nullmixer | 318c2194ae43ddccf9ccf21d07087c6059683d3aba0d04f4fd720d503095950d

Analysis

max time kernel
0s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5164f044f2c3a2cc01b2448bc0eb8a.exe
Size

2.6MB
MD5

1b5164f044f2c3a2cc01b2448bc0eb8a
SHA1

d1b28f3d20560aa3ae207843b2605d53f645247e
SHA256

318c2194ae43ddccf9ccf21d07087c6059683d3aba0d04f4fd720d503095950d
SHA512

4ad85a2b6b4591ac690a16f778e38a514470fb078948b974e525b0388abc316df75add8df3b02016adae44918450fa9762d2e1887ccf6c64b5bdda10085b056f
SSDEEP

49152:EgBtIhtz0tHnR8mxEYh4YkoVZCiMDf4j/Ee3O9ilydBFgabowS9c/aA:JBt2tzcKmy04K4y/9BydBXokSA

Score

10^/10

nullmixer smokeloader vidar 933 pub5 aspackv2 backdoor dropper stealer trojan

Malware Config

Extracted

Family

nullmixer

http://lotzini.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.7

Botnet

933

https://shpak125.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2260	rUNdlL32.eXe	24

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/2992-158-0x0000000002BD0000-0x0000000002C6D000-memory.dmp	family_vidar
behavioral1/memory/2992-159-0x0000000000400000-0x0000000002BCA000-memory.dmp	family_vidar
behavioral1/memory/2992-233-0x0000000000400000-0x0000000002BCA000-memory.dmp	family_vidar

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000600000001448a-45.dat	aspack_v212_v242
behavioral1/files/0x000600000001448a-40.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1828	setup_installer.exe

Loads dropped DLL 4 IoCs

pid	Process
2548	1b5164f044f2c3a2cc01b2448bc0eb8a.exe
1828	setup_installer.exe
1828	setup_installer.exe
1828	setup_installer.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.116.193.219
Destination IP	185.116.193.219
Destination IP	185.116.193.219
Destination IP	185.116.193.219

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
8	ipinfo.io
28	api.db-ip.com
31	api.db-ip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2144	2600	WerFault.exe
1996	2992	WerFault.exe	29

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1828	2548	1b5164f044f2c3a2cc01b2448bc0eb8a.exe	45
PID 2548 wrote to memory of 1828	2548	1b5164f044f2c3a2cc01b2448bc0eb8a.exe	45
PID 2548 wrote to memory of 1828	2548	1b5164f044f2c3a2cc01b2448bc0eb8a.exe	45
PID 2548 wrote to memory of 1828	2548	1b5164f044f2c3a2cc01b2448bc0eb8a.exe	45
PID 2548 wrote to memory of 1828	2548	1b5164f044f2c3a2cc01b2448bc0eb8a.exe	45
PID 2548 wrote to memory of 1828	2548	1b5164f044f2c3a2cc01b2448bc0eb8a.exe	45
PID 2548 wrote to memory of 1828	2548	1b5164f044f2c3a2cc01b2448bc0eb8a.exe	45

C:\Users\Admin\AppData\Local\Temp\1b5164f044f2c3a2cc01b2448bc0eb8a.exe
"C:\Users\Admin\AppData\Local\Temp\1b5164f044f2c3a2cc01b2448bc0eb8a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_7.exe
  sahiba_7.exe
  2⤵
  PID:2760

C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_1.exe" -a
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 408
1⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:628

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:1092

C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_3.exe
sahiba_3.exe
1⤵
PID:2992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 932
  2⤵
  - Program crash
  PID:1996

C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_6.exe
sahiba_6.exe
1⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_1.exe
sahiba_1.exe
1⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_5.exe
sahiba_5.exe
1⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_4.exe
sahiba_4.exe
1⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\7zS42752626\sahiba_2.exe
sahiba_2.exe
1⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
1⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
1⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
1⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
1⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
1⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
1⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\7zS42752626\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS42752626\setup_install.exe"
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS42752626\setup_install.exe

Filesize
287KB

MD5
b107ead1f6283a5015291f05a95e2925

SHA1
2ccdbe2634ac6df52d3d92c3cbf050b1eba6a039

SHA256
9d8516a59bc0e5dc78c032ae2ab2133eaa17055e76805d036df85c9384d542e9

SHA512
d9dea1e930273896a7a87f81b9e1282064f8f620d3438d59136f59b4d7383430fc1c959184f1b4ae7d872573b97e423858ad3ec976a26bc09caeaa549ce7456a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
92KB

