MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b82752e798eec15d7e5ff9bbef1e9eabb2ee862ea904b327f4322fa55a18cc3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: PlugX
Vendor detections: 8

SHA256 hash: b82752e798eec15d7e5ff9bbef1e9eabb2ee862ea904b327f4322fa55a18cc3f
SHA3-384 hash: 61bbab387987a53da6f60d0de14438da440a19b47bb4790b926d3f846235eeddb5e71f72c5d83872de520d17e5e92e41
SHA1 hash: 707a8d09a7a2e0b7430bd0bdc596112709366d02
MD5 hash: 8f42a57b7547554fb685f15e4a724582
humanhash: saturn-oregon-sodium-yellow
File name: b82752e798eec15d7e5ff9bbef1e9eabb2ee862ea904b327f4322fa55a18cc3f.dll
Signature: PlugX
File size: 164'352 bytes
First seen: 2021-08-06 12:18:54 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 397051b6d9c5c8b855041d0a2769af43 (2 x PlugX)
ssdeep: 3072:SXZC1fhEIosP/HMP7kUj6IXE6i1xRqLCJVQyyR:uC1fWIpP/H67kU+I06i1D6
Threatray: 9 similar samples on MalwareBazaar
TLSH: T145F31800E040D3B6E4BA40F94BBDAE5B257DA962071515DF37C29C3E79D2DE16B38E22
Reporter: Anonymous
Tags: decrypted dll Plugx

Intelligence

File Origin
# of uploads: 1
# of downloads: 214
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: clean
Classification: n/a
Score: 7 / 100
Behaviour
Behavior Graph: n/a
Result
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-08-06 12:19:13 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 23 of 46 (50.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:plugx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Malware Config
C2 Extraction:
103.56.53.106:80
103.56.53.106:110
103.56.53.106:443
103.56.53.106:5938
Unpacked files
SHA256 hash: b82752e798eec15d7e5ff9bbef1e9eabb2ee862ea904b327f4322fa55a18cc3f
MD5 hash: 8f42a57b7547554fb685f15e4a724582
SHA1 hash: 707a8d09a7a2e0b7430bd0bdc596112709366d02

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments