General
-
Target
505337287dea213362a7634f55120c21485f425b
-
Size
1.9MB
-
Sample
241110-tjdhvazhla
-
MD5
72b4806a451235e858b56cabbbb64532
-
SHA1
505337287dea213362a7634f55120c21485f425b
-
SHA256
e632a6469a39fac016c283b2efdd43d406bee10209f240d6fd22816cef8da457
-
SHA512
a5bd597a92b07ce6838de5b86b2d949b1dcb54519e7a6da5b0f57a06ef3b4a103cd4b7dd625825bc2d31fecad0ca92f7c058c9274fab5bbccf115743fddc611a
-
SSDEEP
49152:LgFJZ0lvGFVCyP7uohkW4bRanRrwstCl9NIgHW:sFJeZGFVd7uohGcRntCl9NIg2
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
setup_installer.exe
Resource
win7-20241010-en
Malware Config
Extracted
nullmixer
http://wxkeww.xyz/
Targets
-
-
Target
sample
-
Size
1.9MB
-
MD5
37f4e96b9d4799bfe8818b957f654229
-
SHA1
d7e7653a5fde002d157fc0463f00793444f2cec1
-
SHA256
46d3b897f34528a04f869085b798098868c84c8f6385e86776f11c5f0b4fa698
-
SHA512
afaa78eb55a51e1554664806b36f5391aae411e8303c3cacd7ae65883bd9f024804c072bb1b04d7e4568fac043a2a083751c3542ae07b9954fbd9498956e446c
-
SSDEEP
49152:EgFHZKlJGLroKP9Skhuee5zanTfw+tCXHXIg+J:JFHoLGLrd9SkhQiTTtCXHXIgy
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer.exe
-
Size
1.9MB
-
MD5
b2f70eb858dfaec80293b9b64e3f27e4
-
SHA1
eef1eddd4cd6f35a9af2f7b8da646bc30d7a1e5a
-
SHA256
b1914ff05df9f8bb2945b6a426ab944b9847686b50f7137f3e04d045966c05ff
-
SHA512
367068e5b12ac20014cff3defc4c62b5fad4064e133da621a68ea9d31f2baeb3c8f2c5ab0c3cd6cd6a163b09a4e8142ac28db2fdbbd8a29c5aa1dc8fbcbfd324
-
SSDEEP
49152:xcBxvy10E+QMWcLctpCOOeWAbaW44EwJ84vLRaBtIl9mTI+MAYs:xU4MWcApaeW9FvCvLUBsKITds
-
Nullmixer family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-