u/Nimbax

My personal PlugX analysis

Hello,
I wanted to share the findings I found on this malware (SHA256 included on the first page of the link, linking to MalwareBazaar).
I started 4 months ago and this is my first "APT" analysis. The reason I'm saying this is that if you have any feedback, suggestions, or corrections regarding either the analysis or the drafting of the text, I'd be more than happy to hear them, since I'm always learning. The entire analysis was done "blind", meaning I didn't read any prior analyses by others. This was essentially a personal challenge for me, and also a way to study more effectively: it's better to really bash my head against it than to just read how it works (over a month and a half...).

A quick run-down:
Tools used:
DIE, Sysinternals, IDA, x32dbg.

As many of you probably know (since it is widely published), the malware is a side loader. In this case it was using the media player "mpc-hc"; it crashed, then called "initcrashrpt.dll" and started the injection, followed by threads.

Sadly, due to my technical inability, I couldn't understand whether data was being exfiltrated during the initial contact with the C2 (beaconing).

The only data I retrieved is the ID it was sending. However, aside from seeing what was or wasn't stolen, I think it is really nice to see and understand the techniques used (e.g. PEB walking).

The focus of the guide was to make it a guided walkthrough where I explain some concepts that I also had to stop and open the docs to learn (not trying to sound condescending, since I'm still a beginner; it's simply that my English is bad).

https://github.com/Nimbax1/My-Malware-Analysis/blob/main/PlugX/Analysis.md

[Edit - typos]

u/Nimbax — 14 days ago