nullmixer | 7e85e9eea33b5c3576d801f9206cba0132f81e569c31e0f76f0ba9229b50b083

Analysis

max time kernel
0s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b174fea183b59e9fd82bbbf4d6ca51a.exe
Size

3.9MB
MD5

0b174fea183b59e9fd82bbbf4d6ca51a
SHA1

d3a5217af89a4144b292798fe35b81981f16f640
SHA256

7e85e9eea33b5c3576d801f9206cba0132f81e569c31e0f76f0ba9229b50b083
SHA512

6359c2dd3d33a519831d05ec058e3caaba6de4be2911ad1e519412e04d1d1ec537b07add719f366b4fa6936187a3e10c268e307fceca5eaaaa7278198085cd75
SSDEEP

98304:xDCvLUBsgUtB/0xIOUg2im1HKHSCK85OXovU/FqL:x4LUCgQZ0mS2im1qSZaFUc

Score

10^/10

nullmixer smokeloader vidar 706 pub5 agilenet aspackv2 backdoor dropper stealer trojan upx

Malware Config

Extracted

Family

nullmixer

http://razino.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.3

Botnet

706

https://bandakere.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/memory/2952-154-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3180-184-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/1272-167-0x0000000002900000-0x0000000002997000-memory.dmp	family_vidar
behavioral2/memory/1272-173-0x0000000000400000-0x0000000000C68000-memory.dmp	family_vidar
behavioral2/memory/1272-191-0x0000000000400000-0x0000000000C68000-memory.dmp	family_vidar
behavioral2/memory/1272-203-0x0000000002900000-0x0000000002997000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000002320f-28.dat	aspack_v212_v242
behavioral2/files/0x00070000000231f4-34.dat	aspack_v212_v242
behavioral2/files/0x000600000002320f-33.dat	aspack_v212_v242

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4936-101-0x00000000003C0000-0x00000000004CE000-memory.dmp	agile_net

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2952-154-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3180-184-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3180-178-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3996	976	WerFault.exe
1876	4016	WerFault.exe
4656	3816	WerFault.exe	40
4400	1272	WerFault.exe	36
1736	3172	WerFault.exe	141

C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe
"C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe"
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe"
  2⤵
  PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_2.exe
1⤵
PID:1604
- C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_2.exe
  metina_2.exe
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 396
    3⤵
    - Program crash
    PID:4656

C:\Users\Admin\AppData\Local\Temp\is-JT5M1.tmp\metina_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JT5M1.tmp\metina_5.tmp" /SL5="$8005E,189670,105984,C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_5.exe"
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 460
1⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 976 -ip 976
1⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4016 -ip 4016
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 600
1⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init
1⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe"
  2⤵
  PID:2680

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_3.exe
metina_3.exe
1⤵
PID:1272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1040
  2⤵
  - Program crash
  PID:4400

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_5.exe
metina_5.exe
1⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_7.exe
metina_7.exe
1⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_6.exe
metina_6.exe
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_4.exe
metina_4.exe
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:3180

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_1.exe
metina_1.exe
1⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_7.exe
1⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_6.exe
1⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_5.exe
1⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_4.exe
1⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_3.exe
1⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_1.exe
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3816 -ip 3816
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1272 -ip 1272
1⤵
PID:3624

C:\Users\Admin\AppData\Roaming\urvwhgw
C:\Users\Admin\AppData\Roaming\urvwhgw
1⤵
PID:3172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 408
  2⤵
  - Program crash
  PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3172 -ip 3172
1⤵
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe

Filesize
290KB

MD5
af41d6d43df35d8c831695e584169a71

SHA1
bb8d6f081e93d2860ce62fabefbe9cdf80ebf06e

SHA256
cbab323219211a8bb57f5b0ee9bdd97b45724c61da8b842f02174ed87f908141

SHA512
5fce8bb65d14ca38178ac1cf9ba7d012a2e64b7af9ae3c6cf31b6cf7be44708474b9381da50cb9c9eea9a4b0429eb4b2e280afba0424b6f5ef0a26379221af9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe

Filesize
92KB

MD5
66e4d85d4ca9857cf96683f0a03956a1

SHA1
658d0f967a411314dc5e0f8d8da583c611eca53c

SHA256
f58ea6ce680f31fb59c3b69588e6be86a400e6963782a8466cb62b92e5304d73

SHA512
c20f28cc43720694338fba1f12e2a68ac80ad669b960b337c502a9c4765c184a466a2da474e0181da081c97ea54f9c3aea59cdb66bbe0d6e7d455be62ce5835e

Download Submit
memory/760-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/976-61-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/976-146-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/976-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/976-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/976-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/976-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/976-32-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/976-159-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/976-60-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/976-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/976-62-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/976-63-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/976-145-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/976-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/976-64-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/976-59-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/976-155-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/976-150-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/976-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/976-147-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/976-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/976-51-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/976-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/976-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/976-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/976-40-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/976-46-0x0000000000760000-0x00000000007EF000-memory.dmp

Filesize
572KB

Download
memory/1272-167-0x0000000002900000-0x0000000002997000-memory.dmp

Filesize
604KB

Download
memory/1272-166-0x0000000000E10000-0x0000000000F10000-memory.dmp

Filesize
1024KB

Download
memory/1272-173-0x0000000000400000-0x0000000000C68000-memory.dmp

Filesize
8.4MB

Download
memory/1272-191-0x0000000000400000-0x0000000000C68000-memory.dmp

Filesize
8.4MB

Download
memory/1272-203-0x0000000002900000-0x0000000002997000-memory.dmp

Filesize
604KB

Download
memory/2680-218-0x0000000005380000-0x00000000053BC000-memory.dmp

Filesize
240KB

Download
memory/2680-219-0x00000000053C0000-0x000000000540C000-memory.dmp

Filesize
304KB

Download
memory/2680-217-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/2680-220-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/2680-216-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2680-231-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/2680-215-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/2680-214-0x00000000058E0000-0x0000000005EF8000-memory.dmp

Filesize
6.1MB

Download
memory/2680-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2680-236-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2840-163-0x00007FFC51190000-0x00007FFC51C51000-memory.dmp

Filesize
10.8MB

Download
memory/2840-90-0x00007FFC51190000-0x00007FFC51C51000-memory.dmp

Filesize
10.8MB

Download
memory/2840-81-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2840-95-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2952-154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3172-230-0x0000000000400000-0x0000000000C0F000-memory.dmp

Filesize
8.1MB

Download
memory/3172-235-0x0000000000400000-0x0000000000C0F000-memory.dmp

Filesize
8.1MB

Download
memory/3172-229-0x0000000000E60000-0x0000000000F60000-memory.dmp

Filesize
1024KB

Download
memory/3180-178-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3180-184-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3428-185-0x00000000029F0000-0x0000000002A06000-memory.dmp

Filesize
88KB

Download
memory/3428-232-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/3816-189-0x0000000000C90000-0x0000000000C99000-memory.dmp

Filesize
36KB

Download
memory/3816-188-0x0000000000400000-0x0000000000C0F000-memory.dmp

Filesize
8.1MB

Download
memory/3816-164-0x0000000000D20000-0x0000000000E20000-memory.dmp

Filesize
1024KB

Download
memory/3816-165-0x0000000000C90000-0x0000000000C99000-memory.dmp

Filesize
36KB

Download
memory/3816-172-0x0000000000400000-0x0000000000C0F000-memory.dmp

Filesize
8.1MB

Download
memory/4320-131-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4320-111-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4936-208-0x0000000008B40000-0x0000000008B78000-memory.dmp

Filesize
224KB

Download
memory/4936-121-0x0000000072110000-0x0000000072199000-memory.dmp

Filesize
548KB

Download
memory/4936-113-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/4936-134-0x0000000005DA0000-0x0000000005DC6000-memory.dmp

Filesize
152KB

Download
memory/4936-130-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/4936-122-0x0000000005AF0000-0x0000000005B8C000-memory.dmp

Filesize
624KB

Download
memory/4936-213-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/4936-114-0x0000000004E70000-0x00000000051C4000-memory.dmp

Filesize
3.3MB

Download
memory/4936-207-0x0000000006340000-0x00000000063BA000-memory.dmp

Filesize
488KB

Download
memory/4936-192-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/4936-102-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4936-112-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/4936-101-0x00000000003C0000-0x00000000004CE000-memory.dmp

Filesize
1.1MB

Download
memory/4936-100-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads