{
	"id": "523efc10-c331-464a-aa76-dd8e92ef3716",
	"created_at": "2026-04-06T00:10:23.833861Z",
	"updated_at": "2026-04-10T03:20:06.096241Z",
	"deleted_at": null,
	"sha1_hash": "a10fdbb00164a28f7e97989a6ad86edb5f89751d",
	"title": "A “GULP” of PlugX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1443345,
	"plain_text": "A “GULP” of PlugX\r\nPublished: 2022-01-06 · Archived: 2026-04-05 23:02:43 UTC\r\nOften attributed to Chinese-speaking threat actors, PlugX, a remote access trojan (RAT), was identified by security\r\nresearchers in 2012. With several variants of the RAT identified by vendors over the years, many techniques used to\r\ncompromise systems have remained the same.\r\nWhile perusing public malware sandboxes for interesting new samples, I stumbled upon a Windows executable\r\nthat, at the time, had a VirusTotal score of 9 out of 68 anti-virus vendors.\r\nAs this sample was found via a sandbox, the delivery method is unknown and will not be covered in this post.\r\nDropper\r\nFigure 1\r\nSHA256: d88731851cc739ee72daf53700b0008db59ebb467e2394f9b3fc2162cd3a062f\r\nThis sample was identified by VT user PerMorten as a dropper for the reflective loading of PlugX. Looking a little\r\ncloser at the supposed dropper file, three additional files within the PE are identified:\r\nWinHelp32.exe\r\nrscom.dll\r\nrscom.dll.dat\r\nhttps://cyberandramen.net/2022/01/06/a-gulp-of-plugx/\r\nPage 1 of 10\n\nFigure 2\r\nWinHelp32.exe is a legitimate software application that will be described further below. For PlugX aficionados,\r\nthe above trio of files likely looks familiar. A well-known technique of PlugX is to utilize a dropper or self-extracting RAR PE file to extract files on the victim system for execution.\r\nThe Legitimate App\r\nFigure 3\r\nSHA256: ec200f75e4884933a56e82531f3f52e64e73a3347ad4a3b9e6318df82cdca92a\r\nWinhelp32.exe is a legitimate application from the Beijing Rising IT company, a Chinese software company that\r\ndevelops Rising Antivirus among other computer security software.\r\nAs the network infrastructure utilized with this malware was only recently registered as of November 2021, the\r\nreasoning for using an outdated application is unknown. 
The threat actor, in this case, may have purposefully\r\nutilized a Rising Antivirus executable in the targeting of the intended victim or picked a random executable for\r\ntheir malware.\r\nThe rscom.dll file does not contain much to write about other than its main purpose, which is to load the .dat file containing\r\nthe compressed/encoded PlugX payload.\r\nAs the payload is what everyone is here for, let’s dive a bit deeper into the data file.\r\nThe well-known magic “GULP” is visible in the .dat file through a hex editor. Additionally, within the file, MZ\r\nand PE headers are also visible.\r\nFigure 4\r\nThe .dat file is likely padded/compressed to evade antivirus engines. Upon execution, the file is decompressed via\r\na call to the Windows API RtlDecompressBuffer and run in memory.\r\nFigure 5\r\nIdentified in a number of reports on network intrusions involving PlugX, a familiar decryption routine (Figure 6)\r\nis also seen in rscom.dll.dat. The decryption routine contains multiple keys and shift operations, identified by the\r\nshr and shl instructions below.\r\nFigure 6\r\nMalware Flow\r\nThe unnamed dropper places the three files into “C:\\ProgramData\\Log” in addition to a file named NvSmart.hlp\r\n(Figure 7). Upon running WinHelp32, the application deletes itself, which is another interesting choice by the\r\nthreat actor, as this would likely raise suspicions by the victim running the antivirus software.\r\nFigure 7\r\nWatching the execution flow in your favorite Windows process monitoring software, old-school PlugX is in full\r\neffect. 
WinHelp32.exe injects itself into svchost.exe, with the usual second injected process, msiexec.exe, not\r\nbeing seen in this case.\r\nIn most cases, if services.exe is not the process launching svchost.exe, this would be an easy win for defenders to\r\ndetect. It is likely the threat actor is relying on the behavior of antivirus software injecting itself into a process that\r\nwould not raise alarms.\r\nTaking a look at the injected process’s read, write, execute (RWX) memory properties, we once again see that the MZ and\r\nPE headers have been replaced with GULP, or PLUG backward.\r\nFigure 8\r\nA number of hardcoded values including command and control (C2) information are located within the decoded\r\nconfiguration:\r\nFigure 9\r\nUpon further research, an additional network indicator is located that appears to be a proxy for the C2.\r\nFigure 10\r\nSo far we know the following about the network capabilities of this malware sample:\r\nA C2 domain of xiguamomomo[.]com\r\nUtilizes HTTP\r\nCommunicates with a proxy server of 43.129.208[.]226\r\nReferences to localhost, 127.0.0.1, can be seen in Figure 9, but the malware also seems to utilize the address for\r\ndebug or anti-analysis purposes. 
