win.nullmixer

Nullmixer


Nullmixer is a dropper/loader for additional malware. It is known to drop a wide range of other malware families, such as info stealers, RATs and additional loaders. Observed samples contained up to 8 additional payloads.

References
2023-03-26 — Luca Mella
@online{mella:20230326:updates:deb3c61, author = {Luca Mella}, title = {{Updates from the MaaS: new threats delivered through NullMixer}}, date = {2023-03-26}, url = {https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1}, language = {English}, urldate = {2023-03-29} } Updates from the MaaS: new threats delivered through NullMixer
Fabookie Nullmixer PseudoManuscrypt Raccoon RedLine Stealer
2023-02-04 — Youtube (Dr Josh Stroschein) — Josh Stroschein
@online{stroschein:20230204:investigating:3798dbd, author = {Josh Stroschein}, title = {{Investigating NullMixer Network Traffic: Utilizing Suricata and Evebox (Part 3)}}, date = {2023-02-04}, organization = {Youtube (Dr Josh Stroschein)}, url = {https://www.youtube.com/watch?v=v_K_zoPGpdk}, language = {English}, urldate = {2023-02-06} } Investigating NullMixer Network Traffic: Utilizing Suricata and Evebox (Part 3)
Nullmixer
2023-02-03 — Youtube (Dr Josh Stroschein) — Josh Stroschein
@online{stroschein:20230203:unpacking:a6b8603, author = {Josh Stroschein}, title = {{Unpacking NullMixer - Identifying and Unraveling ASPack (Part 2)}}, date = {2023-02-03}, organization = {Youtube (Dr Josh Stroschein)}, url = {https://www.youtube.com/watch?v=yLQfDk3dVmA}, language = {English}, urldate = {2023-02-06} } Unpacking NullMixer - Identifying and Unraveling ASPack (Part 2)
Nullmixer
2023-01-31 — Josh Stroschein
@online{stroschein:20230131:investigating:1c660cf, author = {Josh Stroschein}, title = {{Investigating NullMixer - Identifying Initial Packing Techniques (Part 1)}}, date = {2023-01-31}, url = {https://www.youtube.com/watch?v=92jKJ_G_6ho}, language = {English}, urldate = {2023-02-06} } Investigating NullMixer - Identifying Initial Packing Techniques (Part 1)
Nullmixer
2022-09-26 — Kaspersky — Haim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2023-02-06} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
Yara Rules
[TLP:WHITE] win_nullmixer_auto (20230715 | Detects win.nullmixer.)
/*
 * Auto-generated Malpedia detection rule for the win.nullmixer dropper/loader.
 *
 * Each $sequence_N string is a run of x86 (32-bit) instruction bytes lifted
 * from unpacked samples / memory dumps (see the DISCLAIMER inside the rule).
 * The disassembly listed under every string documents what the bytes encode.
 * Where a sequence contains `e8 ????????` (x86 CALL rel32), the four-byte
 * relative call target is wildcarded so the pattern is not tied to one
 * layout of the binary; this is what the "callsandjumps" signator_config
 * refers to.
 *
 * Because the sequences were taken from unpacked code, apply the rule to
 * memory dumps or unpacked files. Packed on-disk samples (the published
 * analyses of this family discuss ASPack-packed droppers) are unlikely to
 * match before unpacking.
 */
rule win_nullmixer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nullmixer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-frame setup (sub esp, 0x30) followed by flag tests on a
        // structure reached through ecx.
        $sequence_0 = { 83ec30 8b742440 f6412c08 0f84fc000000 80794600 89cb 7569 }
            // n = 7, score = 100
            //   83ec30               | sub                 esp, 0x30
            //   8b742440             | mov                 esi, dword ptr [esp + 0x40]
            //   f6412c08             | test                byte ptr [ecx + 0x2c], 8
            //   0f84fc000000         | je                  0x102
            //   80794600             | cmp                 byte ptr [ecx + 0x46], 0
            //   89cb                 | mov                 ebx, ecx
            //   7569                 | jne                 0x6b

        // Byte-compare loop body: bl is compared against fields at offset
        // 0x25 / 0x24 of two objects (edx, eax).
        $sequence_1 = { 385a25 0f8461010000 8b45c0 3a5824 0f8407feffff 8b45ac 0fbedb }
            // n = 7, score = 100
            //   385a25               | cmp                 byte ptr [edx + 0x25], bl
            //   0f8461010000         | je                  0x167
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   3a5824               | cmp                 bl, byte ptr [eax + 0x24]
            //   0f8407feffff         | je                  0xfffffe0d
            //   8b45ac               | mov                 eax, dword ptr [ebp - 0x54]
            //   0fbedb               | movsx               ebx, bl

        // Call with wildcarded target, then a test of its boolean (al) result.
        // NOTE: the last five instructions are also the first five of
        // $sequence_8 below; the two strings cover overlapping code.
        $sequence_2 = { e8???????? 84c0 0f841b040000 807dbf00 750c 8b45b8 0b45d4 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f841b040000         | je                  0x421
            //   807dbf00             | cmp                 byte ptr [ebp - 0x41], 0
            //   750c                 | jne                 0xe
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   0b45d4               | or                  eax, dword ptr [ebp - 0x2c]

        // Signed count check (jle) on a dword at [ebx + 0x134], then a
        // comparison of esi against the value at [esp + 0x1c].
        $sequence_3 = { 8b8b34010000 894c2420 85c9 7e34 8b4c241c 3b31 0f840c090000 }
            // n = 7, score = 100
            //   8b8b34010000         | mov                 ecx, dword ptr [ebx + 0x134]
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   85c9                 | test                ecx, ecx
            //   7e34                 | jle                 0x36
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   3b31                 | cmp                 esi, dword ptr [ecx]
            //   0f840c090000         | je                  0x912

        // Reads a byte pointer from [eax + 0xc], checks for a NUL terminator
        // and advances it by one (looks like string/buffer walking — verify).
        $sequence_4 = { 8b400c 803800 0f84b0000000 8d5001 89570c 80780100 0fb630 }
            // n = 7, score = 100
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   803800               | cmp                 byte ptr [eax], 0
            //   0f84b0000000         | je                  0xb6
            //   8d5001               | lea                 edx, [eax + 1]
            //   89570c               | mov                 dword ptr [edi + 0xc], edx
            //   80780100             | cmp                 byte ptr [eax + 1], 0
            //   0fb630               | movzx               esi, byte ptr [eax]

        // Starts with compiler alignment padding (nop / lea esi,[esi] is a
        // multi-byte no-op form), then compares two dwords at [edi+0x18] and
        // [edi+0x14] and takes their difference.
        $sequence_5 = { 90 8d742600 8b5f18 8b4714 39c3 7447 29c3 }
            // n = 7, score = 100
            //   90                   | nop                 
            //   8d742600             | lea                 esi, [esi]
            //   8b5f18               | mov                 ebx, dword ptr [edi + 0x18]
            //   8b4714               | mov                 eax, dword ptr [edi + 0x14]
            //   39c3                 | cmp                 ebx, eax
            //   7447                 | je                  0x49
            //   29c3                 | sub                 ebx, eax

        // Repeated "lea eax, [ebp - N]; mov ecx, eax; call ..." pattern:
        // consecutive calls with a stack-local address passed in ecx
        // (thiscall-style argument passing — infer from the register use).
        // Both call targets are wildcarded.
        $sequence_6 = { 89c1 e8???????? 8d859cfdffff 89c1 e8???????? 8d85b4fdffff 89c1 }
            // n = 7, score = 100
            //   89c1                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d859cfdffff         | lea                 eax, [ebp - 0x264]
            //   89c1                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d85b4fdffff         | lea                 eax, [ebp - 0x24c]
            //   89c1                 | mov                 ecx, eax

        // Loop back-edge (jne to a negative displacement) followed by loading
        // two function arguments ([ebp+0x10], [ebp+0xc]) and storing one at
        // [esp+4] for an outgoing call.
        $sequence_7 = { 85c9 0f8565ffffff 8b4a78 8b7d10 8b01 897c2404 8b7d0c }
            // n = 7, score = 100
            //   85c9                 | test                ecx, ecx
            //   0f8565ffffff         | jne                 0xffffff6b
            //   8b4a78               | mov                 ecx, dword ptr [edx + 0x78]
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   897c2404             | mov                 dword ptr [esp + 4], edi
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]

        // Overlaps $sequence_2 (same five middle instructions, shifted by one
        // instruction); a hit on one of the two will normally imply the other,
        // so they do not provide two independent pieces of evidence.
        $sequence_8 = { 0f841b040000 807dbf00 750c 8b45b8 0b45d4 0f84b6fdffff }
            // n = 6, score = 100
            //   0f841b040000         | je                  0x421
            //   807dbf00             | cmp                 byte ptr [ebp - 0x41], 0
            //   750c                 | jne                 0xe
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   0b45d4               | or                  eax, dword ptr [ebp - 0x2c]
            //   0f84b6fdffff         | je                  0xfffffdbc

        // Function prologue: saves edi/esi/ebx, keeps `this`/ecx in esi and
        // reserves 0x3c bytes of locals.
        $sequence_9 = { 57 56 89ce 53 83ec3c 8b09 8b4510 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   56                   | push                esi
            //   89ce                 | mov                 esi, ecx
            //   53                   | push                ebx
            //   83ec3c               | sub                 esp, 0x3c
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

    condition:
        // Fire when at least 7 of the 10 code sequences are present and the
        // scanned object is smaller than 2351104 bytes (0x23E000, ~2.24 MiB).
        // Because $sequence_2 and $sequence_8 overlap, the effective number of
        // independent code regions required is closer to 6 than 7; keep that
        // in mind when assigning this rule a confidence level.
        7 of them and filesize < 2351104
}