Overview

overview

10

Static

static

AAM Update...in.exe

windows7_x64

10

AAM Update...in.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    AAM UpdatesHtA.bin.zip

  • Size

    360KB

  • Sample

    210304-gnzekqkcxe

  • MD5

    a59f98855dc9f8479d310b1b883301ee

  • SHA1

    28be9423af865ed73ef8aac887f4bdbe0db9c81a

  • SHA256

    d531c8a488aea1f8bb428526fc913801441b01c0742213e7d7fbed3b9163d354

  • SHA512

    37614ccfb1fda2ac22b7a6acb5cd944ced71e003608842ffc50f9fbd376d12599dd9083d45829eba4cf01d4ff25b2d968567743cf29c2f130e5de523ddee90e9

Score
10/10
plugxpersistencetrojan

Malware Config

Extracted

Family

plugx

C2

45.251.240.55:443

45.251.240.55:8080

45.251.240.55:8000
Mutex

EDysZYTmoiuUydWatmWb

Attributes
  • folder

    AAM UpdatesHtA

Targets

    • Target

      AAM UpdatesHtA.bin

    • Size

      485KB

    • MD5

      eb941fbca579d3c0966de86b904fc298

    • SHA1

      d2aa567fa30befa6e082376b11587aa0f3b0d5b7

    • SHA256

      d64afd9799d8de3f39a4ce99584fa67a615a667945532cfa3f702adbe27724c4

    • SHA512

      168e5fbbd86950cf409ac2f50d5b0b81c295d8c291077d974d1adad11313c3a4ccb9e5d623a5769136cce3eba33b35acb4f39f6fd1c9323ea0ceb46eb85991f5

    Score
    10/10
    plugxpersistencetrojan

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

      trojanplugx

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks