nullmixer

Sharing

General

Target

5590707d57f936098e12cdeb2b0509cb7a280de296ac0140cc7741b8f345dd8f
Size

71.4MB
Sample

241105-ggypsavnfz
MD5

64025eaffa7d2859d64207242ffe37a1
SHA1

65f46e2ad836eb98cd76ed055553e7b2fbd7ce4f
SHA256

5590707d57f936098e12cdeb2b0509cb7a280de296ac0140cc7741b8f345dd8f
SHA512

98ee34a39ca0c951f15326f564434e2fb17ba574c54056922a659172f2ca9823725dbe8e8edeba62cd3ffa086228089709d629e1362bdfdcd09e77fb98318dae
SSDEEP

786432:D161Z1x1n1r1o181B1R1b1VZvykyUyqyWyby3y6y7yByBy/y2yEyTytym:DkTjlJuKn393ZvN1jHqGJU2OAFfMyV

Score

10^/10

Malware Config

Extracted

Family

nullmixer

http://sokiran.xyz/

Extracted

Family

redline

Botnet

Cana

176.111.174.254:56328

Targets

- Target
  
  FD3E3 (1).exe
- Size
  
  2.7MB
- MD5
  
  fd3e375cbd09c6e1260ce52d3fe91b9c
- SHA1
  
  59eac2602d5955b8d846fb337665bfc43934c87e
- SHA256
  
  036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
- SHA512
  
  f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
- SSDEEP
  
  49152:EgxoWgP85EYFbZvPl+JxNfWp0+hByCXmiwDrlkp2HIKxw7QGvpPQumyjVU3ndWwG:JxU85EqNMJxNfq0UwCXmNdHIsEnQHyj3
Score

10^/10

nullmixer privateloader redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer loader rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  2.6MB
- MD5
  
  8ecbad7f6f7bcdd0efee75004a57f6fb
- SHA1
  
  1035dd1026611d85f512a23409059af7984e8d2f
- SHA256
  
  1e9aef78c5ffd33473c354c4373c7b2b4383cfe0a25287dd92aae8fcb5c7fd4b
- SHA512
  
  5a8c23198fe6f4dfb46c8277b0ef6a319af34df2ee772a9259072797832d77fd1a013cb556a9b4edbcd362c9f093cf14b45624eb135a080a2a565cc74dda1c08
- SSDEEP
  
  49152:xcBVPkZVi7iKiF8cUvFyPMC6j8k/G+gzSVMoKEnvGHRVfJZUEwJ84vLRaBtIl9mN:xxri7ixZUvFyP967GdgXKcGHRVJZDCvC
Score

10^/10

nullmixer redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer rat stealer trojan privateloader loader
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  FD3E3 (10).exe
- Size
  
  2.7MB
- MD5
  
  fd3e375cbd09c6e1260ce52d3fe91b9c
- SHA1
  
  59eac2602d5955b8d846fb337665bfc43934c87e
- SHA256
  
  036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
- SHA512
  
  f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
- SSDEEP
  
  49152:EgxoWgP85EYFbZvPl+JxNfWp0+hByCXmiwDrlkp2HIKxw7QGvpPQumyjVU3ndWwG:JxU85EqNMJxNfq0UwCXmNdHIsEnQHyj3
Score

10^/10

nullmixer redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer rat stealer trojan privateloader loader
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  setup_installer.exe
- Size
  
  2.6MB
- MD5
  
  8ecbad7f6f7bcdd0efee75004a57f6fb
- SHA1
  
  1035dd1026611d85f512a23409059af7984e8d2f
- SHA256
  
  1e9aef78c5ffd33473c354c4373c7b2b4383cfe0a25287dd92aae8fcb5c7fd4b
- SHA512
  
  5a8c23198fe6f4dfb46c8277b0ef6a319af34df2ee772a9259072797832d77fd1a013cb556a9b4edbcd362c9f093cf14b45624eb135a080a2a565cc74dda1c08
- SSDEEP
  
  49152:xcBVPkZVi7iKiF8cUvFyPMC6j8k/G+gzSVMoKEnvGHRVfJZUEwJ84vLRaBtIl9mN:xxri7ixZUvFyP967GdgXKcGHRVJZDCvC
Score

10^/10

nullmixer redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  FD3E3 (11).exe
- Size
  
  2.7MB
- MD5
  
  fd3e375cbd09c6e1260ce52d3fe91b9c
- SHA1
  
  59eac2602d5955b8d846fb337665bfc43934c87e
- SHA256
  
  036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
- SHA512
  
  f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
- SSDEEP
  
  49152:EgxoWgP85EYFbZvPl+JxNfWp0+hByCXmiwDrlkp2HIKxw7QGvpPQumyjVU3ndWwG:JxU85EqNMJxNfq0UwCXmNdHIsEnQHyj3
Score

10^/10

nullmixer privateloader redline sectoprat cana aspackv2 discovery dropper evasion infostealer loader rat trojan vidar stealer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  setup_installer.exe
- Size
  
  2.6MB
- MD5
  
  8ecbad7f6f7bcdd0efee75004a57f6fb
- SHA1
  
  1035dd1026611d85f512a23409059af7984e8d2f
- SHA256
  
  1e9aef78c5ffd33473c354c4373c7b2b4383cfe0a25287dd92aae8fcb5c7fd4b
- SHA512
  
  5a8c23198fe6f4dfb46c8277b0ef6a319af34df2ee772a9259072797832d77fd1a013cb556a9b4edbcd362c9f093cf14b45624eb135a080a2a565cc74dda1c08
- SSDEEP
  
  49152:xcBVPkZVi7iKiF8cUvFyPMC6j8k/G+gzSVMoKEnvGHRVfJZUEwJ84vLRaBtIl9mN:xxri7ixZUvFyP967GdgXKcGHRVJZDCvC
Score

10^/10

nullmixer redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer rat stealer trojan privateloader loader
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  FD3E3 (12).exe
- Size
  
  2.7MB
- MD5
  
  fd3e375cbd09c6e1260ce52d3fe91b9c
- SHA1
  
  59eac2602d5955b8d846fb337665bfc43934c87e
- SHA256
  
  036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
- SHA512
  
  f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
- SSDEEP
  
  49152:EgxoWgP85EYFbZvPl+JxNfWp0+hByCXmiwDrlkp2HIKxw7QGvpPQumyjVU3ndWwG:JxU85EqNMJxNfq0UwCXmNdHIsEnQHyj3
Score

10^/10

nullmixer redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer rat stealer trojan privateloader loader
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  setup_installer.exe
- Size
  
  2.6MB
- MD5
  
  8ecbad7f6f7bcdd0efee75004a57f6fb
- SHA1
  
  1035dd1026611d85f512a23409059af7984e8d2f
- SHA256
  
  1e9aef78c5ffd33473c354c4373c7b2b4383cfe0a25287dd92aae8fcb5c7fd4b
- SHA512
  
  5a8c23198fe6f4dfb46c8277b0ef6a319af34df2ee772a9259072797832d77fd1a013cb556a9b4edbcd362c9f093cf14b45624eb135a080a2a565cc74dda1c08
- SSDEEP
  
  49152:xcBVPkZVi7iKiF8cUvFyPMC6j8k/G+gzSVMoKEnvGHRVfJZUEwJ84vLRaBtIl9mN:xxri7ixZUvFyP967GdgXKcGHRVJZDCvC
Score

10^/10

nullmixer privateloader redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer loader rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  FD3E3 (13).exe
- Size
  
  2.7MB
- MD5
  
  fd3e375cbd09c6e1260ce52d3fe91b9c
- SHA1
  
  59eac2602d5955b8d846fb337665bfc43934c87e
- SHA256
  
  036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
- SHA512
  
  f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
- SSDEEP
  
  49152:EgxoWgP85EYFbZvPl+JxNfWp0+hByCXmiwDrlkp2HIKxw7QGvpPQumyjVU3ndWwG:JxU85EqNMJxNfq0UwCXmNdHIsEnQHyj3
Score

10^/10

nullmixer privateloader redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer loader rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  setup_installer.exe
- Size
  
  2.6MB
- MD5
  
  8ecbad7f6f7bcdd0efee75004a57f6fb
- SHA1
  
  1035dd1026611d85f512a23409059af7984e8d2f
- SHA256
  
  1e9aef78c5ffd33473c354c4373c7b2b4383cfe0a25287dd92aae8fcb5c7fd4b
- SHA512
  
  5a8c23198fe6f4dfb46c8277b0ef6a319af34df2ee772a9259072797832d77fd1a013cb556a9b4edbcd362c9f093cf14b45624eb135a080a2a565cc74dda1c08
- SSDEEP
  
  49152:xcBVPkZVi7iKiF8cUvFyPMC6j8k/G+gzSVMoKEnvGHRVfJZUEwJ84vLRaBtIl9mN:xxri7ixZUvFyP967GdgXKcGHRVJZDCvC
Score

10^/10

nullmixer redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  FD3E3 (14).exe
- Size
  
  2.7MB
- MD5
  
  fd3e375cbd09c6e1260ce52d3fe91b9c
- SHA1
  
  59eac2602d5955b8d846fb337665bfc43934c87e
- SHA256
  
  036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
- SHA512
  
  f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
- SSDEEP
  
  49152:EgxoWgP85EYFbZvPl+JxNfWp0+hByCXmiwDrlkp2HIKxw7QGvpPQumyjVU3ndWwG:JxU85EqNMJxNfq0UwCXmNdHIsEnQHyj3
Score

10^/10

nullmixer privateloader redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer loader rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  setup_installer.exe
- Size
  
