MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PlugX

Vendor detections: 8

SHA256 hash: 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967
SHA3-384 hash: 5ad8c25e004a0d9dc066d1056cb08f8829a903ff95112fb8d54e07569a92944d4941b4bd573a2ac35d6f0b58cfed0bf0
SHA1 hash: fc48ae44addc9e1d00238f5ba798f3876e69c561
MD5 hash: 048271f7f2f8d900485dd020cdea2dd9
humanhash: leopard-diet-romeo-montana
File name: 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.bin
Signature: PlugX
File size: 436'224 bytes
First seen: 2021-07-27 22:10:04 UTC
Last seen: 2021-08-02 09:31:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d71092979deae75937e8d206e56f88fe (1 x PlugX)
ssdeep: 6144:5bLl5/Muaf6XK5dTTX1eokmAFM88KR/DhYvnz4b7D4k:5jkfGK5dTTleAmtBBDcnz2/4k
TLSH: T130948B036ADCBCE2C079137573BB87D0C72EED6599E1C40E6AD00289D9BD1937A227E5
dhash icon: f0968ee8aae8e8b2 (13 x ValleyRAT, 9 x Urelas, 5 x HermeticWiper)
Reporter: Arkbird_SOLG
Tags: apt exe Plugx Thor Variant

Intelligence


File Origin
# of uploads: 3
# of downloads: 237
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.bin
Verdict: Malicious activity
Analysis date: 2021-07-27 22:14:07 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 92 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image not reproducible in text; Behavior Graph ID 455195, sample mILsxf435J.bin, architecture WINDOWS, score 92]
Threat name: Win32.Trojan.Waldek
Status: Malicious
First seen: 2019-11-29 11:22:06 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Verdict: suspicious
Result
Malware family: n/a
Score: 9/10
Tags: upx
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments