nullmixer

General

Target

x86_x64_setup.exe
Size

2.8MB
Sample

250513-vwxypaywdw
MD5

bda41ecaa52e302ffb309a6dac116897
SHA1

09c005f0e8ebdb6f3d2564570d404415e2564a8b
SHA256

87a1ca2aa8e2828a854d42a7712de25d8bbf11763372257ecab9827e79865508
SHA512

d10cd536829cd3129f616102d1817debd12b063036fd0441155541ae8ca6af8ffe38d9e9100b22cabb66d43b14c45ec9d52b38f5f31ef67cb70953b6cd6a21d5
SSDEEP

49152:Ege9LNIfjmcuTBiDUQBb2VqWgX3gI7EWNn4n6uviA8YUdu9TLHK:JeFNIOTBMUQBqorDtx46g8YuV

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://razino.xyz/

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Targets

- Target
  
  x86_x64_setup.exe
- Size
  
  2.8MB
- MD5
  
  bda41ecaa52e302ffb309a6dac116897
- SHA1
  
  09c005f0e8ebdb6f3d2564570d404415e2564a8b
- SHA256
  
  87a1ca2aa8e2828a854d42a7712de25d8bbf11763372257ecab9827e79865508
- SHA512
  
  d10cd536829cd3129f616102d1817debd12b063036fd0441155541ae8ca6af8ffe38d9e9100b22cabb66d43b14c45ec9d52b38f5f31ef67cb70953b6cd6a21d5
- SSDEEP
  
  49152:Ege9LNIfjmcuTBiDUQBb2VqWgX3gI7EWNn4n6uviA8YUdu9TLHK:JeFNIOTBMUQBqorDtx46g8YuV
Score

10^/10

nullmixer privateloader redline sectoprat cana aspackv2 defense_evasion discovery dropper evasion infostealer loader rat trojan
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  2.7MB
- MD5
  
  256f61bc0d5b2f51ab65297237b46385
- SHA1
  
  773cdaafaed076b666576a524333e5a06b76afd4
- SHA256
  
  f927ee4fd2e0cabff535ab9704653f02b1d084a7537b923f7e87ce7cc7e12e27
- SHA512
  
  44d9710828d67ce217d03c4bed9f7c3efca854cd30348c61fa5aa58b7373ac5d55063419f5bc9fd1c8ec9c0a43a527b7ba3c91bd7419baade70498204d751d0b
- SSDEEP
  
  49152:xcBLPkZVi7iKiF8cUvFyP7OWMH/5dk3HxnwOsmiyMlLMNHEwJ84vLRaBtIl9mTgS:xPri7ixZUvFyPSPdOwOUokCvLUBsKR/
Score

10^/10

nullmixer privateloader redline sectoprat cana aspackv2 defense_evasion discovery dropper evasion infostealer loader rat trojan
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4