  2.6MB
- MD5
  
  8ecbad7f6f7bcdd0efee75004a57f6fb
- SHA1
  
  1035dd1026611d85f512a23409059af7984e8d2f
- SHA256
  
  1e9aef78c5ffd33473c354c4373c7b2b4383cfe0a25287dd92aae8fcb5c7fd4b
- SHA512
  
  5a8c23198fe6f4dfb46c8277b0ef6a319af34df2ee772a9259072797832d77fd1a013cb556a9b4edbcd362c9f093cf14b45624eb135a080a2a565cc74dda1c08
- SSDEEP
  
  49152:xcBVPkZVi7iKiF8cUvFyPMC6j8k/G+gzSVMoKEnvGHRVfJZUEwJ84vLRaBtIl9mN:xxri7ixZUvFyP967GdgXKcGHRVJZDCvC
Score

10^/10

nullmixer privateloader redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer loader rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  FD3E3 (15).exe
- Size
  
  2.7MB
- MD5
  
  fd3e375cbd09c6e1260ce52d3fe91b9c
- SHA1
  
  59eac2602d5955b8d846fb337665bfc43934c87e
- SHA256
  
  036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
- SHA512
  
  f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
- SSDEEP
  
  49152:EgxoWgP85EYFbZvPl+JxNfWp0+hByCXmiwDrlkp2HIKxw7QGvpPQumyjVU3ndWwG:JxU85EqNMJxNfq0UwCXmNdHIsEnQHyj3
Score

10^/10

nullmixer privateloader redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer loader rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  setup_installer.exe
- Size
  
  2.6MB
- MD5
  
  8ecbad7f6f7bcdd0efee75004a57f6fb
- SHA1
  
  1035dd1026611d85f512a23409059af7984e8d2f
- SHA256
  
  1e9aef78c5ffd33473c354c4373c7b2b4383cfe0a25287dd92aae8fcb5c7fd4b
- SHA512
  
  5a8c23198fe6f4dfb46c8277b0ef6a319af34df2ee772a9259072797832d77fd1a013cb556a9b4edbcd362c9f093cf14b45624eb135a080a2a565cc74dda1c08
- SSDEEP
  
  49152:xcBVPkZVi7iKiF8cUvFyPMC6j8k/G+gzSVMoKEnvGHRVfJZUEwJ84vLRaBtIl9mN:xxri7ixZUvFyP967GdgXKcGHRVJZDCvC
Score

10^/10

nullmixer privateloader redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer loader rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  FD3E3 (16).exe
- Size
  
  2.7MB
- MD5
  
  fd3e375cbd09c6e1260ce52d3fe91b9c
- SHA1
  
  59eac2602d5955b8d846fb337665bfc43934c87e
- SHA256
  
  036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
- SHA512
  
  f9ee4e85f1f7ea23c7c51b72fa43c87bb06168856c4dfead982c64dcba3c11a5129a045c510c15fad213e808f476e7d56848d249d639bed1dd4353749e337810
- SSDEEP
  
  49152:EgxoWgP85EYFbZvPl+JxNfWp0+hByCXmiwDrlkp2HIKxw7QGvpPQumyjVU3ndWwG:JxU85EqNMJxNfq0UwCXmNdHIsEnQHyj3
Score

10^/10

nullmixer redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  setup_installer.exe
- Size
  
  2.6MB
- MD5
  
  8ecbad7f6f7bcdd0efee75004a57f6fb
- SHA1
  
  1035dd1026611d85f512a23409059af7984e8d2f
- SHA256
  
  1e9aef78c5ffd33473c354c4373c7b2b4383cfe0a25287dd92aae8fcb5c7fd4b
- SHA512
  
  5a8c23198fe6f4dfb46c8277b0ef6a319af34df2ee772a9259072797832d77fd1a013cb556a9b4edbcd362c9f093cf14b45624eb135a080a2a565cc74dda1c08
- SSDEEP
  
  49152:xcBVPkZVi7iKiF8cUvFyPMC6j8k/G+gzSVMoKEnvGHRVfJZUEwJ84vLRaBtIl9mN:xxri7ixZUvFyP967GdgXKcGHRVJZDCvC
Score

10^/10

nullmixer redline sectoprat vidar cana aspackv2 discovery dropper evasion infostealer rat stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

Nullmixer family

PrivateLoader

Privateloader family

Process spawned unexpected child process

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Vidar family

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Modifies Windows Defender Real-time Protection settings

NullMixer

Nullmixer family

PrivateLoader

Privateloader family

Process spawned unexpected child process

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Vidar family

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Modifies Windows Defender Real-time Protection settings

NullMixer

Nullmixer family

PrivateLoader

Privateloader family

Process spawned unexpected child process

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Vidar family

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Modifies Windows Defender Real-time Protection settings

NullMixer