General

  • Target

    331317B4CAE70B90441E0A2C8FB2E6C6.exe

  • Size

    380KB

  • Sample

    210523-x8w7y262e2

  • MD5

    331317b4cae70b90441e0a2c8fb2e6c6

  • SHA1

    a69df46202eb2497bad5c4ddc39e0e83efb8482a

  • SHA256

    13282c40dd66c53e866c60202f428781cf9562bb0f02e30027ebb7fb41efb5b8

  • SHA512

    b4f890eadc675d74500e0b4ffd4964f1b73702995ab6ec685a64282b535415d8193d5e7e4535f223f3446e29b16e65447d9c6a1b2ce9f342c062a02cc9236342

Malware Config

Targets

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks