plugx

General

Target

AvastSvcZEg.zip
Size

154KB
Sample

240925-mcmplszdrj
MD5

4672c97ef72cfa9845126c6c19a0303d
SHA1

a64ca5018acb426de38f2b20ff9be956d6c35600
SHA256

47521a28f2aec3de8db28f63a88f3af567f7e40228acc5924673f23cd039199f
SHA512

7943fe72e1f16ea034f781abe92b415118987ce87c1f74ae98cf4fcccd976c1622f935d2b211ef9c9a827d18af4c8214a738a254f63aa61de44bf707e7a0a433
SSDEEP

3072:jLGN6+o/5GJB8YoaxwbybSNqnjdNArfqesO89pVBvDjvKWU7bK6GWQ:/G/2ooPHc2yesR9xDTKWU7prQ

Score

10^/10

Malware Config

Extracted

Family

plugx

C2

103.56.53.46:80

103.56.53.46:110

103.56.53.46:443

103.56.53.46:5938

Attributes

folder
AvastSvcZEg

Targets

- Target
  
  AvastSvcZEg/AvastAuth.dat
- Size
  
  160KB
- MD5
  
  53830fe278811363f93e0906d8b5ce69
- SHA1
  
  b133578af848e10500cc8b943483ed71e86a713a
- SHA256
  
  8ec409c1537e3030405bc8f8353d2605d1e88f1b245554383682f3aa8b5100ec
- SHA512
  
  c87497b49d2924be200053495074e16d82fdc875ecdcd231e185479901020c176c2a478c52eea55a9908fe3605ed3d5b2037fa4c83248d4d2bfea45f9f03dc37
- SSDEEP
  
  3072:4NZDIHsDYhxMxRpyfGZpUOJR6UfzhgAN6f8HQJCKJUn/:4NZQsskdEGvH4IzhgnUH+dU/
Score

7^/10

discovery persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Modifies system executable filetype association
  persistence
behavioral1
- Target
  
  AvastSvcZEg/AvastSvc.exe
- Size
  
  60KB
- MD5
  
  a72036f635cecf0dcb1e9c6f49a8fa5b
- SHA1
  
  049813b955db1dd90952657ae2bd34250153563e
- SHA256
  
  85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
- SHA512
  
  e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
- SSDEEP
  
  768:Q/WQ3/TymxfsHYPry0bgYh3LKgMoCDGFh9D:Q+QvT7xUHYPDbgYVLWofD
Score

10^/10

plugx discovery persistence trojan
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral2
- Target
  
  AvastSvcZEg/wsc.dll
- Size
  
  52KB
- MD5
  
  831252e7fa9bd6fa174715647ebce516
- SHA1
  
  bf8c5bf141f0db53000805f2629e6e031d137ceb
- SHA256
  
  6491c646397025bf02709f1bd3025f1622abdc89b550ac38ce6fac938353b954
- SHA512
  
  0be6e898dcb75b32358bb8c2214e7b9453034ecfbe71d092df75b186a28f97ae7d5737f010b9d9e781c6b4cf3da19ee4a7cf5002604d23c527c55a3f7a0dba04
- SSDEEP
  
  768:ctRTzgT291lvLotXKUoImwKvuZ+UHo4QIkfbZoN:ctRHgTWPcpmwKf4X2oN
Score

3^/10

discovery
behavioral3