MD5
d772d6902200f5d4599a9b27d0d8f9e6

SHA1
564eefb3fabe655b2fb51f492959b158cb20e12d

SHA256
7bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17

SHA512
6682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36

Download Submit
\Users\Admin\AppData\Local\Temp\7zS42752626\setup_install.exe

Filesize
92KB

MD5
5044ea78f1dd8a2de2b258641bc6bd67

SHA1
7b31b1bb312ea4537e435d05767b9e7ef9d0ec84

SHA256
0b227ac37c9d88683743327227ef6ab39d1b1b27873458f34caf288ab25730a3

SHA512
ad96d8787b7ae3887c5bc9eab5b354daf8e9302477ea0c96ed1090393544ab577a96952a5bedfb5577e60cf69429e8c6b17f1223ee915d3c12af51b3c27b9eff

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
2.4MB

MD5
582f8463e84bfad35941fadc41066b8e

SHA1
ed67a80ae56d15ff501c4a9e3c296206db12535f

SHA256
45201558ce4d5cb619357520a466524ecd55e6b4427b21d72b12feb4bfe0ef47

SHA512
b466d13461bdd624ff3af46074471b36059122dd7289f2ed918fe99320936778cfc98fddd360e7d95600ba4c900a2b378914bbc581251831ddf04011c32d52f8

Download Submit
memory/628-147-0x0000000000760000-0x00000000007BD000-memory.dmp

Filesize
372KB

Download
memory/628-146-0x0000000002080000-0x0000000002181000-memory.dmp

Filesize
1.0MB

Download
memory/784-145-0x0000000000060000-0x00000000000AC000-memory.dmp

Filesize
304KB

Download
memory/784-160-0x0000000000510000-0x0000000000581000-memory.dmp

Filesize
452KB

Download
memory/784-362-0x0000000000510000-0x0000000000581000-memory.dmp

Filesize
452KB

Download
memory/784-390-0x0000000000510000-0x0000000000581000-memory.dmp

Filesize
452KB

Download
memory/784-165-0x0000000000510000-0x0000000000581000-memory.dmp

Filesize
452KB

Download
memory/784-148-0x0000000000510000-0x0000000000581000-memory.dmp

Filesize
452KB

Download
memory/872-142-0x00000000013B0000-0x0000000001421000-memory.dmp

Filesize
452KB

Download
memory/872-363-0x0000000000CE0000-0x0000000000D2C000-memory.dmp

Filesize
304KB

Download
memory/872-144-0x0000000000CE0000-0x0000000000D2C000-memory.dmp

Filesize
304KB

Download
memory/872-161-0x0000000000CE0000-0x0000000000D2C000-memory.dmp

Filesize
304KB

Download
memory/872-162-0x00000000013B0000-0x0000000001421000-memory.dmp

Filesize
452KB

Download
memory/872-140-0x0000000000CE0000-0x0000000000D2C000-memory.dmp

Filesize
304KB

Download
memory/1160-155-0x000000001B180000-0x000000001B200000-memory.dmp

Filesize
512KB

Download
memory/1160-151-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1160-122-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/1160-268-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1160-359-0x000000001B180000-0x000000001B200000-memory.dmp

Filesize
512KB

Download
memory/1204-202-0x0000000002D90000-0x0000000002DA5000-memory.dmp

Filesize
84KB

Download
memory/1408-153-0x0000000000270000-0x0000000000279000-memory.dmp

Filesize
36KB

Download
memory/1408-163-0x0000000002C70000-0x0000000002D70000-memory.dmp

Filesize
1024KB

Download
memory/1408-203-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/1408-154-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/1828-49-0x0000000002FD0000-0x00000000030EE000-memory.dmp

Filesize
1.1MB

Download
memory/1828-47-0x0000000002FD0000-0x00000000030EE000-memory.dmp

Filesize
1.1MB

Download
memory/2600-52-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2600-228-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2600-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2600-87-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2600-86-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2600-85-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2600-84-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2600-81-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2600-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2600-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2600-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2600-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2600-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2600-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2600-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2600-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2600-56-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2600-70-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2600-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2600-78-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2600-227-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2600-230-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2600-231-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2600-82-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2600-229-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2600-232-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2652-156-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/2652-136-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2652-138-0x00000000003E0000-0x000000000040C000-memory.dmp

Filesize
176KB

Download
memory/2652-124-0x00000000000E0000-0x000000000011E000-memory.dmp

Filesize
248KB

Download
memory/2652-382-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-141-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/2652-358-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-360-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/2652-152-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-158-0x0000000002BD0000-0x0000000002C6D000-memory.dmp

Filesize
628KB

Download
memory/2992-159-0x0000000000400000-0x0000000002BCA000-memory.dmp

Filesize
39.8MB

Download
memory/2992-361-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download
memory/2992-233-0x0000000000400000-0x0000000002BCA000-memory.dmp

Filesize
39.8MB

Download
memory/2992-157-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads