{
	"id": "dad802ae-694f-4c14-b5c4-716266618021",
	"created_at": "2026-04-06T00:17:25.491436Z",
	"updated_at": "2026-04-10T03:21:47.119658Z",
	"deleted_at": null,
	"sha1_hash": "5961a5d709b9ba179ff52f69d9d56923dc4d8101",
	"title": "NullMixer: oodles of Trojans in a single dropper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1191886,
	"plain_text": "NullMixer: oodles of Trojans in a single dropper\r\nBy Haim Zigel\r\nPublished: 2022-09-26 · Archived: 2026-04-05 16:31:13 UTC\r\nExecutive Summary\r\nNullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via\r\nmalicious websites that can be found mainly via search engines. These websites are often related to crack, keygen\r\nand activators for downloading software illegally, and while they may pretend to be legitimate software, they\r\nactually contain a malware dropper.\r\nIt looks like these websites are using SEO to stay at the top of search engine results, making them easy to find\r\nwhen searching the internet for “cracks” and “keygens”. When users attempt to download software from one of\r\nthese sites, they are redirected multiple times, and end up on a page containing the download instructions and\r\narchived password-protected malware masquerading as the desired piece of software. When a user extracts and\r\nexecutes NullMixer, it drops a number of malware files to the compromised machine. These malware families\r\nmay include backdoors, bankers, credential stealers and so on. For example, the following families are among\r\nthose dropped by NullMixer: SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie, ColdStealer.\r\nTechnical Details\r\nInitial infection\r\nThe infection vector of NullMixer is based on a ‘User Execution’ (MITRE Technique: T1204) malicious link that\r\nrequires the end user to click on and download a password-protected ZIP/RAR archive with a malicious file that is\r\nextracted and executed manually.\r\nThe whole infection chain of NullMixer is as follows:\r\nThe user visits a website to download cracked software, keygens or activators. 
The campaign appears to\r\ntarget anyone looking to download cracked software, and uses SEO techniques to make these malicious\r\nsites more prominent at the top of search engine results.\r\nhttps://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/\r\nPage 1 of 23\n\nTop Google search engine results for “crack software” contain malicious websites delivering NullMixer\r\nThe user clicks on the download link for the desired software.\r\nThe link redirects the user to another malicious website.\r\nThe malicious website redirects the user to a third-party IP address webpage.\r\nThe webpage instructs the user to download a password-protected ZIP file from a file sharing website.\r\nMalware execution instructions\r\nThe user extracts the archived file with the password.\r\nThe user runs the installer and executes the malware.\r\nExample of NullMixer infection chain execution\r\nNullMixer description\r\nNullMixer is a dropper that includes more than just specific malware families; it drops a wide variety of malicious\r\nbinaries to infect the machine with, such as backdoors, bankers, downloaders, spyware and many others.\r\nNullMixer execution chain\r\nThe real infection occurs when the user extracts the ‘win-setup-i864.exe’ file from the downloaded password-protected archive and runs it. The ‘win-setup-i864.exe’ file is an NSIS (Nullsoft Scriptable Install System)\r\ninstallation program, which is a very popular installation instrument used by many software developers. In our\r\ncase, it dropped and launched another file, ‘setup_installer.exe’, that is in fact an SFX archive ‘7z Setup SFX’\r\nwrapped into a Windows executable. The ‘setup_installer.exe’ file dropped dozens of malicious files. 
But instead\r\nof launching them, it launches a single executable – setup_install.exe – which is a NullMixer starter component.\r\nNullMixer’s starter launches all the dropped executable files. To do so, it contains a list of hardcoded file names,\r\nand launches them one by one using ‘cmd.exe’.\r\nList of files hardcoded into NullMixer starter component\r\nNullMixer execution chain\r\nIt also tries to change Windows Defender settings using the following command line.\r\n\"cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable\"\r\nImmediately after all the dropped files have been launched, the NullMixer starter beacons to the C\u0026C about a\r\nsuccessful installation. From this point, all the dropped and launched malicious files are left to their own devices.\r\nWith a little monitoring we can identify a wide variety of malicious binaries that are spread by the NullMixer\r\nmalware.\r\nNullMixer and malware families it drops\r\nSince the number of families turned out to be quite large, we decided to give only a brief description of each in\r\nthis report. A full technical description will be provided in subsequent reports.\r\nSmokeLoader\r\nSmokeLoader (aka Smoke) is a modular malware that has been known since 2011, distributed via phishing emails\r\nand drive-by downloads. It has evolved its capabilities with additional modules over the years. For example,\r\ndisabling of Windows Defender and anti-analysis techniques have been added to the malware. 
However, most\r\nthreat actors only use the main functionality – payload downloading and executing.\r\nIn contrast to the simplest downloaders that download malicious files using hardcoded static URLs, SmokeLoader\r\ncommunicates with the C\u0026C in order to receive and perform download tasks.\r\nRedLine Stealer\r\nRedLine Stealer has been known since early 2020 and developed through 2021. The malware is known to be sold\r\non online forums, and distributed via phishing emails.\r\nA newer method of spreading RedLine Stealer is by luring Windows 10 users to get fake Windows 11 upgrades.\r\nWhen the user downloads and executes the binary, they’re actually running the malware.\r\nRedLine’s main purpose is to steal credentials and information from browsers, in addition to stealing credit card\r\ndetails and cryptocurrency wallets from the compromised machine. Moreover, the malware also collects\r\ninformation about the system, such as: username, hardware details and installed security applications.\r\nPseudoManuscrypt\r\nPseudoManuscrypt has been known since June 2021, and used as MaaS (Malware as a Service).\r\nPseudoManuscrypt doesn’t target particular companies or industries, but it has been observed that industrial and\r\ngovernment organizations, including enterprises in the military-industrial complex and research laboratories, are\r\nthe most significant victims.\r\nThe malware is known to be distributed via other botnets such as Glupteba. The main aim of the\r\nPseudoManuscrypt threat actors is to spy on their victims by stealing cookies from Firefox, Google Chrome,\r\nMicrosoft Edge, Opera, and Yandex Browser, keylogging and stealing cryptocurrency by utilizing the ClipBanker\r\nplugin. A distinctive feature of the malware is the use of the KCP protocol to download additional plugins.\r\nColdStealer\r\nColdStealer is a relatively new malicious program that was discovered in 2022. 
Like many other stealers, its main\r\npurpose is to steal credentials and information from web browsers, in addition to stealing cryptocurrency wallets,\r\nFTP credentials, various files and information about the system such as OS version, system language, processor\r\ntype and clipboard data. The only known method of delivering stolen information to cybercriminals is by sending\r\na ZIP archive to an embedded control center.\r\nColdStealer Main() function\r\nFormatLoader\r\nFormatLoader is a downloader that got its name for using hardcoded URLs as format strings, where it needs to fill\r\na single digit to get a link to download an additional binary. The available digit range is also hardcoded.\r\nhttps://signaturebusinesspark[.]com/360/fw%d.exe =\u003e https://signaturebusinesspark[.]com/360/fw3.exe\r\nhttps://signaturebusinesspark[.]com/360/fw%d.exe =\u003e https://signaturebusinesspark[.]com/360/fw4.exe\r\n…\r\nhttps://signaturebusinesspark[.]com/360/fw%d.exe =\u003e https://signaturebusinesspark[.]com/360/fw6.exe\r\nFormatLoader’s main purpose is to infect the machine with an additional malicious file by downloading the binary\r\nto the compromised machine. To do so, the malware adds digits from the hardcoded range one by one to the\r\nhardcoded format strings, and accesses the download links.\r\nIn addition, FormatLoader uses a third-party website service for tracking the compromised machine. It sends a\r\n‘GET’ request to a specific URL of an IP logger service, which collects information such as IP address and IP-based geolocation.\r\nCsdiMonetize\r\nCsdiMonetize is known to be an advertising platform that used to install many different PUAs (Potentially\r\nUnwanted Applications) on a Pay-Per-Install basis after infecting the user’s machine. 
Later on, rather than just\r\ninfecting their victims with PUAs, CsdiMonetize began infecting their victims with actual Trojans, like the\r\nGlupteba malware.\r\nNowadays, CsdiMonetize infects its victims with additional malware family types such as: Fabookie, Disbuk,\r\nPseudoManuscrypt and more.\r\nCsdi execution chain\r\nThe infection begins with NSIS installer ’61f665303c295_Sun1059d492746c.exe’, which downloads the Csdi\r\ninstaller ‘MSEkni.exe‘. The Csdi installer requests the current configuration from the C\u0026C and a list of additional\r\nCsdi components to install. Configuration is stored in several registry keys in encrypted and base64 encoded form.\r\nThe next step is to download additional components, the most notable being publisher and updater components.\r\nThe Csdi publisher component is responsible for showing advertisements by launching the browser with URLs as\r\ncommand line parameters. The updater component is responsible for a Pay-Per-Install service. It receives the list\r\nof URLs from the C\u0026C and instructions on how to drop and execute downloaded files.\r\nDisbuk\r\nDisbuk (aka Socelar) is known to disguise itself as a legitimate application, such as PDF editor software.\r\nThis malware was found to mainly target Facebook Ads and evolved to steal Facebook session cookies from\r\nChrome and Firefox by accessing the browser’s SQLite database. After retrieving this information, the malware\r\nattempts to extract additional information like access tokens, account IDs, etc. After further evolution, Disbuk has\r\nalso started retrieving Amazon cookies.\r\nBesides stealing data, Disbuk also installs a malicious browser extension that masquerades as a Google Translate\r\nextension. To get more information about a user’s Facebook account, Disbuk queries Facebook Graph API.\r\nFabookie\r\nFabookie is another stealer that targets Facebook Ads. 
Its functionality is similar to the Disbuk malware, and\r\nincludes stealing Facebook session cookies from browsers, using Facebook Graph API Queries to receive\r\nadditional information about a user’s account, linked payment method, balance, friends, etc. Stolen credentials can\r\nlater be used to run ads from the compromised account.\r\nUnlike Disbuk, this malware does not contain built-in malicious browser extensions, but contains two embedded\r\nNirSoft utilities – ‘Chrome Cookies View’ and ‘Web Browser Password Viewer’ – that are used to extract data\r\nfrom browsers.\r\nDanaBot\r\nDanaBot is a Trojan-Banker written in Delphi that spreads via email phishing, and is known to have evolved since\r\nit was discovered in 2018.\r\nDanaBot is a modular malware that includes various additional modules; the most popular functionalities of these\r\nmodules are stealing information from compromised machines and injecting fake forms into popular ecommerce\r\nand social media sites to collect payment data. It can also provide full access to infected systems with remote\r\ndesktop, or mouse and keyboard access by utilizing a VNC plugin.\r\nRacealer\r\nRacealer (aka RaccoonStealer) is known to be a stealer-type malware that mostly extracts user credentials and\r\nexfiltrates data from compromised machines.\r\nRaccoon is also known to have evolved over the years since it was discovered in 2019. For example, it now uses\r\nTelegram to retrieve C\u0026C IP addresses and malware configurations. Moreover, additional modules are now being\r\ndownloaded from the malware’s C\u0026Cs that are also used to extract credentials.\r\nGeneric.ClipBanker\r\nGeneric.ClipBanker is a clipboard hijacker malware that monitors the clipboard of the compromised machine, and\r\nspecifically searches for cryptocurrency addresses in order to replace them. 
When a user copies an address of a\r\ncryptocurrency wallet, the malware replaces the address of the wallet with their own cryptocurrency wallet\r\naddress, so the end user sends cryptocurrencies (such as Bitcoin) to them rather than to the intended wallet\r\naddress.\r\nScreen with cryptocurrency addresses from Generic.ClipBanker binary\r\nSgnitLoader\r\nThe SgnitLoader is a small Trojan-Downloader written in C#. The downloader binary size is about 15 Kbytes.\r\nHowever, the original file is packed with Obsidium, which makes the binary size grow to more than 400 Kbytes.\r\nThe SgnitLoader contains a few hardcoded domains in its binary, to which it appends the path and adds a number\r\nfrom 1 to 7. Unlike the FormatLoader malware, it doesn’t use a format string, but simply adds a number to the end\r\nof the string in order to get the full URL.\r\n\"https://presstheme[.]me/\" + \"?user=\" + \"l10_\" + \"1\"   =\u003e   \"https://presstheme.me/?user=l10_1\"\r\n\"https://presstheme[.]me/\" + \"?user=\" + \"l10_\" + \"2\"   =\u003e   \"https://presstheme.me/?user=l10_2\"\r\n…\r\n\"https://presstheme[.]me/\" + \"?user=\" + \"l10_\" + \"7\"   =\u003e   \"https://presstheme.me/?user=l10_7\"\r\nAfter the download and execute procedures are completed, SgnitLoader pings back to the C\u0026C with a ‘GET’\r\nrequest. The original pingback URL is hidden with the ‘iplogger.org’ URL shortener service.\r\nShortLoader\r\nAnother small Trojan-Downloader written in C#. Its binary is half the size of SgnitLoader. Its main function code\r\nis fairly short and it uses the ‘IP Logger‘ URL shortener service to hide the original URL that it downloads the\r\npayload from. 
That’s why it’s called ShortLoader.\r\nShortLoader Main() function\r\nDownloader.INNO\r\nThe original file is an ‘Inno Setup’ installer that utilizes ‘Inno Download Plugin’ download functionality.\r\nThe setup script is programmed to download a file from the URL ‘http://onlinehueplet[.]com/77_1.exe‘, placing it\r\ninto the ‘%TEMP%‘ directory as ‘dllhostwin.exe‘ and executing it with the string ’77’ as an argument.\r\nPart of Inno Setup installation script\r\nThe downloaded file belongs to the Satacom Trojan-Downloader family. However, in the course of our research\r\nwe discovered that this file was replaced on the server with legitimate PuTTY software, a popular SSH client.\r\nLgoogLoader\r\nThis file is another software installer that uses the Microsoft Cabinet archive-file format. After execution, it drops\r\nthree files: a batch file, an AutoIt interpreter with a stripped executable header and an AutoIt script. Then it\r\nexecutes the batch file with ‘cmd.exe’. The task of the batch file is to restore the AutoIt interpreter executable, and\r\nlaunch it with a path to the AutoIt script as a command line argument.\r\nThe AutoIt script performs a few AntiVM and AntiDebug checks. If all the checks are successful, then it starts the AutoIt\r\ninterpreter once again, decrypts and decompresses the embedded executable and injects it into the newly created\r\nprocess. The injected executable is LgoogLoader.\r\nLgoogLoader is a Trojan-Downloader that downloads an encrypted configuration file from a hardcoded static\r\nURL. It then decrypts the configuration, extracts additional URLs from it and downloads and executes the final\r\npayloads. 
It was called LgoogLoader due to its use of strings from ‘Google Privacy Policy’.\r\nGoogle Privacy Policy strings in LgoogLoader’s binary\r\nDownloader.Bitser\r\nThe original file is an NSIS installer that tries to install PUA: Lightening Media Player. The file is downloaded by\r\nCsdiMonetize’s updater component (MD5: 98f0556a846f223352da516af66fa1a0). However, the installation script\r\nis configured not only to set up Lightening Media Player, but also to run the built-in Windows utility ‘bitsadmin’\r\nto download additional files, which is why we call it Bitser. In our case, the utility was used inside the installation\r\nscript of the NSIS installer, and used to download a 7z password-protected archive. The password for the 7z\r\narchive and instructions for unpacking and execution are also hardcoded into the installation script.\r\nDownloader.Bitser’s infection chain\r\nA legitimate 7-Zip Standalone Console application is dropped by the installer under the name ‘data_load.exe‘ and\r\nlaunched with arguments to unpack files from the downloaded archive.\r\nPart of NSIS script with download and execute instructions\r\nC-Joker\r\nC-Joker is an incredibly simple Exodus wallet stealer. It uses the Telegram API to send notifications about\r\nsuccessful or failed installations. In order to steal credentials, it downloads a backdoored version of the ‘app.asar’\r\nfile and replaces the original file from the Exodus wallet.\r\nString in C-Joker’s binary\r\nPrivateLoader\r\nPrivateLoader is yet another example of a Pay-Per-Install malicious loader like LgoogLoader and SmokeLoader. 
It\r\nuses a single-byte XOR encryption key to receive URLs from the control center.\r\nSatacom\r\nSatacom is also known as LegionLoader. Discovered in 2019, Satacom uses different anti-analysis tricks that were\r\nprobably borrowed from the al-khazer stress tool. The embedded user agent varies from sample to sample, but in\r\nour case the user agent is “deus vult”.\r\nStrings in Satacom binary\r\nThe latest version receives the main control center address from a DNS TXT record. Satacom sends a DNS TXT query to\r\n‘reosio.com‘ and receives a response with a base64 encoded string.\r\nSatacom DNS request and response\r\nAfter decoding and decrypting with the XOR key “DARKMATTER” it gets the real C\u0026C URL ‘banhamm.com‘.\r\nSatacom C\u0026C communication\r\nGCleaner\r\nGCleaner is another Pay-Per-Install malicious loader. It was discovered at the beginning of 2019. Initially it was\r\ndistributed as a cleaning tool called Garbage Cleaner or G-Cleaner through a fake website mimicking popular\r\ncleaning tools like CCleaner. The main loader was used to download potentially unwanted applications together\r\nwith malware such as Azorult, Vidar, PredatorTheThief, miners and so on. GCleaner is now distributed by various\r\ncrack websites along with other malware. This PPI platform uses C\u0026C-based geolocation targeting, meaning it\r\ncan push different malware depending on the victim’s IP address. Although the GCleaner loader is no longer\r\nmimicking cleaning tools, there are still some remnants of this in its binary code such as encrypted strings like\r\n“Software\\GCleaner\\Started” or “\\Garbage.Cleaner”. The sample of GCleaner that we detected when analyzing\r\nthis campaign was trying to download the Vidar password stealer.\r\nVidar\r\nVidar is an info-stealer. 
It downloads DLL files freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll and\r\nvcruntime140.dll from its C\u0026C for use in password-grabbing routines. Vidar can also receive settings from the\r\nC\u0026C that tell it exactly what to do. It is able to steal autofill information from web browsers, cookies, saved\r\ncredit cards, browser history, coin wallets and Telegram databases. It can also make and send screenshots to the\r\nC\u0026C, as well as any file that matches a specified mask.\r\nVidar downloads DLL files and uploads collected data\r\nVictims\r\nSince the beginning of the year we’ve blocked attempts to infect more than 47,778 victims worldwide. Some of\r\nthe most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.\r\nAttribution\r\nWe are currently unable to directly attribute NullMixer to any group.\r\nConclusions\r\nTrying to save money by using unlicensed software can be costly. A single file downloaded from an unreliable\r\nsource can lead to a large-scale infection of a computer system. As we can see, a large proportion of the malware\r\nfamilies dropped by NullMixer are classified as Trojan-Downloaders, which suggests infections will not be\r\nlimited to the malware families described in this report. 
Many of the other malware families mentioned here are\r\nstealers, and compromised credentials can be used for further attacks inside a local network.\r\nAppendix I – Indicators of Compromise\r\nMalicious URLs\r\nhxxps://azilominehostz.xyz/\r\nhxxps://patchlinks.com/\r\nhxxp://137.184.159.42/\r\nhxxp://185.186.142.166/wallet.exe\r\nhxxps://dll1.stdcdn.com/\r\nhxxp://tg8.cllgxx.com/hp8/g1/yrpp1047.exe\r\nhxxp://eurekabike.com/pmzero/design/img/LightCleaner9252839.exe\r\nhxxps://i.xyzgamei.com/gamexyz/2201/random.exe\r\nhxxp://www.sxhxrj.com/askhelp35/askinstall35.exe\r\nhxxps://presstheme.me/\r\nhxxp://remviagra.com/pub1.exe\r\nhxxp://privacy-tools-for-you-782.com/downloads/toolspab2.exe\r\nhxxps://cdn.discordapp.com/attachments/917889480646590537/935966171835031612/Cube_WW6.exe\r\nhxxp://onlinehueplet.com/77_1.exe\r\nhxxps://cdn.discordapp.com/attachments/934006169125679147/943432754161410108/WW19.exe\r\nhxxp://privacy-tools-for-you-791.com/downloads/toolspab1.exe\r\nhxxps://cdn.discordapp.com/attachments/917889480646590537/943130993404018709/Fixtools.exe\r\nhxxp://stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe\r\nhxxp://104.168.215.231/kde.exe\r\nhxxp://careerguide4u.online/wp-content/plugins/google-analytics-for-wordpress/BlackCleanerSetp521234.exe\r\nhxxps://i.xyzgamei.com/gamexyz/2203/random.exe\r\nhххp://zenitsu.s3.pl-waw.scw.cloud/pub-summoning/poweroff.exe\r\nhххps://tengenuzui.s3.pl-waw.scw.cloud/makio/cpm_pr_vp46up4d6j_.exe\r\nhххps://tengenuzui.s3.pl-waw.scw.cloud/makio/updto_bgn64wau5x_date.exe\r\nhххps://tengenuzui.s3.pl-waw.scw.cloud/makio/handler_wbba4vzm89rxskhs.exe\r\nhxxps://i.xyzgamei.com/gamexyz/25/random.exe\r\nhххps://v.xyzgamev.com/25.html\r\nhххps://v.xyzgamev.com/login.html\r\nhxxp://jackytpload.su/campaign6/autosubplayer.exe\r\nhxxps://gc-distribution.biz/pub.php?pub=five\r\nhxxp://www.sxhxrj.com/askhelp42/askinstall42.exe\r\nhxxps://flexnet
informatica.com.br/wp-content/plugins/elementor/assets/LightCleaner2132113.exe\r\nhxxp://stylesheet.faseaegasdfase.com\\/hp8/g1/siww1053.exe\r\nhxxps://source3.boys4dayz.com/installer.exe\r\nhxxps://signaturebusinesspark.com/360/fw3.exe\r\nhxxps://signaturebusinesspark.com/360/fw4.exe\r\nhxxps://signaturebusinesspark.com/360/fw6.exe\r\nhxxps://cdn.discordapp.com/attachments/937783814208491553/937784072967692368/SecondFile.exe\r\nhххps://v.xyzgamev.com/23.html\r\nhххps://v.xyzgamev.com/login.html\r\nMalware C\u0026Cs\r\n178.62.113[.]205/runtermo\r\n185.163.204[.]22/runtermo\r\n185.163.45[.]70/runtermo\r\n185.186.142[.]166\r\n185.215.113[.]10\r\n185.38.142[.]132\r\n212.193.30[.]21/base/api/\r\n212.193.30[.]45/proxies.txt\r\n5.9.224[.]217\r\n92.255.57[.]115\r\nads-memory[.]biz\r\nall-mobile-pa1ments.com[.]mx\r\nall-smart-green[.]com\r\nam1420wbec[.]com/upload/\r\nappwebstat[.]biz\r\nbanhamm[.]com\r\nbuy-fantasy-fo0tball.com[.]sg\r\nbuy-fantasy-gmes.com[.]sg\r\nconnectini[.]net\r\ndll1.stdcdn[.]com\r\ndollybuster[.]at/upload/\r\negsagl[.]com/upload/\r\nenter-me[.]xyz\r\nfennsports[.]com/upload/\r\nfile-coin-host-12[.]com\r\nginta[.]link\r\nhhiuew33[.]com/check/safe\r\nhost-data-coin-11[.]com\r\nislamic-city[.]com/upload/\r\nmordo[.]ru/upload/\r\nnahbleiben[.]at/upload/\r\nnoblecreativeaz[.]com/upload/\r\none-wedding-film[.]com\r\npiratia-life[.]ru/upload/\r\npresstheme[.]me\r\nreal-enter-solutions[.]xyz\r\nrecmaster[.]ru/upload/\r\nremik-franchise[.]ru/upload/\r\nreoseio[.]com\r\nsignaturebusinesspark[.]com\r\nsovels[.]ru/upload/\r\nspaldingcompanies[.]com/upload/\r\ntoa.mygametoa[.]com\r\ntopexpertshop[.]com\r\ntopniemannpicksh0p[.]cc\r\ntvqaq[.]cn/upload/\r\nwhsddzs[.]com/Home/Index/djksye\r\nColdStealer 
hashes\r\n06B31367D65A411B1F2A7B3091FB31D4\r\n584B186152A16161E502816BF990747C\r\nC41A85123AF144790520F502FE190110\r\nCsdiMonetize hashes\r\n5B14369C347439BECACAA0883C07F17B\r\n7E58613DDB2FDD10EED17BBCE5B3E0A9\r\n883403C940B477CEE083EFEEA8C252C6\r\n98F0556A846F223352DA516AF66FA1A0\r\nCEADA3798FD16FAC13F053D0C6F4D198\r\nDanaBot hashes\r\nD91325640F392D33409B8F1B2315B97C\r\nDisbuk hashes\r\n3739256794EBF9BA8C6597A4687C8799\r\nFBD3940D1AD28166D8539EAE23D44D5B\r\nDownloader.Bitser hashes\r\nAAEFF1F8E7BD3A81C69C472BCD211A7B\r\nDownloader.INNO hashes\r\nE65BF2D56FCAA18C1A8D0D481072DC62\r\nFabookie hashes\r\n33F7383C2EB9B20E11E6A149AA62DEA4\r\n79400B1FD740D9CB7EC7C2C2E9A7D618\r\nFormatLoader hashes\r\nB8ECEC542A07067A193637269973C2E8\r\nGCleaner hashes\r\n42100BAF34C4B1B0E89F1C2EF94CF8F8\r\nGeneric.ClipBanker hashes\r\n4D75DEA49F6BD60F725FAE9C28CD0960\r\nLgoogLoader hashes\r\nCC722FD0BD387CF472350DC2DD7DDD1E\r\n4008D7F17A08EFD3FBD18E4E1BA29E00\r\nB2A2F85B4201446B23A250F68051B4DC\r\nNullMixer hashes\r\n4EC312D77817D8FB90403FF87B88D5E3\r\n12DBC75B071077042C097AFD59B2137F\r\nF94BF1734F34665A65A835CC04A4AD95\r\nPrivateLoader hashes\r\n362592241E15293C68D0F24468723BBB\r\n7875AAB3E23F885DF12FF62D9EF5DB50\r\nPseudoManuscrypt hashes\r\nB0448525C5A00135BB5B658CC6745574\r\nD5C1C44D19D8D6E8C0F739CAB439E45E\r\nRacealer hashes\r\n4FEBA8683DAA18545E9F9408E4CD07BD\r\nRedLine hashes\r\n446119332738133D3ECD2D00EBE5D0EC\r\n5994DE41D8B4ED3BBB4F870A33CB839A\r\n9F8800BF866E944EFB2034EC56ED574E\r\nAC458CABFED224353545707DF966A2BA\r\nAF817AAD791628143019FFDE530D0EF7\r\nSatacom hashes\r\n2086E25FB651F0A8D713024DE2168B9B\r\nSgnitLoader hashes\r\nB2620FFE40493FDF9E771BFF3BDCBC44\r\n4DD3F638D4C370ABEB3EBF59CAD8ED2F\r\nShortLoader hashes\r\nCE54B9287C3E4B5733035D0BE085D989\r\nSmokeLoader hashes\r\n9F1EAA0FF990913F7D4DFD31841DE47A\r\nVidar hashes\r\n639DE55E338BFCEA8DAAE727141AF3D1\r\nSource: 
https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/"
	],
	"report_names": [
		"107498"
	],
	"threat_actors": [],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5961a5d709b9ba179ff52f69d9d56923dc4d8101.pdf",
		"text": "https://archive.orkl.eu/5961a5d709b9ba179ff52f69d9d56923dc4d8101.txt",
		"img": "https://archive.orkl.eu/5961a5d709b9ba179ff52f69d9d56923dc4d8101.jpg"
	}
}