plugx | 07bd1745baa33c6abb773c13fb4c65aa35b18b21d7e514af3bf5fd20cd97e500 | Triage

Submit
Reports

Overview

overview

Static

static

1

LDPlayer9_...ld.exe

windows7-x64

8

LDPlayer9_...ld.exe

windows10-2004-x64

Sharing

General

Target

LDPlayer9_ens_25143662_ld.exe
Size

2.9MB
Sample

230418-ynzn4adh38
MD5

79170cdc94a59fd6e174bd56d8ccadcb
SHA1

c3e8aa07bfb7625194def68231b4db42ca3d6610
SHA256

07bd1745baa33c6abb773c13fb4c65aa35b18b21d7e514af3bf5fd20cd97e500
SHA512

7eb94acbf573a7528709197c96d7edaebce05d1f9aebb5a5992b4fb8c6b88e4cd4c9a4edd1f030362832860da992282476a13dcdb1cb8ca51065df7804a8afc3
SSDEEP

49152:mi/fEwEHpp4/PrRw1SYFjAbDiY+UjwxxtG8N9Hm:mi/8wEHpW/Pa1BF8+QwxKj

Score

10^/10

plugx redline discovery evasion exploit infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

LDPlayer9_ens_25143662_ld.exe

Resource

win7-20230220-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

LDPlayer9_ens_25143662_ld.exe

Resource

win10v2004-20230220-en

plugx redline discovery evasion exploit infostealer persistence trojan

windows10-2004-x64

32 signatures

150 seconds

Malware Config

Targets

- Target
  
  LDPlayer9_ens_25143662_ld.exe
- Size
  
  2.9MB
- MD5
  
  79170cdc94a59fd6e174bd56d8ccadcb
- SHA1
  
  c3e8aa07bfb7625194def68231b4db42ca3d6610
- SHA256
  
  07bd1745baa33c6abb773c13fb4c65aa35b18b21d7e514af3bf5fd20cd97e500
- SHA512
  
  7eb94acbf573a7528709197c96d7edaebce05d1f9aebb5a5992b4fb8c6b88e4cd4c9a4edd1f030362832860da992282476a13dcdb1cb8ca51065df7804a8afc3
- SSDEEP
  
  49152:mi/fEwEHpp4/PrRw1SYFjAbDiY+UjwxxtG8N9Hm:mi/8wEHpW/Pa1BF8+QwxKj
Score

10^/10

plugx redline discovery evasion exploit infostealer persistence trojan
- Detects PlugX payload
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

plugxredlinediscoveryevasionexploitinfostealerpersistencetrojan

© 2018-2024

Terms | Privacy