nullmixer

General

Target

e9b89f25e9e8d52c313f26e0429068d8.exe
Size

2.6MB
Sample

240109-xd9kwahch6
MD5

e9b89f25e9e8d52c313f26e0429068d8
SHA1

6b9509635732c7fff640d65911e5a32a01573d4a
SHA256

bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36
SHA512

a1902f04df52cfb0c0fa696beb1fcb69cf6e8eb97e223db2c13524e1057717bdad1552612abfa875e6ec74732bcf44af0d9bf75a4621a081fed7735a3302da74
SSDEEP

49152:xcBbPkZVi7iKiF8cUvFyPOtPe3ri/lkmc6dHHpt/KyfI1KV1byEwJ84vLRaBtIly:x7ri7ixZUvFyPcPe3rlwpLfTV1tCvLUZ

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://lotzini.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

vidar

Version

39.7

Botnet

933

C2

https://shpak125.tumblr.com/

Attributes

profile_id
933

Targets

- Target
  
  e9b89f25e9e8d52c313f26e0429068d8.exe
- Size
  
  2.6MB
- MD5
  
  e9b89f25e9e8d52c313f26e0429068d8
- SHA1
  
  6b9509635732c7fff640d65911e5a32a01573d4a
- SHA256
  
  bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36
- SHA512
  
  a1902f04df52cfb0c0fa696beb1fcb69cf6e8eb97e223db2c13524e1057717bdad1552612abfa875e6ec74732bcf44af0d9bf75a4621a081fed7735a3302da74
- SSDEEP
  
  49152:xcBbPkZVi7iKiF8cUvFyPOtPe3ri/lkmc6dHHpt/KyfI1KV1byEwJ84vLRaBtIly:x7ri7ixZUvFyPcPe3rlwpLfTV1tCvLUZ
Score

10^/10

nullmixer smokeloader pub5 aspackv2 backdoor dropper trojan vidar 933 stealer
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

SmokeLoader

Vidar

Vidar Stealer

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2