Malware Analysis Report

2024-10-19 02:31

Sample ID 220329-kex71sghem
Target 6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953
SHA256 6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953
Tags
plugx discovery persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953

Threat Level: Known bad

The file 6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953 was found to be: Known bad.

Malicious Activity Summary

plugx discovery persistence trojan

PlugX Rat Payload

PlugX

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-29 08:31

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-29 08:31

Reported

2022-03-29 08:34

Platform

win10v2004-en-20220113

Max time kernel

35s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe"

Signatures

PlugX

trojan plugx

PlugX Rat Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
Target: N/A

Adds Run key to start application

persistence
Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run
Process: C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Routes = "C:\\Users\\Admin\\AppData\\Roaming\\Routes\\Routes.exe --oVWJq23b"
Process: C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
Target: N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe

"C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe"

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--oVWJq23b"

Network

Country Destination Domain Proto
NL 142.250.179.206:80 www.google-analytics.com tcp
US 8.8.8.8:53 paybiz.herokuapp.com udp
US 54.224.34.30:443 paybiz.herokuapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\NsisCrypt.dll

MD5 a3e9024e53c55893b1e4f62a2bd93ca8
SHA1 aa289e93d68bd15bfcdec3bb00cf1ef930074a1e
SHA256 7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad
SHA512 a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

MD5 21d576908f453edf021aa530e722b326
SHA1 d88d7ff3db017b86dc0c97120718c9672e12f2da
SHA256 d7e1e0f54ba52510489aaa75b005bc80412989288075f28532229b33fdeb2980
SHA512 5ec7431b87c85d1e5c514ef0f9725fe4bb166d2dcc052f25808a95645c453b4ab3c39745ec396af66c2b84c85bd64c3ef0088aa629010e482f1d7b015951c47e

C:\Users\Admin\AppData\Roaming\Routes\nw_elf.dll

MD5 493a0d17daaa2f1a0c2e5723ed748e05
SHA1 316f77ac6e8aea60e76ebd4bbbe4ff5c65a59ae4
SHA256 a0f65b98cf5425335345c736fd026d5cf8984283e402dc746092c1edd7f4ebd7
SHA512 7c87e1cf803dbe785f58be5f633c19e00d0c61f3a7759e5da3a90cc5e97165d833866872c50a0a52e42b80056a98e1020d02cd6c8f81efe4e76452f20a139f84

C:\Users\Admin\AppData\Roaming\Routes\nw.dll

MD5 1f05c1781050415f90f28bc960f69a7b
SHA1 3f148269bd26e5b598cbfe4aa50139e67747b282
SHA256 39b11a34a235038b943b043de6dd8ca1d16182f934cff74cd7b2967ae8c7bb19
SHA512 64169f010c9e42c4dba068d5f2da762537cb2094483a55c6de2a304d0dbbff5462ff40afd889571227b8844256999dfb4277d4029b2292d22347641b27ff78dd

memory/1852-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Routes\ffmpeg.dll

MD5 0644850e99415a97cab58768d748882a
SHA1 cb499d7e6e63c0486cfdafa7ffe1b8a2335e1f6a
SHA256 935fcb56f2451633061a0418b8f65d966de2d2688788eac1ca8419ae5c5752c0
SHA512 88241c79023583c5baa1f931f14286c25ae583552ab2e881f4ed5c1208679ac11d98c9d4452525289db9ecae4aa663819ce7a923094d5d872bd4a0b2f79ac448
