MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



YoungLotus


Vendor detections: 8


Intelligence 8 File information Yara 1 Comments

SHA256 hash: c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
SHA3-384 hash: eec8bb8cf5ad18234b5a74358f6f7fb0e57120db2d6462621928e6c60af43291ae0a15971a47e1ad7dafa25ef407e0a0
SHA1 hash: 842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
MD5 hash: ff7d3b6003c9058e40ae38a6a7efe40c
humanhash: lion-washington-vermont-tango
File name:ff7d3b6003c9058e40ae38a6a7efe40c.exe
Download: download sample
Signature YoungLotus
File size:409'600 bytes
First seen:2021-02-22 19:19:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19d4e66d725c89ba6712b82bebc8196d
ssdeep 6144:2SuxNOug5MI3KBau3EO8iZrEXA2czL6mWzdoZtAznpGuGEwJvfJ0s+VC:3ux9g5F6U2WOWczLygAzN6fJX
Threatray 27 similar samples on MalwareBazaar
TLSH 299412A23BC70655C34CB6B1CCA48B28039DD3E41E6D900FBE306959FD652ED993AE46
Reporter @abuse_ch
Tags:exe younglotus

Intelligence


File Origin
# of uploads :
1
# of downloads :
106
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process with a hidden window
Creating a file in the drivers directory
Loading a system driver
Creating a window
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a custom TCP request
Running batch commands
Launching a process
Sending a UDP request
Creating a process from a recently created file
Searching for the window
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.Farfli
Status:
Malicious
First seen:
2021-02-22 19:20:18 UTC
AV detection:
24 of 29 (82.76%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
Unpacked files
SH256 hash:
b02ecd10942f04770c4649d8b690c8dc5c6c5fa49404b2dfa387c6fac49498ec
MD5 hash:
c07785cb94c8dd84e10e5c4c2b78cdfc
SHA1 hash:
be5c9247801051e8d687a85035b9a64af88742b4
SH256 hash:
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
MD5 hash:
ff7d3b6003c9058e40ae38a6a7efe40c
SHA1 hash:
842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
Threat name:
Farfli
Score:
1.00

Yara Signatures


Rule name:win_younglotus_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

YoungLotus

Executable exe c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f

(this sample)

  
Delivery method
Distributed via web download

Comments