General

  • Target: FBDDC2BF724AF868D8AA5F0D08700151.exe
  • Size: 5.3MB
  • Sample: 210608-xhlmq8s85n
  • MD5: fbddc2bf724af868d8aa5f0d08700151
  • SHA1: 2cab05f7d25f9503ab5a5ea133cefcc356908a2d
  • SHA256: 3acec6ce8556a3f24033df05f6e71ab604577eb541b437acd3ebfdb6644c4931
  • SHA512: 63b26cf28460eaf96a0f8cfbc2598c5bbf80b0e1345470d32df2b5cbc43116efbd8eb77a8f49a7b8f2e1430ae20772d48b6403e8bcff91d32619a126d5bcc449

Malware Config

Targets

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks for common network interception software

      Looks in the registry for tools such as Wireshark or Fiddler, which are commonly used to analyze network activity.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • VMProtect packed file

      Detects executables packed with the commercial VMProtect packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up entries under the Uninstall registry key to enumerate the software installed on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to find the infected system's external IP address.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks