General
-
Target
lufdgThK9EuYSwgOb6xdwvcF.bin.zip
-
Size
5.9MB
-
Sample
210224-vaaheq6f3j
-
MD5
d9931d87184cc551a753025d3323570a
-
SHA1
ed2c83a3dfd36070a9c278d89f2d14fc927c0af7
-
SHA256
da3955c8a84533b421a22f286e8f362179fa37ac60348d1312516a94b08e5d8b
-
SHA512
8608dc8e4dfddbac73175ae4f7844238ea62c50d8f8124ee7b2eaeb04e785506fca0b5028c9f49b4a06dc879f684d476bf7994b008921644bed7072c45413883
Malware Config
Targets
-
-
Target
lufdgThK9EuYSwgOb6xdwvcF.bin
-
Size
6.0MB
-
MD5
f5cca3aa7de2478569d38c765654267d
-
SHA1
7dfd05dd62788dd43289e2032f00006789e71311
-
SHA256
280aa9de9a1db7e8c380b811e80f30a12b592222fe304b578ea1efcb2ac340e5
-
SHA512
0a78ae90699d7b8834946368c9d2d8e87d9a6c610d9cc2d26fe9c2e1e80173331d55beeb28c40f17831daf29132fb40c9fe670334b9626e349eeeb0a28acb57d
Score10/10-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Nirsoft
-
Executes dropped EXE
-
Suspicious Office macro
Office document equipped with 4.0 macros.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-