General

  • Target: plugx_2nd_stage.zip
  • Size: 154KB
  • Sample: 221124-qsdcnafh33
  • MD5: a51f331b1f97809f7ea834ac55c95f89
  • SHA1: 5521c7e2d071e2210f1f02fefcb1f0dddc17986a
  • SHA256: e2f383123254f5b4a91cc8ea7fbe6d2a44c779368777207736a02a125d5c477b
  • SHA512: def8a36334fe9e1d0d6ef86aca02bca3c10936dadcd9a2330a1298c8ffaa3177ffae299a49eb5dfcdf87934d630b0bb3d9ee6a3165499c52b385b28ca23c6406
  • SSDEEP: 3072:R+5tveEqSKH5bzm4TEdWP0hj8WGpwIyFLKusSfiYW:ADvhqSmbx2z3GpwrFCHYW

Malware Config

Extracted

  • Family: plugx
  • C2:
      www.systeminfor.com:80
      www.systeminfor.com:53
      www.systeminfor.com:25
  • Attributes
      folder: AvastProxyETj

Targets

    • Target: AvastProxy.exe
    • Size: 56KB
    • MD5: feac3e6946ab9b39c66a8756a4a7468f
    • SHA1: b490fbb91ebf327173940f3ed93f518191abb5e8
    • SHA256: 560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23
    • SHA512: 55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b
    • SSDEEP: 768:alArI/PzmESYUawSgUhuGasKgFADGVih3:alccPz+cwSgUERsI

    • PlugX
      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
    • Executes dropped EXE
    • Loads dropped DLL
    • Unexpected DNS network traffic destination
      Network traffic to servers other than the configured DNS servers was detected on the DNS port.
    • Adds Run key to start application

    • Target: wsc.dll
    • Size: 76KB
    • MD5: dc52696888f68d5b0e3d5e810c0d2a3c
    • SHA1: f72a97bf9ab09b3639c3c58c9c34d3675a507b87
    • SHA256: a1640a83373a8ce9e80734418ee0b10d48d3d0d823883a519849b50710c9f46a
    • SHA512: 22cbe643038002e2d9dec7ffed7ba445ee1288571b445a8156c8bc533815bd330098893792b43c5592a881675a089f0b0229a230672569c62fa1032bec5ffcb2
    • SSDEEP: 768:QVoWTrjr3eBjVgiHYSNjhCgk5NwF6fA6QzJhmlx3eBtBAmtXEty:QXTaySjCJm3mHuNtXEt

    Score: 1/10

MITRE ATT&CK Matrix ATT&CK v6

Persistence
  • Registry Run Keys / Startup Folder: T1060 (1)

Defense Evasion
  • Modify Registry: T1112 (1)

Tasks