acaa1f5f185dd732c3415928a3897b54c0e7acf9191753dc04
SSDEEP

98304:xKri7ixZUvFyPxtWfX4MtZgP12nCvLUBsKaOJr:xKuWx+oPxtWv4Mt6P1dLUCKxB

Score

10^/10

nullmixer smokeloader vidar 933 pub5 aspackv2 backdoor dropper stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

nullmixer

C2

http://sokiran.xyz/

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4508-132-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2704-150-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1568-104-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar
behavioral2/memory/1568-103-0x0000000000980000-0x0000000000A1D000-memory.dmp	family_vidar
behavioral2/memory/1568-157-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\setup_install.exe	aspack_v212_v242

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4508-132-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4508-128-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2704-150-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2704-144-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ipinfo.io
11 ipinfo.io
12 ip-api.com
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process

4220 3364 WerFault.exe
2252 4200 WerFault.exe
2876 1568 WerFault.exe sonia_3.exe
3784 1564 WerFault.exe sonia_2.exe

flow	ioc
10	ipinfo.io
11	ipinfo.io
12	ip-api.com

pid	pid_target	process
4220	3364	WerFault.exe
2252	4200	WerFault.exe
2876	1568	WerFault.exe	sonia_3.exe
3784	1564	WerFault.exe	sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\ab82200859c0dd239561d9befa438267.exe
"C:\Users\Admin\AppData\Local\Temp\ab82200859c0dd239561d9befa438267.exe"
1⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_8.exe
1⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_8.exe
sonia_8.exe
2⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_4.exe
sonia_4.exe
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 460
1⤵
- Program crash
PID:4220

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_1.exe" -a
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 608
1⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4200 -ip 4200
1⤵
PID:3036

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:4200

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3364 -ip 3364
1⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_1.exe
sonia_1.exe
1⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_6.exe
sonia_6.exe
1⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_7.exe
sonia_7.exe
1⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_3.exe
sonia_3.exe
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1804
2⤵
- Program crash
PID:2876

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_2.exe
sonia_2.exe
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 396
2⤵
- Program crash
PID:3784

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\sonia_5.exe
sonia_5.exe
1⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
1⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
1⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
1⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
1⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
1⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
1⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1568 -ip 1568
1⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\setup_install.exe"
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1564 -ip 1564
1⤵
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\setup_install.exe
Filesize
86KB

MD5
2c39e05c474c7c6b7acafa569b95fef6

SHA1
d17988d218e57e52be4aec4a48625d0085914d82

SHA256
66210e1b825ff6f21d47dfd8eb84ef3c5e8f4d54781cf37cea4ff66b97c449a1

SHA512
4419ac9aa73060f5034750ea2563dcf2a2027363c71029a427e7f44eecd8dbad789ea660552e74809a12b50c0d858282c40a35775ca4593e6936c24e849e72ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\setup_install.exe
Filesize
57KB

MD5
4f853054c25be715787d85951bfaeff3

SHA1
75b3254dcada135a883f9b62b4a47f209243f17f

SHA256
67047aec9a41b8a9133075c94e561e1c6d85813527622987172a44b26d510a86

SHA512
5d908005db8716288fe3c7afc010ddb4e28d7c159dfd7e5d706c7d5dd99fdff473a0abfd56f760311a79dfa76492f0cdf10bc8b328f5ccbd0ea1d029df491d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA1B3317\setup_install.exe
Filesize
287KB

MD5
95b9217ecfa6c0c46dd861fe3ef0d12b

SHA1
b6445601f4d383ed59e21e52f9cbc6b61d2b60dd

SHA256
b584a09e66bcf3347a1c69fbfbf4c5b2ba59e5aba84dcfec61823b8d374610d6

SHA512
765179fba93f7211189197a636ee535509d6088328ba4a061a2ead6c0812228f75e20bdd0b715e81ff1e475078f92f4fe63065bcbd9f8e62933f960e9e41a466

Download Submit
memory/1564-162-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/1564-116-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/1564-117-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1564-120-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/1568-157-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1568-103-0x0000000000980000-0x0000000000A1D000-memory.dmp

Filesize
628KB

Download
memory/1568-104-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1568-102-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/1708-100-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/1708-93-0x0000000002F00000-0x0000000002F06000-memory.dmp

Filesize
24KB

Download
memory/1708-96-0x000000001BCD0000-0x000000001BCE0000-memory.dmp

Filesize
64KB

Download
memory/1708-85-0x0000000000F70000-0x0000000000FAE000-memory.dmp

Filesize
248KB

Download
memory/1708-86-0x00007FFFD6670000-0x00007FFFD7131000-memory.dmp

Filesize
10.8MB

Download
memory/1708-140-0x00007FFFD6670000-0x00007FFFD7131000-memory.dmp

Filesize
10.8MB

Download
memory/1708-98-0x0000000002F10000-0x0000000002F3C000-memory.dmp

Filesize
176KB

Download
memory/2704-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-150-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3364-66-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3364-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3364-34-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3364-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3364-112-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3364-110-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3364-109-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3364-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3364-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3364-121-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3364-118-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3364-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3364-119-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3364-122-0x0000000000F50000-0x0000000000FDF000-memory.dmp

Filesize
572KB

Download
memory/3364-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3364-53-0x0000000000F50000-0x0000000000FDF000-memory.dmp

Filesize
572KB

Download
memory/3364-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3364-65-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3364-64-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3364-63-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3364-62-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3364-61-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3364-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3364-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3364-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3364-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3364-56-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3444-159-0x0000000002650000-0x0000000002665000-memory.dmp

Filesize
84KB

Download
memory/4416-91-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/4416-164-0x00007FFFD6670000-0x00007FFFD7131000-memory.dmp

Filesize
10.8MB

Download
memory/4416-163-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/4416-89-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/4416-94-0x00007FFFD6670000-0x00007FFFD7131000-memory.dmp

Filesize
10.8MB

Download
memory/4508-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4508-132-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5088-134-0x00007FFFD6670000-0x00007FFFD7131000-memory.dmp

Filesize
10.8MB

Download
memory/5088-97-0x0000000002150000-0x000000000217C000-memory.dmp

Filesize
176KB

Download
memory/5088-92-0x0000000002140000-0x0000000002146000-memory.dmp

Filesize
24KB

Download
memory/5088-87-0x00000000000A0000-0x00000000000DE000-memory.dmp

Filesize
248KB

Download
memory/5088-95-0x000000001ACD0000-0x000000001ACE0000-memory.dmp

Filesize
64KB

Download
memory/5088-90-0x00007FFFD6670000-0x00007FFFD7131000-memory.dmp

Filesize
10.8MB

Download
memory/5088-99-0x000000001AB70000-0x000000001AB76000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads