plugx | 0e3e47697539f1773fb53114ab53229c0304d86ed35aec05e5f5bfdf3bd35f9a | Triage

Sharing

General

Target

0e3e47697539f1773fb53114ab53229c0304d86ed35aec05e5f5bfdf3bd35f9a
Size

2.0MB
Sample

220604-x9rd6sghfr
MD5

17651fec634498b8faf986e25876a06d
SHA1

29c09892f4d93f15d1ea9e53ebca61953eea4020
SHA256

0e3e47697539f1773fb53114ab53229c0304d86ed35aec05e5f5bfdf3bd35f9a
SHA512

971b3b3ef2f448dc8edb9dbf8f0481f66974008b52ed7063aea27cb6212c5153537678ea9d1ed52ae63c907668282d656d034bc5baecef0453a363922bb8b40e

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

C2

www.systeminfor.com:80

www.systeminfor.com:53

www.systeminfor.com:25

Attributes

folder
AvastProxyBpC

Targets

- Target
  
  Advance version of the 2020 Report of the Secretary-General on Peacebuilding and Sustaining Peace.exe
- Size
  
  341KB
- MD5
  
  e16dd9faeca97b4c185426e5672becba
- SHA1
  
  f32087a346bcc58dedcfe1bc32f221d486a385c7
- SHA256
  
  c21bfc263890f02763f56b4e9f5cf9113656cf09d7864b53ec2fd2024bdadd60
- SHA512
  
  582180e0c7b35660114d5b1d4d5c92d75615321a74d160c2c7bc92b91a2c2b7ed758d63e2bbbdb1658992da6fe7ac546d7f4ea9a6c73a4a503989ea6e1a22d6a
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  AvastProxy.exe
- Size
  
  56KB
- MD5
  
  feac3e6946ab9b39c66a8756a4a7468f
- SHA1
  
  b490fbb91ebf327173940f3ed93f518191abb5e8
- SHA256
  
  560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23
- SHA512
  
  55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b
Score

10^/10

plugx persistence trojan
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  Report of the Secretary-General on Peacebuilding and Sustaining Peace (advance version).pdf
- Size
  
  936KB
- MD5
  
  bc5f2edf0f23957e0fbbcd845c744eb2
- SHA1
  
  b0c167333780626ca8bd6b3b2a9fc54f20a59f34
- SHA256
  
  54b491541376bda85ffb02b9bb40b9b5adba644f08b630fc1b47392625e1e60a
- SHA512
  
  84f8c65a02dfd9db2286df405d711595e62ba114c8f911b30561b90818d579879542c4af09950ca8b8c2a9f82186e1cecc25933c17fef7c41e0fbf158d5ee102
Score

1^/10
behavioral5 behavioral6
- Target
  
  acrord32.dll
- Size
  
  972KB
- MD5
  
  e0977e26e7b850e20fd94fefc79af65f
- SHA1
  
  4a3749c33d235715a84ec4964e1d69d758645a82
- SHA256
  
  eef56bfc68959c6eaa66ab6abcaaf8fb54aa5b5a7da0866d97a1effeae0952b8
- SHA512
  
  5cc59cf2fe32f325861bdc593ceb71fe7bf348c3a4726418cda1b6a61b2c2da8cf734525f67df7d497592810f38184d8040c3bd62605885f3c140fce254e27ec
Score

8^/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral7 behavioral8
- Target
  
  wsc.dll
- Size
  
  76KB
- MD5
  
  fc83d5c67de996607b0a59d70e6ff711
- SHA1
  
  c44c923ab0331d3f7cee588eb73464ce93cf4ce4
- SHA256
  
  5a795c4b2a1a9c76791a516822ae0c9ec9d02780c41d2f6a6960a4ea15d68e34
- SHA512
  
  11cd6230ec8906dd91a2719bccb82f59bcbc027ba94959a7aae5614c4e8f9669d736abdaade1cc0d1183bb7db3a7391fc7be14c6e5685e312e5f48a625c83f81
Score

1^/10
behavioral9 behavioral10

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

plugxpersistencetrojan

behavioral4

plugxpersistencetrojan

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10