General

  • Target

    e893dbe6b911e8faea85dad69061e2755ef52db23bc5163f7c5dfd4138f29d6e.rar

  • Size

    364KB

  • Sample

    241117-rfz7bs1gmf

  • MD5

    4e8ddbbb780ed54690dc219a3120edb4

  • SHA1

    9fbecaf37a0679b668bc31d4c4ae1a331d46be39

  • SHA256

    e893dbe6b911e8faea85dad69061e2755ef52db23bc5163f7c5dfd4138f29d6e

  • SHA512

    8344f13282047055647b2419226c02810f51baa0c1041b51baf1cdedefcdec0418e38b4b999a806470a64efa8f3dbffc823eb029b987df25e82a58bb17e2b17e

  • SSDEEP

    6144:yVIIuZIIqV7bCJvcsYrHiWdXjwDA++nO2VSD2EdHUhb9uwPn/Dxd:yVI9Ij5mCskHlUDA+iOL1HUhb9xxd

Score
10/10

Malware Config

Targets

    • Target

      kdump64.dll

    • Size

      148KB

    • MD5

      d5dcfc5ac42bcba55a1170756f3493f4

    • SHA1

      1bcefa919e0c9c1d114ed6384e4aff8f316482de

    • SHA256

      8ba00843b9aba2cff6f2234a7daf040aadfebce4c05b13061da63b48f63bfa4f

    • SHA512

      dbaf78188b53629d667bdcb4fcdc0c35045e77330bbe209739c86fbe2d7c2ba04b3adeedc6576186e1af20f8eb373a9788ed3b0050f80f61485475dcf23b0a24

    • SSDEEP

      3072:+hNbJ07kFlBFBTmIw61ReXqiZmh1rx3o1v6Al7JyvITb/:+nbOcB76IJPevmh46Al3

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Target

      wps.exe

    • Size

      177KB

    • MD5

      f44992d14033a2b5b1064104658a29e1

    • SHA1

      62673aa6e8bde17f218524cbe3bf50cb5b949f3b

    • SHA256

      331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4

    • SHA512

      9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b

    • SSDEEP

      3072:65nSsRkXPsSadfviPNPVY5bYm1wkUBL/1cAR+oOb5vENb/fZOKeb0WhmNNdnLeny:65SsRkXPYGPG5cm6Bd3oEt/fZOaBi/fi

    Score
    10/10
    • Detects PlugX payload

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Plugx family

    • Unexpected DNS network traffic destination

Network traffic on the DNS port (53) to servers other than the configured DNS resolvers was detected. Legitimate resolution only goes to the resolver the analysis VM was configured with; port-53 traffic to any other host is a common indicator of command-and-control tunnelled through the DNS port.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Deletes itself
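The "Unexpected DNS network traffic destination" signature above is a simple flow-level check that is worth reproducing on your own pcap summaries. The following is an added example, not the sandbox's own signature code: it reimplements the check over a constructed flow summary (protocol, source, destination, destination port, bytes sent). The resolver address, the analysis-VM address and the external destinations are assumed values; the external ones are RFC 5737 documentation addresses, not real infrastructure.

```python
"""Added example (not the sandbox vendor's code): reimplement the
'Unexpected DNS network traffic destination' check over constructed flow
records, the kind of summary a sandbox derives from the analysis VM's pcap."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Set

DNS_PORT = 53

# Resolver the analysis VM is assumed to be configured with (assumed value).
CONFIGURED_DNS: Set[str] = {"10.127.0.1"}

# Constructed flow summary: proto src dst dport bytes_out. The external
# addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_FLOWS = """\
udp 10.127.0.203 10.127.0.1 53 64
udp 10.127.0.203 10.127.0.1 53 58
udp 10.127.0.203 203.0.113.10 53 120
tcp 10.127.0.203 203.0.113.10 53 2048
tcp 10.127.0.203 198.51.100.7 443 900
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record. Addresses go through
    ip_address() so a malformed record raises instead of silently never
    matching the resolver set (and IPv6 is reduced to canonical form)."""
    proto, src, dst, dport, nbytes = line.split()
    return Flow(
        proto=proto.lower(),
        src=str(ip_address(src)),
        dst=str(ip_address(dst)),
        dport=int(dport),
        bytes_out=int(nbytes),
    )


def unexpected_dns_destinations(flows: Iterable[Flow],
                                configured: Set[str] = CONFIGURED_DNS) -> Dict[str, int]:
    """Destinations that received traffic on the DNS port but are not a
    configured resolver, mapped to the total bytes sent to each. Only UDP and
    TCP are considered, because DNS is carried over nothing else."""
    configured = {str(ip_address(ip)) for ip in configured}
    hits: Dict[str, int] = {}
    for f in flows:
        if f.proto not in ("udp", "tcp") or f.dport != DNS_PORT:
            continue
        if f.dst in configured:
            continue
        hits[f.dst] = hits.get(f.dst, 0) + f.bytes_out
    return hits


def analyse(text: str, configured: Set[str] = CONFIGURED_DNS) -> Dict[str, int]:
    """Run the check over a whole flow summary (blank lines ignored)."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return unexpected_dns_destinations(flows, configured)


if __name__ == "__main__":
    for dst, nbytes in analyse(SAMPLE_FLOWS).items():
        print(f"unexpected DNS destination {dst}: {nbytes} bytes to port {DNS_PORT}")
```

On the constructed input only 203.0.113.10 is reported (2168 bytes, the two flows to the configured resolver are ignored, and the 443 flow is out of scope). The 2048-byte TCP flow is the one an analyst should look at first: genuine resolution is mostly small UDP exchanges, so a sustained TCP session on port 53 to a non-resolver is the shape of a C2 channel hiding behind the DNS port. To apply the check to real data, feed it the same five fields from a Zeek conn.log (proto, id.orig_h, id.resp_h, id.resp_p, orig_bytes) or an equivalent flow export.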

MITRE ATT&CK Enterprise v15

Tasks