Added to the Dr.Web virus database: 2021-10-22

Virus description added:

Packer: absent

Compilation date: 2020-08-13

  • SHA1 hash: a8bff99e1ea76d3de660ffdbd78ad04f81a8c659


The PlugX backdoor module is written in C. Its task is to decrypt the shellcode stored in the registry, which in turn loads the main backdoor into memory.

Operating routine

At startup, the backdoor resolves the address of VirtualProtect() by hash and uses it to set PAGE_EXECUTE_READWRITE on the region that starts at the function located at 0x10001000 and extends over the entire .text section:


The function that resolves a function address from the hash passed as a parameter:



A script to find the function matching a given hash:

import pefile

# Rotate right on a max_bits-wide value, as the backdoor's hashing loop does
ror = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
max_bits = 32
library_path_list = [...]  # absolute paths of the DLLs to search

def get_func_addr(hash):
    for library_path in library_path_list:
        library = library_path.split('\\')
        # The module name is hashed upper-cased as a wide (UTF-16) string with its
        # terminator, so every character is followed by a zero byte
        name_dll = library[len(library) - 1].upper() + '\x00'
        hash_name_dll = 0
        for i in name_dll:
            hash_name_dll = ord(i) + ror(hash_name_dll, 0x0D, max_bits)
            hash_name_dll = 0 + ror(hash_name_dll, 0x0D, max_bits)
        pe = pefile.PE(library_path)
        # Export names are hashed as plain ASCII, including the terminating NUL
        for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
            if exp.name is None:  # ordinal-only exports have no name to hash
                continue
            func_name = exp.name + b'\x00'
            hash_name_func = 0
            for i in func_name:
                hash_name_func = i + ror(hash_name_func, 0x0D, max_bits)
            # The backdoor compares the 32-bit sum of the two hashes
            if (hash_name_dll + hash_name_func) & 0xFFFFFFFF == hash:
                print('{} -> 0x{:08x} -> {}'.format(name_dll, hash, exp.name.decode()))
                return exp.address  # RVA of the matching export
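The same hashing scheme as an added, self-contained example (not code from the Dr.Web page): it reproduces the module-name and export-name hashes and resolves a hash against a constructed export table, so the algorithm can be checked offline without pefile or real DLLs. The DLL names and exports in EXPORTS are constructed sample data.

```python
MASK32 = 0xFFFFFFFF

def ror32(val, bits):
    """Rotate a 32-bit value right by `bits`, as the backdoor's hashing loop does."""
    bits %= 32
    val &= MASK32
    return ((val >> bits) | (val << (32 - bits))) & MASK32

def hash_wide(name):
    """Module-name hash: upper-cased, UTF-16LE, including the terminator, so every
    character byte is followed by a zero byte that is folded in as well."""
    h = 0
    for b in name.upper().encode('utf-16-le') + b'\x00\x00':
        h = (b + ror32(h, 13)) & MASK32
    return h

def hash_ascii(name):
    """Export-name hash: plain ASCII with the terminating NUL."""
    h = 0
    for b in name.encode('ascii') + b'\x00':
        h = (b + ror32(h, 13)) & MASK32
    return h

def api_hash(dll, func):
    """The 32-bit value embedded in the binary: module hash + export hash."""
    return (hash_wide(dll) + hash_ascii(func)) & MASK32

# Constructed export table standing in for what pefile would read from real DLLs.
EXPORTS = {
    'KERNEL32.DLL': ['VirtualProtect', 'VirtualAlloc', 'LoadLibraryA', 'GetProcAddress'],
    'ADVAPI32.DLL': ['RegOpenKeyExA', 'RegQueryValueExA'],
}

def build_table(exports):
    """Precompute hash -> (dll, export) for every export in the table."""
    table = {}
    for dll, funcs in exports.items():
        for func in funcs:
            table[api_hash(dll, func)] = (dll, func)
    return table

def resolve(h, table):
    """Map a hash found in the binary back to (dll, export), or None if unknown."""
    return table.get(h & MASK32)
```

Because the export name is hashed case-sensitively while the module name is upper-cased first, a lookup table built this way only needs one entry per DLL spelling.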

The permissions are changed to PAGE_EXECUTE_READWRITE so that the code can be decrypted in place with an XOR operation:


There is also a version of the backdoor that uses a dynamic (rolling-key) XOR. The code is decrypted at the beginning of a function:



and re-encrypted at the end of the function:



An IDAPython script that simplifies this decryption:

import idaapi

def xor_dec(address, count, key):
    """Decrypt `count` dwords at `address` in place with the rolling XOR key:
    each decrypted dword is added to the key used for the next one."""
    for i in range(count):
        idaapi.patch_dword(address, idaapi.get_dword(address) ^ key)
        key = (key + idaapi.get_dword(address)) & 0xFFFFFFFF  # 32-bit add, as in the binary
        address += 4
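The rolling-key XOR from the passage above, as an added example that works on a byte buffer instead of the IDA database (not code from the Dr.Web page): both the decryption at the start of the function and the re-encryption at its end are shown, so the key chain can be studied on constructed data. SAMPLE_PLAIN and SAMPLE_KEY are constructed values.

```python
import struct

MASK32 = 0xFFFFFFFF

def xor_dec(buf, key):
    """Decrypt as the IDAPython helper does: XOR each little-endian dword with the
    running key, then add the *decrypted* dword to the key for the next round."""
    if len(buf) % 4:
        raise ValueError('buffer must be a whole number of dwords')
    out = bytearray()
    for (enc,) in struct.iter_unpack('<I', buf):
        dec = enc ^ key
        out += struct.pack('<I', dec)
        key = (key + dec) & MASK32   # 32-bit add, like the register in the binary
    return bytes(out)

def xor_enc(buf, key):
    """Inverse transform, i.e. the re-encryption at the end of the function: the key
    chain is driven by the plaintext dwords, so it is the same key sequence."""
    if len(buf) % 4:
        raise ValueError('buffer must be a whole number of dwords')
    out = bytearray()
    for (dec,) in struct.iter_unpack('<I', buf):
        out += struct.pack('<I', dec ^ key)
        key = (key + dec) & MASK32
    return bytes(out)

# Constructed sample: four plaintext dwords and an arbitrary starting key.
SAMPLE_PLAIN = struct.pack('<4I', 1, 2, 3, 4)
SAMPLE_KEY = 0x10
```

Since every key depends on the previously decrypted dword, one wrong starting key or one corrupted dword desynchronises everything after it, which is why the decryption must begin exactly at the function start.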

Before performing any malicious actions, the backdoor resolves the addresses of the other functions it needs in the same way as VirtualProtect():


Resolved functions:

Function name Hash

The backdoor also checks whether it is running in a sandbox:


After resolving the function addresses and performing the sandbox check, BackDoor.PlugX.93 removes the updatecfgSetup task from the Task Scheduler:


The shellcode encryption key is the MD5 hash computed from the following registry values:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallDate


The shellcode is stored in the following registry keys:



Before the shellcode is run, it is decrypted in two steps: first with the RC4 algorithm:


and then with XOR:
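The two-stage shellcode decryption described above (MD5-derived key, RC4, then XOR), as an added example rather than code from the Dr.Web page. Two things are assumptions because the page does not state them: that the InstallDate REG_DWORD is hashed as its raw little-endian bytes, and the form of the XOR stage, which is a labelled placeholder (repeating 4-byte key) to be replaced with the real routine. All SAMPLE_* values are constructed.

```python
import hashlib
import struct

def rc4(key, data):
    """Plain RC4 (key scheduling + keystream), stdlib only."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def derive_key(install_date):
    """MD5 of the InstallDate value. ASSUMPTION: the REG_DWORD is hashed as its raw
    little-endian bytes; the page does not say which encoding is hashed."""
    return hashlib.md5(struct.pack('<I', install_date)).digest()

def xor_stage(data, xor_key):
    """Second stage. PLACEHOLDER: the page shows this step only as a screenshot, so
    a repeating 4-byte key is assumed here; substitute the real routine once known."""
    k = struct.pack('<I', xor_key)
    return bytes(b ^ k[i % 4] for i, b in enumerate(data))

def decrypt_shellcode(blob, install_date, xor_key):
    """Registry blob -> shellcode: RC4 with the MD5-derived key, then XOR."""
    return xor_stage(rc4(derive_key(install_date), blob), xor_key)

def encrypt_shellcode(shellcode, install_date, xor_key):
    """Same two symmetric stages in reverse order; used here only to build test data."""
    return rc4(derive_key(install_date), xor_stage(shellcode, xor_key))

# Constructed sample values, not taken from a real infection.
SAMPLE_INSTALL_DATE = 1597276800   # arbitrary Unix timestamp
SAMPLE_XOR_KEY = 0xDEADBEEF
SAMPLE_SHELLCODE = bytes(range(32))
```

Because the RC4 key is derived from a per-machine registry value, a registry blob copied from one host cannot be decrypted on another without that host's InstallDate, which matters when collecting evidence for analysis.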


Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.