THE NEXT-GEN PLUGX/SHADOWPAD? A DIVE INTO THE EMERGING CHINA-NEXUS MODULAR TROJAN, PANGOLIN8RAT
Common Information
| Type | Value |
|---|---|
| UUID | c5e38f81-4c75-4ffe-b54f-c60fea5730cd |
| Fingerprint | 99f98530aa456cb6723d9c85c07d791c956ea933f2004c06829a90b09d9467b1 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | May 9, 2022, 10:02 a.m. |
| Added to db | March 11, 2024, 7:11 p.m. |
| Last updated | Aug. 31, 2024, 5:48 a.m. |
| Headline | THE NEXT-GEN PLUGX/SHADOWPAD? A DIVE INTO THE EMERGING CHINA-NEXUS MODULAR TROJAN, PANGOLIN8RAT |
| Title | THE NEXT-GEN PLUGX/SHADOWPAD? A DIVE INTO THE EMERGING CHINA-NEXUS MODULAR TROJAN, PANGOLIN8RAT |
| Detected Hints/Tags/Attributes | 133/4/114 |
Attributes
| Type | #Events | Value |
|---|---|---|
| CVE | 11 | cve-2019-16098 |
| CVE | 7 | cve-2022-24934 |
| File | 2 | inst.dat |
| File | 2 | smcache.dat |
| File | 1 | newuac.dll |
| File | 1 | newwhite.dll |
| File | 1 | pkgx64.dll |
| File | 25 | log.dll |
| File | 1 | corex64.dll |
| File | 1 | mainldr.dll |
| File | 8 | bdservicehost.exe |
| File | 2 | hostcfg.dat |
| File | 1 | fileless-malware_attack-trend-exposed.pdf |
| File | 55 | dwm.exe |
| File | 4 | kwsprotect64.exe |
| File | 1 | c:\programdata\spptools\ess4c85b739.dll |
| File | 15 | nortonsecurity.exe |
| File | 119 | avp.exe |
| File | 198 | msmpeng.exe |
| File | 1 | vb2021-12.pdf |
| File | 2 | earth-lusca-operations.pdf |
| File | 1 | just-a-game-130410.pdf |
| Github username | 1 | forrest-orr |
| Github username | 2 | jthuraisamy |
| Pdb | 1 | z:\disk\pangolin_reload\release\core\ldr\mfcldrx64.pdb |
| Pdb | 1 | d:\pangolinrev\release\core\litecorex64.pdb |
| Pdb | 1 | d:\pangolinrev\release\core\corex64.pdb |
| Pdb | 1 | d:\pe2shellcode\x64\release\native_loader.pdb |
| Pdb | 1 | e:\fud2\ketugya\bin\x64\test_msg.pdb |
| Threat Actor Identifier - APT | 522 | APT41 |
| Threat Actor Identifier - APT | 297 | APT27 |
| Threat Actor Identifier by Recorded Future | 18 | TAG-22 |
| Url | 1 | https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies |
| Url | 1 | https://github.com/forrest-orr/phantom-dll-hollower-poc |
| Url | 1 | https://gist.github.com/jthuraisamy/4c4c751df09f83d3620013f5d370d3b9 |
| Url | 1 | https://www.morphisec.com/hubfs/wp-content/uploads/2017/11/fileless-malware_attack-trend-exposed.pdf |
| Url | 1 | https://www.hexacorn.com/blog/2017/01/27/beyond-good-ol-run-key-part-57 |
| Url | 1 | https://elastic.github.io/security-research/whitepapers/2022/02/02.sandboxing |
| Url | 1 | https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting- |
| Url | 1 | https://vblocalhost.com/uploads/2021/09/vb2021-12.pdf |
| Url | 1 | https://blog.netlab.360.com/ghost-in-action-the-specter-botnet |
| Url | 2 | https://www.mandiant.com/resources/apt41-us-state-governments |
| Url | 1 | https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk |
| Url | 3 | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41- |
| Url | 2 | https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese- |
| Url | 1 | https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware- |
| Url | 1 | https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns |
| Url | 2 | https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs- |
| Url | 1 | https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits |
| Url | 1 | https://www.mandiant.com/resources/lowkey-hunting-missing-volume-serial-id |
| Url | 1 | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than- |
| Windows Registry Key | 1 | HKLM\Software\Microsoft\Cryptography\Offload\ExpoOffload |