plugx

General

Target

e893dbe6b911e8faea85dad69061e2755ef52db23bc5163f7c5dfd4138f29d6e
Size

364KB
Sample

241223-wbnpyswncy
MD5

4e8ddbbb780ed54690dc219a3120edb4
SHA1

9fbecaf37a0679b668bc31d4c4ae1a331d46be39
SHA256

e893dbe6b911e8faea85dad69061e2755ef52db23bc5163f7c5dfd4138f29d6e
SHA512

8344f13282047055647b2419226c02810f51baa0c1041b51baf1cdedefcdec0418e38b4b999a806470a64efa8f3dbffc823eb029b987df25e82a58bb17e2b17e
SSDEEP

6144:yVIIuZIIqV7bCJvcsYrHiWdXjwDA++nO2VSD2EdHUhb9uwPn/Dxd:yVI9Ij5mCskHlUDA+iOL1HUhb9xxd

Score

10^/10

Malware Config

Targets

- Target
  
  kdump64.dll
- Size
  
  148KB
- MD5
  
  d5dcfc5ac42bcba55a1170756f3493f4
- SHA1
  
  1bcefa919e0c9c1d114ed6384e4aff8f316482de
- SHA256
  
  8ba00843b9aba2cff6f2234a7daf040aadfebce4c05b13061da63b48f63bfa4f
- SHA512
  
  dbaf78188b53629d667bdcb4fcdc0c35045e77330bbe209739c86fbe2d7c2ba04b3adeedc6576186e1af20f8eb373a9788ed3b0050f80f61485475dcf23b0a24
- SSDEEP
  
  3072:+hNbJ07kFlBFBTmIw61ReXqiZmh1rx3o1v6Al7JyvITb/:+nbOcB76IJPevmh46Al3
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral1 behavioral2
- Target
  
  wps.dat
- Size
  
  152KB
- MD5
  
  a1ed676cf36394b6b4fb449309b91b5b
- SHA1
  
  4cf7a01b132e4855581e39f5d0da204301fdae98
- SHA256
  
  8da2085b60e44aa5fa46c8613757e1582df098e27373b2c8916d2725f28b46de
- SHA512
  
  ce224d2376a7d78777691f9eceb8a48755787b390b73e309d48337b8d097a9370e66780237e2884294c76205f93f27e82744804781abe8eaee255c9e2f0f3f11
- SSDEEP
  
  3072:QJcpYbyI0brQQUiT6J6zInBqF5Pr6veTotEELhhezCATlX:QJFy1b8f+InQ5D6WTkEELhAuATl
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  wps.exe
- Size
  
  177KB
- MD5
  
  f44992d14033a2b5b1064104658a29e1
- SHA1
  
  62673aa6e8bde17f218524cbe3bf50cb5b949f3b
- SHA256
  
  331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4
- SHA512
  
  9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b
- SSDEEP
  
  3072:65nSsRkXPsSadfviPNPVY5bYm1wkUBL/1cAR+oOb5vENb/fZOKeb0WhmNNdnLeny:65SsRkXPYGPG5cm6Bd3oEt/fZOaBi/fi
Score

10^/10

plugx trojan vmprotect
- Detects PlugX payload
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Plugx family
  plugx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Deletes itself
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

VMProtect packed file

Detects PlugX payload

Plugx family

Unexpected DNS network traffic destination

VMProtect packed file

Deletes itself

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6