nullmixer | bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36

Analysis

max time kernel
0s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9b89f25e9e8d52c313f26e0429068d8.exe
Size

2.6MB
MD5

e9b89f25e9e8d52c313f26e0429068d8
SHA1

6b9509635732c7fff640d65911e5a32a01573d4a
SHA256

bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36
SHA512

a1902f04df52cfb0c0fa696beb1fcb69cf6e8eb97e223db2c13524e1057717bdad1552612abfa875e6ec74732bcf44af0d9bf75a4621a081fed7735a3302da74
SSDEEP

49152:xcBbPkZVi7iKiF8cUvFyPOtPe3ri/lkmc6dHHpt/KyfI1KV1byEwJ84vLRaBtIly:x7ri7ixZUvFyPcPe3rlwpLfTV1tCvLUZ

Score

10^/10

nullmixer smokeloader vidar 933 pub5 aspackv2 backdoor dropper stealer trojan

Malware Config

Extracted

Family

nullmixer

http://lotzini.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.7

Botnet

933

https://shpak125.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4516	rUNdlL32.eXe	32

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/1324-110-0x0000000002D60000-0x0000000002DFD000-memory.dmp	family_vidar
behavioral2/memory/1324-113-0x0000000000400000-0x0000000002BCA000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023220-28.dat	aspack_v212_v242
behavioral2/files/0x000600000002321e-46.dat	aspack_v212_v242
behavioral2/files/0x000600000002321b-39.dat	aspack_v212_v242
behavioral2/files/0x000600000002321b-37.dat	aspack_v212_v242
behavioral2/files/0x000600000002321e-42.dat	aspack_v212_v242
behavioral2/files/0x000600000002321c-38.dat	aspack_v212_v242
behavioral2/files/0x000600000002321c-35.dat	aspack_v212_v242
behavioral2/files/0x0006000000023220-33.dat	aspack_v212_v242

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process
4496	220	WerFault.exe
1900	5068	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe
"C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe"
1⤵
PID:2600
- C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\setup_install.exe"
  2⤵
  PID:220

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_2.exe
sahiba_2.exe
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 220 -ip 220
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 556
1⤵
- Program crash
PID:4496

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_1.exe" -a
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 600
1⤵
- Program crash
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5068 -ip 5068
1⤵
PID:4124

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:5068

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:1268

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_3.exe
sahiba_3.exe
1⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_1.exe
sahiba_1.exe
1⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_5.exe
sahiba_5.exe
1⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_4.exe
sahiba_4.exe
1⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_7.exe
sahiba_7.exe
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\sahiba_6.exe
sahiba_6.exe
1⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
1⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
1⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
1⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
1⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
1⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
1⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
1⤵
PID:3060

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libcurl.dll

Filesize
54KB

MD5
ca50aa8cc10ccd1f0177a59c671c1aeb

SHA1
48fb412930be7ed5f93e890a1f14a6a0e2f290aa

SHA256
8fd476c8e261d7dd3a9e3779104c0249958750b1cac0e642ec46f3a6170932f5

SHA512
7eb825932f7221cd5a9eacf62d1fd95fe4a3501d9427609a85ddd10b1bc8a123409535fcb6cd6681b0ac24fe46ed461a99b52ced079cba89470606439c50eb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libcurl.dll

Filesize
40KB

MD5
c368e83a74e3da2c5c973850442697a3

SHA1
7cebec1f7271bb106d4ae1805ccb7efc096f8594

SHA256
220c4cf7a0e92f2bb4b6e77fc1c5e2ec01e9dd175e35de2404d5858f3268889d

SHA512
6bcc74b3a7b8f89631ab08ae538ae6a6bf2ded8b5d614313b71c50d656fe0299d40668f24d366f768059233bc64fc6cfa26b47b11546e74ee078dd2c6c163b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libcurlpp.dll

Filesize
38KB

MD5
0e9b6dc2122adebe2e63f28eb49a5ad7

SHA1
64548746d31a25e03873dee42de4660ad4123339

SHA256
90f4a8e0fba0c24cc454c5ba53721b1273727f7fed48c4c53d0d02fb87ef88b7

SHA512
58434e3ad7b0e9d06144b297dfd3f0003228a53fd34c0e88cd75b38d337ef3c66bff2a82f124fae970f5713b639ddc896e0685771ec4943fa3027609f6e7b6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libgcc_s_dw2-1.dll

Filesize
31KB

MD5
7736cf662512953459b80ba9bf46260b

SHA1
520cc995db2f6e1ccceb6b65a59114ade2b58dcf

SHA256
f05bb40e3c371e194c7a11bc3a4bf29fd8141a9602ac01c4cd68d536a1b46ec8

SHA512
500cbda4d22311a5c72876ab9ca5dda96ed70440c5c3eea0e16d775a5bddfdaa94b74326fb60f342590cf1479785f4a07176a03eec55509f77f45afea7f46745

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libgcc_s_dw2-1.dll

Filesize
57KB

MD5
c67d9c95df7a057fa6a1602bdfe744e4

SHA1
cc2591e7cbdfc02b365b8c54ebdf0c1078214f78

SHA256
769e713b2d7c6719af69011dea30aea5c8d6bfb01156d79cdd9c7d7b313532a8

SHA512
ee56a3ad853455c9e5003972f3534c54ff99bd5dc1e64b5d179d9c7009e1ff3060af08b8708bfd02ae2d0ac4a1df6e88197b4a5c93ff9e5b4744059fde76ee68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libstdc++-6.dll

Filesize
31KB

MD5
9a2dcd1b39c6b5ea1d0513fee3d10a78

SHA1
9fb3b9f534caf934e4b650b7c91f264e94b578a4

SHA256
df5c7a81e3df887f1c9adc431a5c6285f63453f8f5fb35edd38d9830d0eaad99

SHA512
a5471f850afd6c95e1cfedcac49bc8d794c5519dff0facd4c080f808b911eec60c997357c09b05b04ec0a7d12bbee0894fda8317c6c0fad6dc212c613d8cac23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\libwinpthread-1.dll

Filesize
38KB

MD5
ab9c2ab81673388785cd76a0733019e6

SHA1
a174521dae6309f3fc1fc847e244de15704ba510

SHA256
ff4bdc4e8a9b42d794c52f2ac1fde22f8b50e9fb51eafbf24c378f6d62f15687

SHA512
01db7847172456efcedbf5856cf1d19f66013b695aeba0e1611626c6f305845f33bf642a6491b7e6ef5ff201553e9a1fb016de1b75aedae15c47fd2276c92dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\setup_install.exe

Filesize
53KB

MD5
6fae5a54acbc323e5a4867efe924b146

SHA1
bc4dcf99452d27ad8ffa4cebb952d879070fd3a4

SHA256
453067648c16ac54a5da9837265727931671ff04ac3fbf98c0747f0e24a6abdc

SHA512
75baa594d249ed0a0a613b624608446a21cdfe565dc0bce0c01649dd45e59750ed57d2fa402ec97ecae4b8e0f87d0e0a715d1da6e3850308471a15bbcf8470a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82AA5957\setup_install.exe

Filesize
92KB

MD5
7f7d117816aa94ee6625dd7f5873acc7

SHA1
a0ff1995def972f9072a766b61a26edebf514e7e

SHA256
077bfc68b617860e81b57780ea69425fc01aa59da495823dd03e4e61f606f905

SHA512
4bafee9c8cc84e5c51a77c53b13de9b7c3d92a4035c96a34028eb3c9a35e5508af5ae6f71874fe8c68ad8ffc11fbe7d707e1d3e47a2ae870fc30448f5fbfc34e

Download Submit
memory/220-63-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/220-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/220-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/220-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/220-98-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/220-99-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/220-100-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/220-32-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/220-45-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/220-52-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/220-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/220-91-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/220-64-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/220-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/220-65-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/220-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/220-62-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/220-61-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/220-60-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/220-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/220-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/220-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/220-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/220-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/220-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/220-50-0x0000000000C90000-0x0000000000D1F000-memory.dmp

Filesize
572KB

Download
memory/220-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1168-84-0x000000001B390000-0x000000001B3A0000-memory.dmp

Filesize
64KB

Download
memory/1168-81-0x00007FFADD490000-0x00007FFADDF51000-memory.dmp

Filesize
10.8MB

Download
memory/1168-78-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/1324-113-0x0000000000400000-0x0000000002BCA000-memory.dmp

Filesize
39.8MB

Download
memory/1324-110-0x0000000002D60000-0x0000000002DFD000-memory.dmp

Filesize
628KB

Download
memory/1324-109-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/1792-107-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/1792-102-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/1792-101-0x0000000002C30000-0x0000000002D30000-memory.dmp

Filesize
1024KB

Download
memory/3384-115-0x00000000033C0000-0x00000000033D5000-memory.dmp

Filesize
84KB

Download
memory/4044-89-0x00000000010C0000-0x00000000010C6000-memory.dmp

Filesize
24KB

Download
memory/4044-88-0x00000000012A0000-0x00000000012CC000-memory.dmp

Filesize
176KB

Download
memory/4044-86-0x00000000010B0000-0x00000000010B6000-memory.dmp

Filesize
24KB

Download
memory/4044-87-0x00007FFADD490000-0x00007FFADDF51000-memory.dmp

Filesize
10.8MB

Download
memory/4044-83-0x00000000008E0000-0x000000000091E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads