plugx

General

Target

SPCapIQProOffice-1.0.22211.1.exe
Size

673KB
Sample

220927-tlg9taehhj
MD5

43a7f7024eb8795b902b4ba14b600840
SHA1

b7a192a8dc5470e1195d129bb760c971ee2ba202
SHA256

dc5cebf756baf365971ac3ff0655a40d4b57fe115a762c90d0f41897a7bfb609
SHA512

492c88910a0731045df2aa54b6bd0011055533ec437d9c762e21a1c6aaaf7d7e8c8f11f3e6e462a05684e76a58b71aa6c5934cf6e06d40492c06832c1396985a
SSDEEP

12288:/AjuakTOfDlEU4HWDblFlOTPThNp5aNUgrI7QCq8:ou/OfDlEUKWflmTP3parX8

Score

10^/10

Malware Config

Targets

- Target
  
  SPCapIQProOffice-1.0.22211.1.exe
- Size
  
  673KB
- MD5
  
  43a7f7024eb8795b902b4ba14b600840
- SHA1
  
  b7a192a8dc5470e1195d129bb760c971ee2ba202
- SHA256
  
  dc5cebf756baf365971ac3ff0655a40d4b57fe115a762c90d0f41897a7bfb609
- SHA512
  
  492c88910a0731045df2aa54b6bd0011055533ec437d9c762e21a1c6aaaf7d7e8c8f11f3e6e462a05684e76a58b71aa6c5934cf6e06d40492c06832c1396985a
- SSDEEP
  
  12288:/AjuakTOfDlEU4HWDblFlOTPThNp5aNUgrI7QCq8:ou/OfDlEUKWflmTP3parX8
Score

10^/10

plugx redline discovery infostealer persistence trojan evasion
- Detects PlugX payload
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Registers COM server for autorun
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2