win.nullmixer

Nullmixer


Nullmixer is a dropper/loader for additional malware. It is known to drop a vast amount of different malware, such as info stealers, RATs and additional loaders. Observed samples contained up to 8 additional payloads.

References
2023-03-26 Luca Mella
@online{mella:20230326:updates:deb3c61, author = {Luca Mella}, title = {{Updates from the MaaS: new threats delivered through NullMixer}}, date = {2023-03-26}, url = {https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1}, language = {English}, urldate = {2023-03-29} } Updates from the MaaS: new threats delivered through NullMixer
Fabookie Nullmixer PseudoManuscrypt Raccoon RedLine Stealer
2023-02-04 Youtube (Dr Josh Stroschein) Josh Stroschein
@online{stroschein:20230204:investigating:3798dbd, author = {Josh Stroschein}, title = {{Investigating NullMixer Network Traffic: Utilizing Suricata and Evebox (Part 3)}}, date = {2023-02-04}, organization = {Youtube (Dr Josh Stroschein)}, url = {https://www.youtube.com/watch?v=v_K_zoPGpdk}, language = {English}, urldate = {2023-02-06} } Investigating NullMixer Network Traffic: Utilizing Suricata and Evebox (Part 3)
Nullmixer
2023-02-03 Youtube (Dr Josh Stroschein) Josh Stroschein
@online{stroschein:20230203:unpacking:a6b8603, author = {Josh Stroschein}, title = {{Unpacking NullMixer - Identifying and Unraveling ASPack (Part 2)}}, date = {2023-02-03}, organization = {Youtube (Dr Josh Stroschein)}, url = {https://www.youtube.com/watch?v=yLQfDk3dVmA}, language = {English}, urldate = {2023-02-06} } Unpacking NullMixer - Identifying and Unraveling ASPack (Part 2)
Nullmixer
2023-01-31 Josh Stroschein
@online{stroschein:20230131:investigating:1c660cf, author = {Josh Stroschein}, title = {{Investigating NullMixer - Identifying Initial Packing Techniques (Part 1)}}, date = {2023-01-31}, url = {https://www.youtube.com/watch?v=92jKJ_G_6ho}, language = {English}, urldate = {2023-02-06} } Investigating NullMixer - Identifying Initial Packing Techniques (Part 1)
Nullmixer
2022-09-26 Kaspersky Haim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2023-02-06} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
Yara Rules
[TLP:WHITE] win_nullmixer_auto (20230407 | Detects win.nullmixer.)
/*
 * Auto-generated detection rule for win.nullmixer (Malpedia, yara-signator).
 * Each $sequence_N is a short run of raw x86 instruction bytes selected from
 * unpacked / memory-dumped samples (see DISCLAIMER below); the disassembly
 * listed under each string is informational only and is not part of the match.
 * A file matches when at least 7 of the 10 sequences are present AND the
 * file is smaller than 2351104 bytes.
 * NOTE(review): since the sequences were taken from unpacked code, this rule is
 * expected to hit on memory dumps or unpacked binaries rather than on packed
 * on-disk droppers — confirm against your own sample set before assigning a
 * confidence level.
 */
rule win_nullmixer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.nullmixer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex strings are raw instruction bytes. The "????????" wildcards mask the
        // 4-byte relative operand of call/jmp (e8/e9) instructions so the pattern
        // is not tied to one sample's addresses (see signator_config: callsandjumps).
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's selection score, not a YARA weight.
        $sequence_0 = { 84c0 0f848a010000 837dc810 c745c016000000 7406 8b45c8 }
            // n = 6, score = 100
            //   84c0                 | test                al, al
            //   0f848a010000         | je                  0x190
            //   837dc810             | cmp                 dword ptr [ebp - 0x38], 0x10
            //   c745c016000000       | mov                 dword ptr [ebp - 0x40], 0x16
            //   7406                 | je                  8
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]