This technique could possibly be utilized to slow researchers who may not be\r\nrunning the malware as needed for proper execution (running only the DLL file, for example).\r\nFigure 11\r\nIn addition to the possible debug strings seen in Figure 11, some 28 .cpp file names indicating additional capabilities of\r\nthe RAT were also found:\r\nXJoin.cpp\r\nXThreadManager.cpp\r\nXSoUdp.cpp\r\nXSoTcpHttp.cpp\r\nXSoTcp.cpp\r\nXSoPipe.cpp\r\nXSniffer.cpp\r\nXSetting.cpp\r\nXSessionImpersonate.cpp\r\nXPlugTelnet.cpp\r\nXPlugSQL.cpp\r\nXPlugShell.cpp\r\nXPlugService.cpp\r\nXPlugScreen.cpp\r\nXPlugRegEdit.cpp\r\nXPlugProcess.cpp\r\nXPlugPortMap.cpp\r\nXPlugOption.cpp\r\nXPlugNetstat.cpp\r\nXPlugNetHood.cpp\r\nXPlugKeyLogger.cpp\r\nXPlugDisk.cpp\r\nXPlugLoader.cpp\r\nXPacket.cpp\r\nXOnline.cpp\r\nXInstall.cpp\r\nXDList.cpp\r\nXBuffer.cpp\r\nThe following interesting PDB paths were also found:\r\nFigure 12\r\nNetwork Indicators\r\nAccording to PassiveDNS information, the domain xiguamomomo[.]com resolves to 111.73.46[.]103, located in\r\nChina, first seen 2021-10-12.\r\nWHOIS information reveals the domain was registered through GoDaddy, with the registrant country listed as\r\nCambodia and the registrant identified as “ewrwer.”\r\nIn what could certainly be a coincidence, both xigua and momo are popular apps originating from China. Xigua,\r\nan online video-sharing app with users across the world, boasts some 160 million users. Momo, currently only\r\navailable in Chinese, is a social networking app with a large following.\r\nIt should be noted that not only is the delivery method of the RAT unknown, but also the targeting. 
The above\r\nshould be taken as low confidence at best, but is certainly interesting nonetheless.\r\nAn additional IP address of 111.73.46[.]30 (open ports: 3389, 8000, 5985, 5987, and 24681) was also identified\r\nthrough packet captures.\r\nThe ports 3389 (RDP) and 5985 are largely seen among many other suspected PlugX C2 infrastructure. This IP\r\naddress belongs to the Chinanet-Backbone ASN.\r\nThe possible proxy address 43.129.208[.]226 (open ports: 22, 3306, and 8443) is located in Hong Kong and\r\nbelongs to the TENCENT-NET-AP-CN ASN.\r\nMultiple User-Agent values were also found within the decoded configuration data, as seen in Figure 13.\r\nFigure 13\r\nConclusion\r\nAlthough there is quite a bit of information missing with this variant of PlugX, the fresh command and control\r\ninfrastructure and domain naming indicate that even dated versions of this RAT still get the job done.\r\nPlease keep an eye out for updates to this post as I look deeper into the network infrastructure to possibly tie\r\nadditional domains/malware to the above findings.\r\nIndicators\r\nFiles:\r\nDropper file: d88731851cc739ee72daf53700b0008db59ebb467e2394f9b3fc2162cd3a062f\r\nWinHelp32.exe (legitimate application):\r\nec200f75e4884933a56e82531f3f52e64e73a3347ad4a3b9e6318df82cdca92a\r\nRscom.dll (loader): 7af30d3c192f3fb85e1cadbf5c01f049f11eb036ca8107abb3451ffa0cc218b7\r\nRscom.dll.dat (PlugX payload):\r\nec46e04df901d7ec76ff1ad9ad6ceb54f8c2ad5e3597173365e094c5602e0049\r\nNetwork:\r\nxiguamomomo[.]com \u003e\u003e 111.73.46[.]103\r\n111.73.46[.]30\r\n43.129.208[.]226 (proxy)\r\n“/update?id=” (Callback URI in config)\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nMozilla/4.0 (compatible; MSIE 8.0; Win32)\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\nMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/31.0.1650.16 Safari/537.36\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\nMozilla/5.0 (Windows NT 6.2; rv:12.0) Gecko/20100101 Firefox/12.0\r\nMozilla/5.0 (Windows NT 6.2) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5\r\nMozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch)\r\nMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Xbox)\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\nMozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)\r\nMozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3\r\nSource: https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/"
	],
	"report_names": [
		"a-gulp-of-plugx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a10fdbb00164a28f7e97989a6ad86edb5f89751d.pdf",
		"text": "https://archive.orkl.eu/a10fdbb00164a28f7e97989a6ad86edb5f89751d.txt",
		"img": "https://archive.orkl.eu/a10fdbb00164a28f7e97989a6ad86edb5f89751d.jpg"
	}
}