nullmixer

General

Target

9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b.exe
Size

3.5MB
Sample

240107-w3vmksbfgm
MD5

56cb37005dc4d9b3fa94a9eab2140346
SHA1

74fe4e4afb9f0f09ae04e4da02948115ec8fcd9b
SHA256

9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b
SHA512

58aa443355395ce765b151ce1f13042107a67f3793f9a09625974c030da83749f664679e5b6d765bc5d355b2a797297c27362b7eb0092efa924716ef2e43777e
SSDEEP

49152:9g8p3UukoA1LvVLYU8fAKLECM7ht+29LuSKco6oF4Nphe9+tiI6dU/izKVwtyYn:y8p3E1WU8fAKACaZlu6oee9nBzXyYn

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

vidar

Version

40.3

Botnet

706

C2

https://lenko349.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

pab777

C2

185.215.113.15:6043

Targets

- Target
  
  9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b.exe
- Size
  
  3.5MB
- MD5
  
  56cb37005dc4d9b3fa94a9eab2140346
- SHA1
  
  74fe4e4afb9f0f09ae04e4da02948115ec8fcd9b
- SHA256
  
  9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b
- SHA512
  
  58aa443355395ce765b151ce1f13042107a67f3793f9a09625974c030da83749f664679e5b6d765bc5d355b2a797297c27362b7eb0092efa924716ef2e43777e
- SSDEEP
  
  49152:9g8p3UukoA1LvVLYU8fAKLECM7ht+29LuSKco6oF4Nphe9+tiI6dU/izKVwtyYn:y8p3E1WU8fAKACaZlu6oee9nBzXyYn
Score

10^/10

nullmixer privateloader redline sectoprat vidar 706 pab777 aspackv2 dropper infostealer loader rat stealer trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

PrivateLoader

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Vidar

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2