General
-
Target
https://secure-web.cisco.com/1Umc06KOuz2Y7N1jB45XWrnLnqefU5Q6lURNr7bfyU8wD68K1WglfVcLvspgUxIgIhiUZBaFEWv0VzRLXiMBpba5XQPsudAR6HD9Y8HrQSSLEbgC0Q80qxJHf_9MBSOzLBqa-idrmKkQWD10lLCm7H7qfPQhNUc_Dz08BtfId1itcOeFStig4DI7z9BCWxW2NU_TFP-KHcCF5itfe_7Uzn9Kz7xgZHXQZ9G8iIAxwCUaS6RsxwbPObYYZ6yxPJ8uLrHbWFatZU-zVEmVVnvJYQtQ6uecFlI7EXQIT4s1EwvLZdWsv4DNTslm4tp4lxWsKVrqLNtV4wjEtoQTAit3GxQ/https%3A%2F%2Femail.replies.msgsndr.com%2Fc%2FeJwVjctqwzAQRb_GWorRw_J44UVxSSGB0m6zKZJGjoXl2EgKJfn6unDhwDmL638iDeOaWvF6_3D5tezf12U8wcjS5v8bftL1C5YbzmqKd3W-PHvDDj2hdZrFQYKUoIQCaIUWnKa-871UKJxCK6nRkMOeYih8Lbdyp8z9trJ5MDqg1XYiRc6agKBlGwBBGhJ9Z5ClYa51L416a-TpWOGRDgiQHbI8LHF1IacnL362Dwr5eKKt8lJtDfw38kf5A_2hQ64
-
Sample
220314-yh9xwadgdp
Malware Config
Targets
-
-
Target
https://secure-web.cisco.com/1Umc06KOuz2Y7N1jB45XWrnLnqefU5Q6lURNr7bfyU8wD68K1WglfVcLvspgUxIgIhiUZBaFEWv0VzRLXiMBpba5XQPsudAR6HD9Y8HrQSSLEbgC0Q80qxJHf_9MBSOzLBqa-idrmKkQWD10lLCm7H7qfPQhNUc_Dz08BtfId1itcOeFStig4DI7z9BCWxW2NU_TFP-KHcCF5itfe_7Uzn9Kz7xgZHXQZ9G8iIAxwCUaS6RsxwbPObYYZ6yxPJ8uLrHbWFatZU-zVEmVVnvJYQtQ6uecFlI7EXQIT4s1EwvLZdWsv4DNTslm4tp4lxWsKVrqLNtV4wjEtoQTAit3GxQ/https%3A%2F%2Femail.replies.msgsndr.com%2Fc%2FeJwVjctqwzAQRb_GWorRw_J44UVxSSGB0m6zKZJGjoXl2EgKJfn6unDhwDmL638iDeOaWvF6_3D5tezf12U8wcjS5v8bftL1C5YbzmqKd3W-PHvDDj2hdZrFQYKUoIQCaIUWnKa-871UKJxCK6nRkMOeYih8Lbdyp8z9trJ5MDqg1XYiRc6agKBlGwBBGhJ9Z5ClYa51L416a-TpWOGRDgiQHbI8LHF1IacnL362Dwr5eKKt8lJtDfw38kf5A_2hQ64
Score10/10-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
PlugX Rat Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-