        $sequence_1 = { 89c7 807e0100 0f85e2010000 6690 31f6 83c42c 89f0 }
            // n = 7, score = 100
            //   89c7                 | mov                 edi, eax
            //   807e0100             | cmp                 byte ptr [esi + 1], 0
            //   0f85e2010000         | jne                 0x1e8
            //   6690                 | nop                 
            //   31f6                 | xor                 esi, esi
            //   83c42c               | add                 esp, 0x2c
            //   89f0                 | mov                 eax, esi

        $sequence_2 = { 8d4301 8907 0fbe4b01 8d51d0 80fa09 770e 89c3 }
            // n = 7, score = 100
            //   8d4301               | lea                 eax, [ebx + 1]
            //   8907                 | mov                 dword ptr [edi], eax
            //   0fbe4b01             | movsx               ecx, byte ptr [ebx + 1]
            //   8d51d0               | lea                 edx, [ecx - 0x30]
            //   80fa09               | cmp                 dl, 9
            //   770e                 | ja                  0x10
            //   89c3                 | mov                 ebx, eax

        $sequence_3 = { 89d8 8bb328010000 e8???????? 8b7d04 3bb328010000 8b442434 }
            // n = 6, score = 100
            //   89d8                 | mov                 eax, ebx
            //   8bb328010000         | mov                 esi, dword ptr [ebx + 0x128]
            //   e8????????           |                     
            //   8b7d04               | mov                 edi, dword ptr [ebp + 4]
            //   3bb328010000         | cmp                 esi, dword ptr [ebx + 0x128]
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]

        $sequence_4 = { 894d9c 8d4dbc 39ca 746d 8b4dbc 894d98 8b4db8 }
            // n = 7, score = 100
            //   894d9c               | mov                 dword ptr [ebp - 0x64], ecx
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   39ca                 | cmp                 edx, ecx
            //   746d                 | je                  0x6f
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]
            //   894d98               | mov                 dword ptr [ebp - 0x68], ecx
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]

        $sequence_5 = { e9???????? 8b4dd4 29c1 89cf d1ff e9???????? 0fb702 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   29c1                 | sub                 ecx, eax
            //   89cf                 | mov                 edi, ecx
            //   d1ff                 | sar                 edi, 1
            //   e9????????           |                     
            //   0fb702               | movzx               eax, word ptr [edx]

        $sequence_6 = { 89d8 e9???????? 2b542418 89d1 d1fa 83fa01 745f }
            // n = 7, score = 100
            //   89d8                 | mov                 eax, ebx
            //   e9????????           |                     
            //   2b542418             | sub                 edx, dword ptr [esp + 0x18]
            //   89d1                 | mov                 ecx, edx
            //   d1fa                 | sar                 edx, 1
            //   83fa01               | cmp                 edx, 1
            //   745f                 | je                  0x61

        $sequence_7 = { 0f854effffff 8b4808 894dd8 8b480c 894ddc 8b4810 }
            // n = 6, score = 100
            //   0f854effffff         | jne                 0xffffff54
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]

        $sequence_8 = { 6683f8ff bb00000000 0f44fb e9???????? 8b4c2440 8854245c 8b01 }
            // n = 7, score = 100
            //   6683f8ff             | cmp                 ax, -1
            //   bb00000000           | mov                 ebx, 0
            //   0f44fb               | cmove               edi, ebx
            //   e9????????           |                     
            //   8b4c2440             | mov                 ecx, dword ptr [esp + 0x40]
            //   8854245c             | mov                 byte ptr [esp + 0x5c], dl
            //   8b01                 | mov                 eax, dword ptr [ecx]

        $sequence_9 = { e8???????? 8b7304 83ec08 8b03 8d7e01 3945e4 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b7304               | mov                 esi, dword ptr [ebx + 4]
            //   83ec08               | sub                 esp, 8
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8d7e01               | lea                 edi, [esi + 1]
            //   3945e4               | cmp                 dword ptr [ebp - 0x1c], eax

    // The 7-of-10 threshold tolerates up to three sequences being absent or
    // altered (e.g. build-to-build code differences). The filesize bound
    // presumably limits false positives on large binaries, but it will also
    // exclude unpacked dumps that exceed 2351104 bytes — keep that in mind when
    // scanning memory images.
    condition:
        7 of them and filesize < 2351104
}