nullmixer | 52d2303ef0ca3af61a62ab3041abdd1782189394a97777c7d5d9b488b85f1cdd

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28048a470181ea26c44efccc5613248d.exe
Size

4.4MB
MD5

28048a470181ea26c44efccc5613248d
SHA1

ecf49125ae5fbab3046a36550c7e46074acbfdb2
SHA256

52d2303ef0ca3af61a62ab3041abdd1782189394a97777c7d5d9b488b85f1cdd
SHA512

142e2b907d235d1d94d8133be70d475b1aa147c18c89a40433e4e13e78c8241b1c84a9d614be535febbb3c7ec5fe4731c681048faed6a38fa18c232829898c9d
SSDEEP

98304:yuROg/xvMXxNE+yK7cRAMM3mLwhd9Rb050ldg+nmJbeLMYBHSAkUBIi2:yuRb/xArEKwyMM38wtR450Dg+mVAHS2S

Score

10^/10

nullmixer redline sectoprat smokeloader vidar 706 pub1 pub5 aspackv2 backdoor dropper infostealer rat stealer trojan

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

redline

Botnet

pub1

viacetequn.site:80

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/860-155-0x0000000004B70000-0x0000000004B92000-memory.dmp	family_redline
behavioral2/memory/860-157-0x0000000004BD0000-0x0000000004BF0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/860-155-0x0000000004B70000-0x0000000004B92000-memory.dmp	family_sectoprat
behavioral2/memory/860-157-0x0000000004BD0000-0x0000000004BF0000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/3604-117-0x0000000004040000-0x00000000040DD000-memory.dmp	family_vidar
behavioral2/memory/3604-121-0x0000000000400000-0x0000000002403000-memory.dmp	family_vidar

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00060000000231fe-53.dat	aspack_v212_v242
behavioral2/files/0x00060000000231ff-54.dat	aspack_v212_v242

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4524	1644	WerFault.exe	40

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3544	PING.EXE

C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe
"C:\Users\Admin\AppData\Local\Temp\28048a470181ea26c44efccc5613248d.exe"
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 572
      4⤵
      Program crash
      PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat041b8c13f01a.exe
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat0467ed277dbd5c.exe
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat04436aa032.exe
      4⤵
      PID:312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat04a3dff8dec.exe
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat043dfd5d2de5535b.exe
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat046b489ca6a4ca7b.exe
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat044149d0d9a89f.exe
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat0489e5e7edba.exe
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat0451bd044df656.exe
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:3036

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat046b489ca6a4ca7b.exe
Sat046b489ca6a4ca7b.exe
1⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat041b8c13f01a.exe
Sat041b8c13f01a.exe
1⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0489e5e7edba.exe
Sat0489e5e7edba.exe
1⤵
PID:2208

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
1⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Abbassero.wmv
1⤵
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\PING.EXE
    ping AVCIKYMG -n 30
    3⤵
    - Runs ping.exe
    PID:3544
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com
    Piu.exe.com L
    3⤵
    PID:1948

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0451bd044df656.exe
"C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0451bd044df656.exe" -a
1⤵
PID:5080

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv
1⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com L
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1644 -ip 1644
1⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat04a3dff8dec.exe
Sat04a3dff8dec.exe
1⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0467ed277dbd5c.exe
Sat0467ed277dbd5c.exe
1⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat044149d0d9a89f.exe
Sat044149d0d9a89f.exe
1⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat04436aa032.exe
Sat04436aa032.exe
1⤵
PID:4884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat0451bd044df656.exe
Sat0451bd044df656.exe
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\Sat043dfd5d2de5535b.exe
Sat043dfd5d2de5535b.exe
1⤵
PID:860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe

Filesize
832KB

MD5
176da3b4ae2c18efcdf8ef40acab3197

SHA1
da9153f6e669140f4bea834f34fc7f5e36762777

SHA256
285afb639d43b31e8a79c981312162d207d41ef110bff241e8f70c044d40bf36

SHA512
4930019a62ece49638dc6f73c3d88056a095abae2013d02217e7ae6b517784a0c6dccd8d2e0bfe6ace43ecd3ef2b4f9c92a003387c1c70130b6ed925325d87ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS40FE3277\setup_install.exe

Filesize
2.1MB

MD5
8c4543c3763d632ac4ccdea76d425512

SHA1
183753707e946d33b16b63470f189172221364fe

SHA256
6ad79b3927d69e4d51409342f37f31c720be9ab0a0bbf468da5f681a67b1ed8f

SHA512
dd02394c9dd20bbb9a9e53ab5378500c5b8d2a83860af868dfcc2703f0547563ee1baff58d645cfc9cb6ff355896d79e26735fb66536fbb389dbfda076e6b17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
92KB

MD5
d772d6902200f5d4599a9b27d0d8f9e6

SHA1
564eefb3fabe655b2fb51f492959b158cb20e12d

SHA256
7bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17

SHA512
6682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36

Download Submit
memory/860-160-0x0000000000400000-0x0000000002CCD000-memory.dmp

Filesize
40.8MB

Download
memory/860-207-0x0000000002D60000-0x0000000002D8F000-memory.dmp

Filesize
188KB

Download
memory/860-164-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

Filesize
240KB

Download
memory/860-183-0x00000000080D0000-0x00000000081DA000-memory.dmp

Filesize
1.0MB

Download
memory/860-156-0x0000000007450000-0x00000000079F4000-memory.dmp

Filesize
5.6MB

Download
memory/860-157-0x0000000004BD0000-0x0000000004BF0000-memory.dmp

Filesize
128KB

Download
memory/860-180-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/860-185-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/860-178-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/860-155-0x0000000004B70000-0x0000000004B92000-memory.dmp

Filesize
136KB

Download
memory/860-154-0x0000000002D60000-0x0000000002D8F000-memory.dmp

Filesize
188KB

Download
memory/860-153-0x0000000002E10000-0x0000000002F10000-memory.dmp

Filesize
1024KB

Download
memory/860-179-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/860-162-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/860-158-0x0000000007A00000-0x0000000008018000-memory.dmp

Filesize
6.1MB

Download
memory/1008-147-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/1008-176-0x0000000007060000-0x0000000007103000-memory.dmp

Filesize
652KB

Download
memory/1008-131-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/1008-145-0x00000000060A0000-0x00000000060BE000-memory.dmp

Filesize
120KB

Download
memory/1008-134-0x0000000005C30000-0x0000000005F84000-memory.dmp

Filesize
3.3MB

Download
memory/1008-163-0x0000000074E80000-0x0000000074ECC000-memory.dmp

Filesize
304KB

Download
memory/1008-133-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/1008-104-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/1008-119-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/1008-95-0x0000000002B00000-0x0000000002B36000-memory.dmp

Filesize
216KB

Download
memory/1008-111-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/1008-196-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/1008-102-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1008-99-0x00000000052F0000-0x0000000005918000-memory.dmp

Filesize
6.2MB

Download
memory/1008-175-0x0000000007000000-0x000000000701E000-memory.dmp

Filesize
120KB

Download
memory/1008-159-0x0000000007020000-0x0000000007052000-memory.dmp

Filesize
200KB

Download
memory/1008-182-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/1008-181-0x000000007F010000-0x000000007F020000-memory.dmp

Filesize
64KB

Download
memory/1008-200-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1008-186-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/1008-190-0x0000000007450000-0x000000000745A000-memory.dmp

Filesize
40KB

Download
memory/1008-192-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/1008-193-0x00000000075D0000-0x00000000075E1000-memory.dmp

Filesize
68KB

Download
memory/1008-197-0x00000000076F0000-0x00000000076F8000-memory.dmp

Filesize
32KB

Download
memory/1008-184-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/1008-195-0x0000000007610000-0x0000000007624000-memory.dmp

Filesize
80KB

Download
memory/1008-194-0x0000000007600000-0x000000000760E000-memory.dmp

Filesize
56KB

Download
memory/1516-93-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1516-204-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/1516-187-0x00007FF8C5300000-0x00007FF8C5DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1516-96-0x00007FF8C5300000-0x00007FF8C5DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1516-103-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/1644-139-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1644-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1644-142-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1644-143-0x0000000000F10000-0x0000000000F9F000-memory.dmp

Filesize
572KB

Download
memory/1644-65-0x0000000000F10000-0x0000000000F9F000-memory.dmp

Filesize
572KB

Download
memory/1644-136-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1644-140-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1644-138-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1644-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1644-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1644-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1644-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1644-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1644-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1644-67-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1644-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1644-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1644-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1644-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1644-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1644-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2208-135-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/2208-137-0x0000000002720000-0x0000000002820000-memory.dmp

Filesize
1024KB

Download
memory/2208-132-0x00000000025D0000-0x00000000025D9000-memory.dmp

Filesize
36KB

Download
memory/3596-203-0x00000000029D0000-0x00000000029E6000-memory.dmp

Filesize
88KB

Download
memory/3596-206-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/3604-121-0x0000000000400000-0x0000000002403000-memory.dmp

Filesize
32.0MB

Download
memory/3604-116-0x0000000002560000-0x0000000002660000-memory.dmp

Filesize
1024KB

Download
memory/3604-117-0x0000000004040000-0x00000000040DD000-memory.dmp

Filesize
628KB

Download
memory/4884-115-0x00007FF8C5300000-0x00007FF8C5DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-202-0x00007FF8C5300000-0x00007FF8C5DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-100-0x0000000000040000-0x000000000006C000-memory.dmp

Filesize
176KB

Download
memory/4884-112-0x0000000001FC0000-0x0000000001FE2000-memory.dmp

Filesize
136KB

Download
memory/4884-118-0x000000001AE90000-0x000000001AEA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads