nullmixer

General

Target

c061f6c696cde2214e0425839ae84f84
Size

2.6MB
Sample

231228-d4mn9afcf7
MD5

c061f6c696cde2214e0425839ae84f84
SHA1

907c23a4e0aed6b887e0f7c8b16e1b4f82d1f340
SHA256

d520edc59c5aee94806782d012efa7e0f905e90ce4e177f14cd612e7b8bb17ba
SHA512

c0dc8dc9e5569d0db1ac6c9ac084599111f16b60cf39c230c791327304c5452df6036dbc9f0564c05a283ba369cefb87daad3714029caa4a021b94e6d88eabd6
SSDEEP

49152:xcBxPkZVi7iKiF8cUvFyP2jckAjxt3htaPkvAesMMOZEwJ84vLRaBtIl9mT+Pep:xRri7ixZUvFyPScjVt4j/hCvLUBsKv

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://razino.xyz/

Extracted

Family

vidar

Version

39.7

Botnet

933

C2

https://shpak125.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Targets

- Target
  
  c061f6c696cde2214e0425839ae84f84
- Size
  
  2.6MB
- MD5
  
  c061f6c696cde2214e0425839ae84f84
- SHA1
  
  907c23a4e0aed6b887e0f7c8b16e1b4f82d1f340
- SHA256
  
  d520edc59c5aee94806782d012efa7e0f905e90ce4e177f14cd612e7b8bb17ba
- SHA512
  
  c0dc8dc9e5569d0db1ac6c9ac084599111f16b60cf39c230c791327304c5452df6036dbc9f0564c05a283ba369cefb87daad3714029caa4a021b94e6d88eabd6
- SSDEEP
  
  49152:xcBxPkZVi7iKiF8cUvFyP2jckAjxt3htaPkvAesMMOZEwJ84vLRaBtIl9mT+Pep:xRri7ixZUvFyPScjVt4j/hCvLUBsKv
Score

10^/10

nullmixer smokeloader vidar 933 pub5 aspackv2 backdoor dropper stealer trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

SmokeLoader

Vidar

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2