MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PlugX


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143
SHA3-384 hash: af4b92222c1e9bceed66e16ce7dc50ff12ea1815eb9f53d377416d51be068e1630c7094e9ae176109bb3c74ddcb585f9
SHA1 hash: e7268a6982c3d17aaf472b331b67fbdbc4000dec
MD5 hash: ec3a003082a19fd6a00f84df315d18a2
humanhash: pluto-december-spaghetti-edward
File name:8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143
Download: download sample
Signature PlugX
Create hunting rule
File size:273'638 bytes
First seen:2022-02-22 08:32:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 6144:yz+92mhAMJ/cPl3ieBLVcFtRbUN5T+ZjOEGdjP/Z17jsjnvlmVr:yK2mhAMJ/cPlfcFnU6kdZUnvYF
Threatray 75 similar samples on MalwareBazaar
TLSH T11A44020677C561BFCB4201302FAF3B4AE2B9A53964BDA609FF94065E7A70543421BE73
dhash icon e4c89cdcccccc4e4 (3 x PlugX)
Reporter JAMESWT_WT
Tags:exe KorPlug Plugx

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PlugX
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243205/
Detection(s):
SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Launching a process
Adding an access-denied ACE
Sending a UDP request
Enabling autorun for a service
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6972/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll update.exe
Link:
https://www.filescan.io/uploads/62149fcaa2660f3bb9236d99/reports/b04e9ce4-5e78-4d6b-8b80-119577f291ab/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0d3820e-0400-4075-bf16-9ce10a18d29b
Result
Threat name:
Codoso Ghost
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943744
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Deletes itself after installation
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Codoso Ghost
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576221 Sample: 2qcQeuDlCL Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 5 other signatures 2->55 7 Mc.exe 2->7         started        10 2qcQeuDlCL.exe 12 2->10         started        13 svchost.exe 2->13         started        15 8 other processes 2->15 process3 dnsIp4 63 Writes to foreign memory regions 7->63 65 Allocates memory in foreign processes 7->65 18 svchost.exe 1 7->18         started        37 C:\Users\user\AppData\Local\...\McUtil.dll, PE32 10->37 dropped 39 C:\Users\user\AppData\Local\Temp\...\Mc.exe, PE32 10->39 dropped 41 C:\Users\user\AppData\...\McUtil.dll.url, data 10->41 dropped 22 Mc.exe 5 10->22         started        67 Changes security center settings (notifications, updates, antivirus, firewall) 13->67 25 MpCmdRun.exe 1 13->25         started        47 127.0.0.1 unknown unknown 15->47 file5 signatures6 process7 dnsIp8 43 192.168.2.1 unknown unknown 18->43 45 192.168.2.5, 443, 49676, 49679 unknown unknown 18->45 57 Deletes itself after installation 18->57 59 Writes to foreign memory regions 18->59 61 Allocates memory in foreign processes 18->61 27 msiexec.exe 18->27         started        31 C:\ProgramData\MC\McUtil.dll, PE32 22->31 dropped 33 C:\ProgramData\MC\Mc.exe, PE32 22->33 dropped 35 C:\ProgramData\MC\McUtil.dll.url, data 22->35 dropped 29 conhost.exe 25->29         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 03:06:46 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
17a9fa26f553c56d5b03921045d684a49177b8620eb3313dfcf13d269789c4ae
PlugX
642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d
PlugX
6d1480cd5b10739af130850f9d9bfa7ebe50024c5db68dd231bc7e4bd560ffa6
PlugX
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92
PlugX
77ceacf80289217a84f8087f070a6955a4be5a93f4c79fc95ff142533f02d403
PlugX
7cfe6b3d43caf0e6d990caf7b778d9c68e8e95f9ea6a44f9fefb46be5476c083
PlugX
a018379d343600dab5b728e46d2ee4e12d3853837fcf129d6831a57787d9d00c
PlugX
a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3
PlugX
b29002b5cb94ca36d9c34383737e2dbdb1db96289be81a378b5a5d4d8af06d58
PlugX
bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
PlugX
+ 65 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220222-kfyj6sfggm/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
a14cd5036eaba06d053a0a2deb2ea70b9e390bed4cb1f23e0e661583debddd3f
MD5 hash:
9cd5500ceb60679b7323e86ad9db8c4e
SHA1 hash:
8d80699463da8611dbab7f3b1ee4e2cf0fb0a848
Detections:
win_plugx_w2
Create hunting rule
win_plugx_auto
Create hunting rule
Link:
https://www.unpac.me/results/bbf833ad-3779-475c-9dcc-eea752a632ca/
Parent samples :
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92
8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143
a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3
SH256 hash:
dc8efac59a4a7f48f647eff38c6f33f28bf1923a856725561e192fd9f5ba1027
MD5 hash:
66c525de353c0040a86dbd01b2bc0d15
SHA1 hash:
14440fc91e7085928fa072d65b0937c604f7e2d2
Link:
https://www.unpac.me/results/bbf833ad-3779-475c-9dcc-eea752a632ca/
SH256 hash:
7b0cd33eb5104853a26628e4af56c218afeae067672c10a1fef4d92f1c458baf
MD5 hash:
c37e6cdda2d8c6d6b2414434bec83002
SHA1 hash:
b008c7bb8fcd5a27ceaf7b7ae0f51ed17d08545e
Link:
https://www.unpac.me/results/bbf833ad-3779-475c-9dcc-eea752a632ca/
SH256 hash:
8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143
MD5 hash:
ec3a003082a19fd6a00f84df315d18a2
SHA1 hash:
e7268a6982c3d17aaf472b331b67fbdbc4000dec
Link:
https://www.unpac.me/results/bbf833ad-3779-475c-9dcc-eea752a632ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/243205/

Comments