nullmixer | 3675ddb9d16e43fd54dd441f57a0aa0c20ae7b6a85b81f2b867c753c3503934f | Triage

Submit
Reports

Overview

overview

Static

static

3

ef06ab5cd5...18.exe

windows7-x64

ef06ab5cd5...18.exe

windows10-2004-x64

setup_installer.exe

windows7-x64

setup_installer.exe

windows10-2004-x64

Sharing

General

Target

ef06ab5cd57598acc6b4222249dbe5b4_JaffaCakes118
Size

1.5MB
Sample

240412-d2td1sdg46
MD5

ef06ab5cd57598acc6b4222249dbe5b4
SHA1

97e4d2abceaa96a2a671a86749c61bc0a6a4aefb
SHA256

3675ddb9d16e43fd54dd441f57a0aa0c20ae7b6a85b81f2b867c753c3503934f
SHA512

ffa705ba0f0850bf1dfe76ec4a664ba3fdad6c3533c0cf15eb33f80ca7e74812a905f0a96d28bcf8785eebd0a69874c28bf12bc86b4b42904230fa4c62d1f6e1
SSDEEP

24576:Eg5N+6z3egEPDrLEF4ejyClVmoFdej0ry2tdAWem7e1FB7yYHIwAQyTlCFuxUhqR:Eg/+6zOgELMF4eVpFEiy2trqr75oHHl7

Score

10^/10

nullmixer smokeloader pub6 aspackv2 backdoor dropper evasion spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ef06ab5cd57598acc6b4222249dbe5b4_JaffaCakes118.exe

Resource

win7-20240221-en

nullmixer smokeloader pub6 aspackv2 backdoor dropper evasion spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

ef06ab5cd57598acc6b4222249dbe5b4_JaffaCakes118.exe

Resource

win10v2004-20240226-en

nullmixer smokeloader pub6 aspackv2 backdoor dropper evasion spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Behavioral task

behavioral3

Sample

setup_installer.exe

Resource

win7-20240220-en

nullmixer smokeloader pub6 aspackv2 backdoor dropper evasion spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral4

Sample

setup_installer.exe

Resource

win10v2004-20240226-en

nullmixer smokeloader pub6 aspackv2 backdoor dropper evasion spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

rc4.i32

Targets

- Target
  
  ef06ab5cd57598acc6b4222249dbe5b4_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  ef06ab5cd57598acc6b4222249dbe5b4
- SHA1
  
  97e4d2abceaa96a2a671a86749c61bc0a6a4aefb
- SHA256
  
  3675ddb9d16e43fd54dd441f57a0aa0c20ae7b6a85b81f2b867c753c3503934f
- SHA512
  
  ffa705ba0f0850bf1dfe76ec4a664ba3fdad6c3533c0cf15eb33f80ca7e74812a905f0a96d28bcf8785eebd0a69874c28bf12bc86b4b42904230fa4c62d1f6e1
- SSDEEP
  
  24576:Eg5N+6z3egEPDrLEF4ejyClVmoFdej0ry2tdAWem7e1FB7yYHIwAQyTlCFuxUhqR:Eg/+6zOgELMF4eVpFEiy2trqr75oHHl7
Score

10^/10

nullmixer smokeloader pub6 aspackv2 backdoor dropper evasion spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  1.5MB
- MD5
  
  0d9f7ef9fc85315c134a06c483f0a694
- SHA1
  
  9a8f6eb079f6f1c8421a0f78bb5387b061d843b8
- SHA256
  
  5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a
- SHA512
  
  9f1574b81a80126e606cadb17b9556474f38929ffdb8ccf5ce330ffaa0f83e4f818c885f7c1c3b204b3011b1db4ebcff0ba3e96406878f3e873e7cdc22e703bd
- SSDEEP
  
  24576:xcVkKSGXCeomdCFDWHp/7F82Py2nNEPY/RQ5DsvLwcaBhdZIl9mTqUf+HDpFWndF:xcBNCpZgu2PyONEwJ84vLRaBtIl9mTiw
Score

10^/10

nullmixer smokeloader pub6 aspackv2 backdoor dropper evasion spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nullmixersmokeloaderpub6aspackv2backdoordropperevasionspywarestealertrojan

behavioral2

nullmixersmokeloaderpub6aspackv2backdoordropperevasionspywarestealertrojan

behavioral3

nullmixersmokeloaderpub6aspackv2backdoordropperevasionspywarestealertrojan

behavioral4

nullmixersmokeloaderpub6aspackv2backdoordropperevasionspywarestealertrojan

© 2018-2024

Terms | Privacy