nullmixer

General

Target

72b4806a451235e858b56cabbbb64532
Size

1.9MB
Sample

241109-hs3njsyqgs
MD5

72b4806a451235e858b56cabbbb64532
SHA1

505337287dea213362a7634f55120c21485f425b
SHA256

e632a6469a39fac016c283b2efdd43d406bee10209f240d6fd22816cef8da457
SHA512

a5bd597a92b07ce6838de5b86b2d949b1dcb54519e7a6da5b0f57a06ef3b4a103cd4b7dd625825bc2d31fecad0ca92f7c058c9274fab5bbccf115743fddc611a
SSDEEP

49152:LgFJZ0lvGFVCyP7uohkW4bRanRrwstCl9NIgHW:sFJeZGFVd7uohGcRntCl9NIg2

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Targets

- Target
  
  sample
- Size
  
  1.9MB
- MD5
  
  37f4e96b9d4799bfe8818b957f654229
- SHA1
  
  d7e7653a5fde002d157fc0463f00793444f2cec1
- SHA256
  
  46d3b897f34528a04f869085b798098868c84c8f6385e86776f11c5f0b4fa698
- SHA512
  
  afaa78eb55a51e1554664806b36f5391aae411e8303c3cacd7ae65883bd9f024804c072bb1b04d7e4568fac043a2a083751c3542ae07b9954fbd9498956e446c
- SSDEEP
  
  49152:EgFHZKlJGLroKP9Skhuee5zanTfw+tCXHXIg+J:JFHoLGLrd9SkhQiTTtCXHXIgy
Score

10^/10

nullmixer aspackv2 discovery dropper evasion trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  1.9MB
- MD5
  
  b2f70eb858dfaec80293b9b64e3f27e4
- SHA1
  
  eef1eddd4cd6f35a9af2f7b8da646bc30d7a1e5a
- SHA256
  
  b1914ff05df9f8bb2945b6a426ab944b9847686b50f7137f3e04d045966c05ff
- SHA512
  
  367068e5b12ac20014cff3defc4c62b5fad4064e133da621a68ea9d31f2baeb3c8f2c5ab0c3cd6cd6a163b09a4e8142ac28db2fdbbd8a29c5aa1dc8fbcbfd324
- SSDEEP
  
  49152:xcBxvy10E+QMWcLctpCOOeWAbaW44EwJ84vLRaBtIl9mTI+MAYs:xU4MWcApaeW9FvCvLUBsKITds
Score

10^/10

nullmixer aspackv2 discovery dropper evasion trojan privateloader loader
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4