MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c889f5fdffe7b6145b59232c1da5966bdeb57b6d21f38eebe12015903d456f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PlugX


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c889f5fdffe7b6145b59232c1da5966bdeb57b6d21f38eebe12015903d456f6
SHA3-384 hash: 2c34f8fa5010aaff1e2af2409e0163d1b6b94de682f48fe6c1d2775b3e6bb6aa44c160cd6ee42b5d849cb340bd02213c
SHA1 hash: 499cceeeb6485b34233b85fdbd5e26397423f0a7
MD5 hash: ef81a01e614a3a7c7a06171e8ec463b6
humanhash: enemy-lactose-paris-march
File name:4c889f5fdffe7b6145b59232c1da5966bdeb57b6d21f38eebe12015903d456f6.dll
Download: download sample
Signature PlugX
Create hunting rule
File size:138'752 bytes
First seen:2021-08-06 12:18:07 UTC
Last seen:2021-08-06 13:44:59 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 75c054ac1bbae1f166a73824a11d5efa (2 x PlugX)
ssdeep 1536:fS0nQkNkx7AeJRhNUoCthFYJmw44uh9nVJUWlDYnyrCo5CqydiEz1t4PpZnM+zgV:zNelNEvKWZYKika1t4PpZ/bVn7Ch
Threatray 10 similar samples on MalwareBazaar
TLSH T13AD32915E140D3B2E8BE40FD4BBC6E0E267EAE65471405DF36C8942A75E1DE26F38E12
Reporter Anonymous
Tags:decrypted dll Plugx

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176982/
Detection(s):
SecuriteInfo.com.BackDoor.PlugX.89.25230.29591.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
PlugX
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ba2cd2c-256b-48be-bc18-aa88732d9256
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/828259
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460690 Sample: kFlvTuaVdy.dll Startdate: 06/08/2021 Architecture: WINDOWS Score: 52 27 Antivirus / Scanner detection for submitted sample 2->27 29 Machine Learning detection for sample 2->29 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        process5 16 rundll32.exe 10->16         started        18 WerFault.exe 6 9 12->18         started        21 WerFault.exe 9 14->21         started        dnsIp6 23 WerFault.exe 19 9 16->23         started        25 192.168.2.1 unknown unknown 18->25 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c889f5fdffe7b6145b59232c1da5966bdeb57b6d21f38eebe12015903d456f6/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 12:18:13 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
21 of 47 (44.68%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
24fc6e7c22402cb67de02d3cffb6f9659db3a7c25e74c87c90f87dfaa6d140e0
PlugX
2f58a869711d2b28e6ecaac25cc2166daa46f7adfb719b7dd334e01c1474ca9b
PlugX
80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967
PlugX
86df93f906086a656f1b5e26bfa134996206769968dca47442b1141e5e112816
PlugX
b82752e798eec15d7e5ff9bbef1e9eabb2ee862ea904b327f4322fa55a18cc3f
PlugX
c09d86efdc1486de2dd00fdc8900ee9efc307017369b3900ce7b35e708dfcc50
PlugX
d1d3cf433e871d3aa6836ddb87578cbf494603f6f4a8918f36aea5816c6ce5e0
PlugX
dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4
PlugX
f631e8f0c723cccbc5b26387f4100351de2e158b6770e962733734be6ca119d5
PlugX
Result
Malware family:
plugx
Create hunting rule
Score:
  10/10
Tags:
family:plugx
Link:
https://tria.ge/reports/210806-y6ggceas9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Malware Config
C2 Extraction:
www.manager2013.com:80
www.manager2013.com:443
www.manager2013.com:53
Unpacked files
SH256 hash:
4c889f5fdffe7b6145b59232c1da5966bdeb57b6d21f38eebe12015903d456f6
MD5 hash:
ef81a01e614a3a7c7a06171e8ec463b6
SHA1 hash:
499cceeeb6485b34233b85fdbd5e26397423f0a7
Detections:
win_plugx_auto
Create hunting rule
Link:
https://www.unpac.me/results/fcf69f09-c127-450f-ae4d-db053b92c6e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c889f5fdffe7b6145b59232c1da5966bdeb57b6d21f38eebe12015903d456f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_plugx_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.plugx.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176982/

Comments