nullmixer | a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8

Analysis

max time kernel
0s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d3e5a2a2243d788901fb182156f4031.exe
Size

4.5MB
MD5

2d3e5a2a2243d788901fb182156f4031
SHA1

acf66cababaeba6d72e72d2962405f41052d79a0
SHA256

a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
SHA512

74287eab6153bb074dc6b5c2f25624b70a4bda2eb54a1071a37a4adf0781646b7ecdccfc86e794ce1d6ceeb75b070f0e8ea78c9642fa67147f3c806f03245888
SSDEEP

98304:Jwg2hGtNVybTZMYTX1Wnlz1vdN0J5Nfm/Fb0bIQ81NN25Fv:JwvhoybtMYxWZBGBm9b0bIJ5Ol

Score

10^/10

nullmixer redline sectoprat smokeloader vidar 706 domani pub5 backdoor dropper infostealer rat stealer trojan upx

Malware Config

Extracted

Family

nullmixer

http://sokiran.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

DomAni

ergerr3.top:80

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1324-182-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1324-182-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 6 IoCs

resource	yara_rule
behavioral2/memory/1936-153-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2576-174-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2244-228-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/2936-227-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/2936-229-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/2244-217-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/3448-210-0x0000000000400000-0x00000000004BA000-memory.dmp	family_vidar
behavioral2/memory/3448-205-0x00000000020C0000-0x000000000215D000-memory.dmp	family_vidar
behavioral2/memory/3448-246-0x00000000020C0000-0x000000000215D000-memory.dmp	family_vidar
behavioral2/memory/3448-245-0x0000000000400000-0x00000000004BA000-memory.dmp	family_vidar

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1936-145-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1936-153-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2576-174-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2244-228-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2936-227-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2936-229-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2244-217-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	ipinfo.io
95	ipinfo.io
12	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1948	5020	WerFault.exe
3564	620	WerFault.exe	46
3784	5292	WerFault.exe	55
5560	3448	WerFault.exe	34

C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe
"C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe"
1⤵
PID:2776
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\7zS84280507\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS84280507\setup_install.exe"
    3⤵
    PID:5020

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_3.exe
sonia_3.exe
1⤵
PID:3448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1044
  2⤵
  - Program crash
  PID:5560

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_5.exe
sonia_5.exe
1⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe
1⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
1⤵
PID:6100
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:2244

C:\Users\Admin\AppData\Local\Temp\liqian.exe
"C:\Users\Admin\AppData\Local\Temp\liqian.exe"
1⤵
PID:4780
- C:\Windows\SysWOW64\rUNdlL32.eXe
  "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
  2⤵
  PID:620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 608
    3⤵
    - Program crash
    PID:3564

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:1936

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
1⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 544
1⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 620 -ip 620
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
"C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"
1⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_4.exe
sonia_4.exe
1⤵
PID:548
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:2936

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe
sonia_6.exe
1⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_7.exe
sonia_7.exe
1⤵
PID:6132

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_2.exe
sonia_2.exe
1⤵
PID:5292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 396
  2⤵
  - Program crash
  PID:3784

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_1.exe
sonia_1.exe
1⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
1⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
1⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
1⤵
PID:5312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
1⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
1⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
1⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5292 -ip 5292
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3448 -ip 3448
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\raeajir

Filesize
225KB

MD5
3c5befb2d5ea426202a35707016d4996

SHA1
bc0bfa794f196db39697ffc5d91cc4f331b0ebc4

SHA256
1d8900c446e33374b82a8849eb66a0af2df370eec99864826e69c671745536dd

SHA512
40c3f5aaefb3154efd0a44931fb4c50b54db77da177d6926015359e6e5f2dd51cc11dbf0b90759bcc91300079372d5f9d9751972b1153ad8dbb990220166ebf3

Download Submit
memory/1324-194-0x0000000005610000-0x0000000005622000-memory.dmp

Filesize
72KB

Download
memory/1324-199-0x00000000056F0000-0x000000000573C000-memory.dmp

Filesize
304KB

Download
memory/1324-248-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/1324-207-0x0000000006080000-0x000000000618A000-memory.dmp

Filesize
1.0MB

Download
memory/1324-191-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/1324-182-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1324-249-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/1324-198-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/1324-197-0x00000000056B0000-0x00000000056EC000-memory.dmp

Filesize
240KB

Download
memory/1324-188-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/1936-153-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2244-217-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2244-228-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2576-174-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2936-227-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2936-229-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3420-241-0x0000000002C80000-0x0000000002C96000-memory.dmp

Filesize
88KB

Download
memory/3448-201-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/3448-210-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3448-246-0x00000000020C0000-0x000000000215D000-memory.dmp

Filesize
628KB

Download
memory/3448-245-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3448-205-0x00000000020C0000-0x000000000215D000-memory.dmp

Filesize
628KB

Download
memory/5020-183-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5020-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5020-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5020-190-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5020-187-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/5020-62-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5020-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5020-181-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5020-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5020-60-0x00000000007B0000-0x000000000083F000-memory.dmp

Filesize
572KB

Download
memory/5020-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5020-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5020-180-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5020-179-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/5020-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5020-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5020-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5020-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5020-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5292-209-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5292-206-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/5292-208-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/5292-244-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6012-135-0x0000000000AE0000-0x0000000000B02000-memory.dmp

Filesize
136KB

Download
memory/6012-146-0x0000000002A60000-0x0000000002A7E000-memory.dmp

Filesize
120KB

Download
memory/6012-237-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/6012-154-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/6012-254-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/6012-137-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/6012-247-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/6040-189-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/6040-87-0x0000000000840000-0x00000000008A4000-memory.dmp

Filesize
400KB

Download
memory/6040-91-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/6132-133-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/6132-88-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/6132-85-0x00000000004D0000-0x0000000000690000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads