plugx | e2f383123254f5b4a91cc8ea7fbe6d2a44c779368777207736a02a125d5c477b | Triage

Sharing

General

Target

plugx_2nd_stage.zip
Size

154KB
Sample

221124-qsdcnafh33
MD5

a51f331b1f97809f7ea834ac55c95f89
SHA1

5521c7e2d071e2210f1f02fefcb1f0dddc17986a
SHA256

e2f383123254f5b4a91cc8ea7fbe6d2a44c779368777207736a02a125d5c477b
SHA512

def8a36334fe9e1d0d6ef86aca02bca3c10936dadcd9a2330a1298c8ffaa3177ffae299a49eb5dfcdf87934d630b0bb3d9ee6a3165499c52b385b28ca23c6406
SSDEEP

3072:R+5tveEqSKH5bzm4TEdWP0hj8WGpwIyFLKusSfiYW:ADvhqSmbx2z3GpwrFCHYW

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

C2

www.systeminfor.com:80

www.systeminfor.com:53

www.systeminfor.com:25

Attributes

folder
AvastProxyETj

Targets

- Target
  
  AvastProxy.exe
- Size
  
  56KB
- MD5
  
  feac3e6946ab9b39c66a8756a4a7468f
- SHA1
  
  b490fbb91ebf327173940f3ed93f518191abb5e8
- SHA256
  
  560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23
- SHA512
  
  55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b
- SSDEEP
  
  768:alArI/PzmESYUawSgUhuGasKgFADGVih3:alccPz+cwSgUERsI
Score

10^/10

plugx persistence trojan
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  wsc.dll
- Size
  
  76KB
- MD5
  
  dc52696888f68d5b0e3d5e810c0d2a3c
- SHA1
  
  f72a97bf9ab09b3639c3c58c9c34d3675a507b87
- SHA256
  
  a1640a83373a8ce9e80734418ee0b10d48d3d0d823883a519849b50710c9f46a
- SHA512
  
  22cbe643038002e2d9dec7ffed7ba445ee1288571b445a8156c8bc533815bd330098893792b43c5592a881675a089f0b0229a230672569c62fa1032bec5ffcb2
- SSDEEP
  
  768:QVoWTrjr3eBjVgiHYSNjhCgk5NwF6fA6QzJhmlx3eBtBAmtXEty:QXTaySjCJm3mHuNtXEt
Score

1^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

plugxpersistencetrojan

behavioral2

plugxpersistencetrojan

behavioral3

behavioral4