ploutus | 16e72e7cc4d3ad9995799c2037a7ea0f97c1f1791ea604e123a1c8fbf41d75c5

Analysis

max time kernel
146s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
01-03-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Matthew_MultiPinger.exe
Size

1.8MB
MD5

1afef074f02aa5e7ac9fae28a67c173a
SHA1

9eb580f61b51ea5b30a9d7e741b8b41aa58c086f
SHA256

16e72e7cc4d3ad9995799c2037a7ea0f97c1f1791ea604e123a1c8fbf41d75c5
SHA512

be6186b8e59122608842e077826aec9231c060100be3012b53445a70d09072cc3fe6a9da3ded0e3b22426e1c0ff5af57378b941b514a0d85e52d98b734e81ede
SSDEEP

49152:Mo+9eQjxgvQOZF+Q40vnlob2xfXqtWjs194:z+jgvQOZ4+oS5C9

Score

10^/10

ploutus atm backdoor upx

Malware Config

Signatures

Detected Ploutus loader 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\LANC_Remastered.exe	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus
Executes dropped EXE 4 IoCs

Processes:

LANC_Remastered.exepaping.exepaping.exePuTTY.exe

pid process

2228 LANC_Remastered.exe
3488 paping.exe
1504 paping.exe
3588 PuTTY.exe
Loads dropped DLL 5 IoCs

Processes:

LANC_Remastered.exe

pid process

2228 LANC_Remastered.exe
2228 LANC_Remastered.exe
2228 LANC_Remastered.exe
2228 LANC_Remastered.exe
2228 LANC_Remastered.exe

pid	process
2228	LANC_Remastered.exe
3488	paping.exe
1504	paping.exe
3588	PuTTY.exe

pid	process
2228	LANC_Remastered.exe
2228	LANC_Remastered.exe
2228	LANC_Remastered.exe
2228	LANC_Remastered.exe
2228	LANC_Remastered.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3940-0-0x0000000140000000-0x00000001404F1000-memory.dmp	upx
behavioral1/memory/3940-60-0x0000000140000000-0x00000001404F1000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3292 2228 WerFault.exe LANC_Remastered.exe
Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2180 PING.EXE
4976 PING.EXE
572 PING.EXE
3280 PING.EXE
1084 PING.EXE
4624 PING.EXE
4964 PING.EXE
2116 PING.EXE
3720 PING.EXE
4152 PING.EXE

pid	pid_target	process	target process
3292	2228	WerFault.exe	LANC_Remastered.exe

pid	process
2180	PING.EXE
4976	PING.EXE
572	PING.EXE
3280	PING.EXE
1084	PING.EXE
4624	PING.EXE
4964	PING.EXE
2116	PING.EXE
3720	PING.EXE
4152	PING.EXE

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

Matthew_MultiPinger.execmd.execmd.exe

description	pid	process	target process
PID 3940 wrote to memory of 4040	3940	Matthew_MultiPinger.exe	cmd.exe
PID 3940 wrote to memory of 4040	3940	Matthew_MultiPinger.exe	cmd.exe
PID 4040 wrote to memory of 2512	4040	cmd.exe	mode.com
PID 4040 wrote to memory of 2512	4040	cmd.exe	mode.com
PID 4040 wrote to memory of 2228	4040	cmd.exe	LANC_Remastered.exe
PID 4040 wrote to memory of 2228	4040	cmd.exe	LANC_Remastered.exe
PID 4040 wrote to memory of 2228	4040	cmd.exe	LANC_Remastered.exe
PID 4040 wrote to memory of 3488	4040	cmd.exe	paping.exe
PID 4040 wrote to memory of 3488	4040	cmd.exe	paping.exe
PID 4040 wrote to memory of 3488	4040	cmd.exe	paping.exe
PID 4040 wrote to memory of 1504	4040	cmd.exe	paping.exe
PID 4040 wrote to memory of 1504	4040	cmd.exe	paping.exe
PID 4040 wrote to memory of 1504	4040	cmd.exe	paping.exe
PID 4040 wrote to memory of 1204	4040	cmd.exe	cmd.exe
PID 4040 wrote to memory of 1204	4040	cmd.exe	cmd.exe
PID 1204 wrote to memory of 3456	1204	cmd.exe	mode.com
PID 1204 wrote to memory of 3456	1204	cmd.exe	mode.com
PID 1204 wrote to memory of 3280	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 3280	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 3992	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 3992	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1084	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 1084	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 1100	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1100	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 4624	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 4624	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 4052	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 4052	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 4964	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 4964	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 3648	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 3648	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 2180	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 2180	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 2104	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 2104	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 2116	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 2116	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 2436	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 2436	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 4976	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 4976	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 3212	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 3212	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 572	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 572	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 1784	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1784	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 3720	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 3720	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 1056	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 1056	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 4152	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 4152	1204	cmd.exe	PING.EXE
PID 1204 wrote to memory of 4604	1204	cmd.exe	find.exe
PID 1204 wrote to memory of 4604	1204	cmd.exe	find.exe
PID 4040 wrote to memory of 3588	4040	cmd.exe	PuTTY.exe
PID 4040 wrote to memory of 3588	4040	cmd.exe	PuTTY.exe

C:\Users\Admin\AppData\Local\Temp\Matthew_MultiPinger.exe
"C:\Users\Admin\AppData\Local\Temp\Matthew_MultiPinger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3D95.tmp\1K.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\mode.com
mode 86,14
3⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\3D95.tmp\LANC_Remastered.exe
LANC_Remastered.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1328
4⤵
- Program crash
PID:3292

C:\Users\Admin\AppData\Local\Temp\3D95.tmp\paping.exe
paping.exe 192.111.52.219 -p 8080
3⤵
- Executes dropped EXE
PID:3488

C:\Users\Admin\AppData\Local\Temp\3D95.tmp\paping.exe
paping.exe 192.111.52.219 -p 80
3⤵
- Executes dropped EXE
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Devil.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\system32\mode.com
mode 76,20
4⤵
PID:3456

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:3280

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:3992

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:1084

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:1100

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:4624

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:4052

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:4964

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:3648

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:2180

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:2104

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:2116

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:2436

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:4976

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:3212

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:572

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:1784

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:3720

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:1056

C:\Windows\system32\PING.EXE
PING -n 1 192.111.52.219
4⤵
- Runs ping.exe
PID:4152

C:\Windows\system32\find.exe
FIND "TTL="
4⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\3D95.tmp\PuTTY.exe
PuTTY.exe
3⤵
- Executes dropped EXE
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2228 -ip 2228
1⤵
PID:4296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3D95.tmp\1K.bat
Filesize
975B

MD5
bd9fc931de36192dd54e174af4a77e62

SHA1
42246b44b0ff123e91185a4ec230363ba2412b86

SHA256
6c9d4ed18a14105678985ecc374c7f698a8a30f39e7f80a97b99591d910d56e4

SHA512
470c60706e352675d713569b94efa564977e06133482e3a924dec986a4b65ac158ba97c4b0db4ac35f3cfdd378ae086adb81e08d4b3cefce0bd8328ab39876f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\Devil.bat
Filesize
464B

MD5
01b8c20b4dab98966efcd73df87e84bf

SHA1
8c25dc65f0ec0f2c6a140de824c13b8c31765a35

SHA256
a866a10aae143376d2e249f86397ee78b3d3b14de0eadbe50bb8065de157a70e

SHA512
fea30e3c78e60d17b54353edfe43267b89f1a57f77135e9ba561e92f8380ac6cf68029d91e33e6a7559f8df884583a185c0c95ccaf2a035144f9a5c740157a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\LANC_Remastered.exe
Filesize
1.7MB

MD5
4d5049ded6b78dd9d0eb4b8cbc7fc48d

SHA1
ffd12090c0923fee03a4162728caebcfa9ccc1df

SHA256
68ec4627b643ca6f66a23f77b3e4922b5b1d3f54216728df7c2fd1dc824294e0

SHA512
51cd6feafa698235d288369863e6e24d1cfd3ef848c760802bbf7bb432a4d3313c1920d214ce32fdbcb4ebee191085abb7d7078fd5636bed9b30259358b3dac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\Logo.py
Filesize
1KB

MD5
1c7ad236e30326aaea7999d287e0e168

SHA1
3d3d909b504e11eb739f3bb33d43a5353287c046

SHA256
3fdda265f1d0bd4d53f8240ff5b44a0d6158f758e6f576abdf34830b0cc88338

SHA512
eb99b3282be9fbdd9a7e954e9d6cf04721a14c7964001f3aae975a5c22fcc644b6bbcbf6104df710e5ba74206431fa12c0d328927c4cde60ab04234b4ac137ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\PcapDotNet.Core.dll
Filesize
69KB

MD5
45fa4315c7631b828e2871db89b3df27

SHA1
f34f3a5344abbb67a21348be9eaeba7831c7333e

SHA256
e580ca9c0382a8663d6bdff6e53802bd73fa8a71689d7f38521ca02269775a58

SHA512
1dd74a83b0435674d61e0e752e3d671334970fd7d235203faf1791c67965eee2324a7dd18e03be575138d3c3639d106534a084c3f9a78d37ff4ff77ead4cfd96

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\PsychoCoding Theme.dll
Filesize
96KB

MD5
bdfd2b195bb55f1054251cb52abb5dad

SHA1
6f93f734f75d7e01852744c68312d8532e60dfe3

SHA256
070583767d41d7913df3c7c791800216edf1329a64917b028d1f24e3a977e498

SHA512
22f1d63fc19a961c994a63eaccb257c5fabdc95f3a7d13c74283b71fd10fd8000718254b8ef163640aecbbc3934d703f72a9d2bd1eb418414678adfc8f6332ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\PuTTY.exe
Filesize
862KB

MD5
239c6a38de34b2cc26afbc41adf3a11d

SHA1
ff5d4e320e599666a629e1d76638111221ca8ba1

SHA256
b73d6f26808b85c67cc0714d0bd1ead6c0dde47b21ddcf1f76962725d8e3311d

SHA512
bb25a7e88afc1bcb1226442d436f45d1ed88eac64008f1eafcdfd9c32b749507fbf019186262ce84c8d29274b961d835e87853698562bde79b00245cf3f4d04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\paping.exe
Filesize
576KB

MD5
aa32a25fa1fa895f7ab709b88349c933

SHA1
262c93b6178067b75e51df304c612b9034a9eef4

SHA256
a54eaa578af16919b4a582c687da350038db018a9748f9a0ee3c4a5c01af9bd2

SHA512
bf719b1b61faa6ec937069d67b111b8eff317f40e2617bac08240da8355614ef38d26b4651a700ce49a6780ce37a21dd253809e040ce63de25d177260822d19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\teste.py
Filesize
1KB

MD5
ab050729a53372d98b4626f42e785763

SHA1
acba0f17ab6c40d0c999e111f203d96f6975c66a

SHA256
ec19855a30417dde92441c6d6d7e878ec49c960583a0f06b96a0f6f2f6aff279

SHA512
c41672c7cc186bcfb8056bfdfd6f0f6c7e9c0ea2ae77956abe325ae36ec4bddf7b3157979103706f18bdd3d951d88717d97cd9a181915cca226e9d6fb240a7c9

Download Submit
memory/1504-74-0x0000000000250000-0x000000000031B000-memory.dmp

Filesize
812KB

Download
memory/2228-44-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/2228-45-0x0000000005830000-0x0000000005DD6000-memory.dmp

Filesize
5.6MB

Download
memory/2228-52-0x00000000054C0000-0x00000000054DE000-memory.dmp

Filesize
120KB

Download
memory/2228-53-0x0000000008690000-0x000000000872C000-memory.dmp

Filesize
624KB

Download
memory/2228-47-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/2228-57-0x0000000008660000-0x0000000008675000-memory.dmp

Filesize
84KB

Download
memory/2228-59-0x0000000074BA0000-0x0000000075351000-memory.dmp

Filesize
7.7MB

Download
memory/2228-43-0x0000000074BA0000-0x0000000075351000-memory.dmp

Filesize
7.7MB

Download
memory/2228-46-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/2228-42-0x00000000003F0000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/2228-48-0x0000000005DE0000-0x0000000005F86000-memory.dmp

Filesize
1.6MB

Download
memory/3488-69-0x0000000000250000-0x000000000031B000-memory.dmp

Filesize
812KB

Download
memory/3488-67-0x0000000000250000-0x000000000031B000-memory.dmp

Filesize
812KB

Download
memory/3940-0-0x0000000140000000-0x00000001404F1000-memory.dmp

Filesize
4.9MB

Download
memory/3940-60-0x0000000140000000-0x00000001404F1000-memory.dmp

Filesize
4.9MB

Download