MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Plugx


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d
SHA3-384 hash: b967ebee61e5538b4bae44dfc074b30a9ec3d8549f106723aba3a25d58f96aa4f3d05eb3f3657cde1e75202607947214
SHA1 hash: ef5558e7759239dcb1f1130eb75805ea112d513c
MD5 hash: 54417c33d3cd1ea55cacceced80815da
humanhash: mars-april-butter-nine
File name:642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d
Download: download sample
Signature Plugx
Create hunting rule
File size:296'888 bytes
First seen:2021-03-18 14:20:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 6144:yz+92mhAMJ/cPl3ieBLVcFtRbUN5TEUlHp2AW3BBAz+HkfPImVwx:yK2mhAMJ/cPlfcFnUHHhWbAbfQ
Threatray 29 similar samples on MalwareBazaar
TLSH 505402133AC5A6BBD78200302FAE376BE678F134557DA60AEBD5160E77750438327A53
Reporter JAMESWT_WT
Tags:KorPlug Plugx

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d
Verdict:
Malicious activity
Analysis date:
2021-03-18 13:41:12 UTC
Tags:
trojan plugx
Link:
https://app.any.run/tasks/b0d1f612-e69e-4e0b-9b4c-84e067ffd19a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Plugx
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125473/
Detection(s):
SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Creating a service
Launching a service
Launching a process
Sending a UDP request
Creating a file in the Windows subdirectories
Adding an access-denied ACE
DNS request
Connection attempt
Enabling autorun for a service
Unauthorized injection to a system process
Deleting of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
PlugX Codoso Ghost
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/644639
Signature
Allocates memory in foreign processes
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Detected PlugX malware (RAT)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Codoso Ghost
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 371283 Sample: cID9O2zjnh Startdate: 18/03/2021 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 7 Mc.exe 2 2->7         started        10 cID9O2zjnh.exe 12 2->10         started        process3 file4 49 Detected PlugX malware (RAT) 7->49 51 Contains functionality to change the desktop window for a process (likely to hide graphical interactions) 7->51 53 Contains functionality to inject threads in other processes 7->53 55 4 other signatures 7->55 13 svchost.exe 1 5 7->13         started        27 C:\Users\user\AppData\Local\...\McUtil.dll, PE32 10->27 dropped 29 C:\Users\user\AppData\Local\Temp\...\Mc.exe, PE32 10->29 dropped 17 Mc.exe 9 10->17         started        signatures5 process6 dnsIp7 31 sinkhole.dynu.net 153.248.125.4, 443, 49725, 49727 OCNNTTCommunicationsCorporationJP Japan 13->31 33 www2.molnews.net 13->33 35 2 other IPs or domains 13->35 57 System process connects to network (likely due to code injection or exploit) 13->57 59 Contains functionality to change the desktop window for a process (likely to hide graphical interactions) 13->59 61 Contains functionality to inject threads in other processes 13->61 63 2 other signatures 13->63 20 msiexec.exe 13->20         started        23 C:\ProgramData\Micro\McUtil.dll, PE32 17->23 dropped 25 C:\ProgramData\Micro\Mc.exe, PE32 17->25 dropped file8 signatures9 process10 signatures11 45 Contains functionality to change the desktop window for a process (likely to hide graphical interactions) 20->45 47 Contains functionality to inject threads in other processes 20->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d/
Threat name:
Win32.Trojan.Korplug
Create hunting rule
Status:
Malicious
First seen:
2018-08-21 19:15:36 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
17a9fa26f553c56d5b03921045d684a49177b8620eb3313dfcf13d269789c4ae
Plugx
5ee970db11a1dbfeff58b1f1206045d141022d6d396d50ba571910522a2c106d
Plugx
5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67
Plugx
7fe0951030252a21e854df2b75f30e6495f076e99a183ad0fd422689352122f7
Plugx
87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71
Plugx
a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7
Plugx
a6bf564665f281e7226d137f8da8692436c44edb6ab7881cab31282ffd6649ad
Plugx
bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
Plugx
c015de0626ba91b194a47d0c8d76594e1bddadae9d9a6891b26ff7c2bc0fade3
Plugx
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
Plugx
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210318-982964wqw6/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
4c5d42a0bf6cba51fd7b886d03cdf50e7be587c3621d018136ba5df7bb10e25e
MD5 hash:
64b8c5a2ec1236e147e989ebdaf0b4e8
SHA1 hash:
3af789e854802a88340d8552a41ea8c3b6eb4f17
Detections:
win_plugx_w2
Create hunting rule
win_plugx_auto
Create hunting rule
Link:
https://www.unpac.me/results/5803f265-50c8-4da1-81d4-760a405cb6ac/
SH256 hash:
cd05b543642aae339409b16577be94b0d7a9eed958f368f0cffbb79734de6bf5
MD5 hash:
e28b08dc1f1945ab352476d294832f81
SHA1 hash:
76d52d3a8e7b189417e28b5e9e8c06c336daf788
Link:
https://www.unpac.me/results/5803f265-50c8-4da1-81d4-760a405cb6ac/
SH256 hash:
7b0cd33eb5104853a26628e4af56c218afeae067672c10a1fef4d92f1c458baf
MD5 hash:
c37e6cdda2d8c6d6b2414434bec83002
SHA1 hash:
b008c7bb8fcd5a27ceaf7b7ae0f51ed17d08545e
Link:
https://www.unpac.me/results/5803f265-50c8-4da1-81d4-760a405cb6ac/
SH256 hash:
642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d
MD5 hash:
54417c33d3cd1ea55cacceced80815da
SHA1 hash:
ef5558e7759239dcb1f1130eb75805ea112d513c
Link:
https://www.unpac.me/results/5803f265-50c8-4da1-81d4-760a405cb6ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Plugx
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/125473/

Comments