{
	"id": "cccc8e87-f293-4218-b3a8-ac917a67366f",
	"created_at": "2026-04-06T00:11:44.483999Z",
	"updated_at": "2026-04-10T13:12:54.151144Z",
	"deleted_at": null,
	"sha1_hash": "3d7721eeaf864f9e6c49847c78630685ba49e78e",
	"title": "Fresh PlugX October 2019",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 272884,
	"plain_text": "Fresh PlugX October 2019\r\nBy SC\r\nPublished: 2019-11-17 · Archived: 2026-04-05 23:04:15 UTC\r\nOn 15 November 2019, I received a VirusTotal notification for a copy of PlugX that had been uploaded (Yara rule PlugXBootLDRCode from https://github.com/citizenlab/malware-signatures/blob/master/malware-families/plugx.yara).\r\nMD5          : ce67994a4ee7cf90645e93aec084230d\r\nSHA1         : b42c84f851b8b7d2d2ddfbc9ac94e001204faf45\r\nSHA256       : 6b46e36245b5b9ed13c0fbfae730b49c04aba43b98deb75e388e03695ff5cbd1\r\nType         : Win32 DLL\r\nFirst seen   : 2019-11-15 08:04:32 UTC\r\nLast seen    : 2019-11-15 08:04:32 UTC\r\nFirst name   : plugx.dll\r\nWhat stood out from the notification (outside of the file being named plugx.dll) was a compilation time of Fri Oct 4 08:34:45 2019 UTC (a little more than a month before the writing of this post).\r\nInitial Validation\r\nThis specific rule matches on the code that assembles a set of API names - shown below:\r\n$ yara -s All.yara sample\r\nPlugXBootLDRCode [PlugX,Family] 6b46e36245b5b9ed13c0fbfae730b49c04aba43b98deb75e388e03695ff5cbd1\r\n0x7708:$GetProcAdd: 80 38 47 75 36 80 78 01 65 75 30 80 78 02 74 75 2A 80 78 03 50\r\n0x7786:$L4_LoadLibraryA: C7 85 5C FF FF FF 4C 6F 61 64 C7 85 60 FF FF FF 4C 69 62\r\n0x7859:$L4_ExitThread: C7 85 FC FE FF FF 45 78 69 74 C7 85 00 FF FF FF 54 68 72 65\r\nhttps://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html\r\nPage 1 of 4\r\nScreenshot of match condition in IDA\r\nAs a general note, the -s flag in Yara is used for outputting the matched strings and is extremely useful for debugging rules and evaluating why a file matched.\r\nFrom a quick comparison of the strings, a Google search found previous reporting confirming this file was PlugX (ref: http://takahiroharuyama.github.io/blog/2014/03/27/id-slash-idapython-scripts-extracting-plugx-configs/)\r\nDEMO...\r\nTHIS IS A DEMO VERSION!!!\r\n\\\\.\\PIPE\\RUN_AS_USER(%d)\r\n%WINDIR%\\SYSTEM32\\SERVICES.EXE\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSystem\\CurrentControlSet\\Services\r\ndebug.hlp\r\nC:\\Windows\\System32\\rundll32.exe \"%s\" BypassUAC %s\r\nPI[%8.8X]\r\n%s\\%d.plg\r\nmytilus3.hlp\r\n%04d-%02d-%02d %02d:%02d:%02d\r\nOverlaps with versions\r\nAn outstanding point of reference for evaluating PlugX is the Sophos report (https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf). On page 7, Gabor Szappanos has a table covering the supported commands. In this copy, sub_10008DE acts as a command handler for evaluating operator commands and can be used to compare this copy against the one from 2014:\r\nIn the above screenshot, many of the commands from the 2014 version are present; some additional commands are present but are handled within sub-functions of sub_10008DE.\r\nWhat did appear unique was a set of commands for monitoring clipboard activity:\r\nAn initial Google search did not show any hits for these being previously documented commands in PlugX - suggesting it may be a new feature - however, further analysis is needed to validate this.\r\nSource: https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html"
	],
	"report_names": [
		"fresh-plugx-october-2019.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d7721eeaf864f9e6c49847c78630685ba49e78e.pdf",
		"text": "https://archive.orkl.eu/3d7721eeaf864f9e6c49847c78630685ba49e78e.txt",
		"img": "https://archive.orkl.eu/3d7721eeaf864f9e6c49847c78630685ba49e78e.jpg"
	}
}