ploutus | c342dae78334189e381bbd4ad2ca0800cd4ad5e58036cf97210b37edab08514b

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
13-11-2023 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lxautold.exe
Size

765KB
MD5

f7c83410bdf578a6316d1ce543456dfa
SHA1

2814ed6a65dec94029a1c1e97b1a69c49b116e34
SHA256

145d6db252fa4247ad08d85d651bdd6e6ff9068305ce4af3b9dca684f1a1aa5b
SHA512

fa9c00697cc121421f7fc682b9ce9c78cf9efcec00c6bdc8a8df002462b97319f0bac20c2fa717ceb5985da20b4088232b7f5408192e5031adb0e60047bb5a80
SSDEEP

12288:7h1Lk70TnvjcRydunMK6PdWmpDCLtdLQF6mghdjxjgEg+gCSrjrDQLXoF0MfF16f:Hk70TrcRxMrdWmpDYOFspxjbg+arQL6S

Score

10^/10

ploutus atm backdoor

Malware Config

Signatures

Detected Ploutus loader 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2508-4-0x0000000004870000-0x0000000004960000-memory.dmp	family_ploutus
behavioral1/memory/2508-5-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-6-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-8-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-10-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-12-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-14-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-16-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-20-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-18-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-22-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-24-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-26-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-28-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-30-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-32-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-34-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-38-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-36-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-42-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-40-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-44-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-48-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-46-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-50-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-52-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-54-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-56-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-62-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-60-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-58-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-64-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-66-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus
behavioral1/memory/2508-68-0x0000000004870000-0x000000000495A000-memory.dmp	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lxautold.exe

description pid process

Token: SeDebugPrivilege 2508 lxautold.exe

description	pid	process
Token: SeDebugPrivilege	2508	lxautold.exe

C:\Users\Admin\AppData\Local\Temp\lxautold.exe
"C:\Users\Admin\AppData\Local\Temp\lxautold.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-0-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-1-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2508-2-0x00000000049C0000-0x0000000004AB0000-memory.dmp

Filesize
960KB

Download
memory/2508-3-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2508-4-0x0000000004870000-0x0000000004960000-memory.dmp

Filesize
960KB

Download
memory/2508-5-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-6-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-8-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-10-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-12-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-14-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-16-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-20-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-18-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-22-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-24-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-26-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-28-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-30-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-32-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-34-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-38-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-36-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-42-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-40-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-44-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-48-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-46-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-50-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-52-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-54-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-56-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-62-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-60-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-58-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-64-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-66-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-68-0x0000000004870000-0x000000000495A000-memory.dmp

Filesize
936KB

Download
memory/2508-1115-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2508-1116-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2508-1117-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download