nullmixer

General

Target

d1adee00a2745df94375ba4d0026c637
Size

3.9MB
Sample

240317-x5ngqaed4t
MD5

d1adee00a2745df94375ba4d0026c637
SHA1

8840feba8025ce904c076cf35cc0835b718503aa
SHA256

486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
SHA512

e7c332fe90e36ecc4ac7ad233f7728f95d4237e285c01dbfa9c909f7c55876face8e40cafb8da48bee685660388a8bcacf2b90a06e816b54218fd7125ee20941
SSDEEP

98304:yY31zkSBNIKE1pgbusbPh4NPIEuTw74qly:yK9BCKbbtK5I12Xy

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

39.9

Botnet

706

C2

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Build1

C2

45.142.213.135:30058

Targets

- Target
  
  d1adee00a2745df94375ba4d0026c637
- Size
  
  3.9MB
- MD5
  
  d1adee00a2745df94375ba4d0026c637
- SHA1
  
  8840feba8025ce904c076cf35cc0835b718503aa
- SHA256
  
  486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
- SHA512
  
  e7c332fe90e36ecc4ac7ad233f7728f95d4237e285c01dbfa9c909f7c55876face8e40cafb8da48bee685660388a8bcacf2b90a06e816b54218fd7125ee20941
- SSDEEP
  
  98304:yY31zkSBNIKE1pgbusbPh4NPIEuTw74qly:yK9BCKbbtK5I12Xy
Score

10^/10

nullmixer privateloader redline risepro sectoprat smokeloader vidar 706 build1 pub6 aspackv2 backdoor dropper infostealer loader persistence rat spyware stealer trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  3.9MB
- MD5
  
  97a16c7e8ab8b16125957a42033e7047
- SHA1
  
  6a4830c58f1cda695bf43b40e152f28e611f9bff
- SHA256
  
  760ce585eb4dd375c916e4fae47e013090e8ca19b4abae149484dfa9b7761111
- SHA512
  
  2efc118a860b130c2ca6a1029b5dfac28abb1a6f7d0c67744638aa6cb9be32f40afa6e3dd79b9db916926bc7cf3fb9feea170f28dc54a7e35da49dc89206ab44
- SSDEEP
  
  98304:xLCvLUBsgdMVfV26M5xVW9KHO+jAiu5LhP5frWI2eDMmd:xwLUCgwfo5XY0Ps15xUIZp
Score

10^/10

nullmixer privateloader redline risepro sectoprat smokeloader vidar 706 build1 pub6 aspackv2 backdoor dropper infostealer loader persistence rat spyware stealer trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4