MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YoungLotus


Vendor detections: 8


Intelligence 8 File information Yara 1 Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
SHA3-384 hash: eec8bb8cf5ad18234b5a74358f6f7fb0e57120db2d6462621928e6c60af43291ae0a15971a47e1ad7dafa25ef407e0a0
SHA1 hash: 842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
MD5 hash: ff7d3b6003c9058e40ae38a6a7efe40c
humanhash: lion-washington-vermont-tango
File name:ff7d3b6003c9058e40ae38a6a7efe40c.exe
Download: download sample
Signature YoungLotus
Create hunting rule
File size:409'600 bytes
First seen:2021-02-22 19:19:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19d4e66d725c89ba6712b82bebc8196d
ssdeep 6144:2SuxNOug5MI3KBau3EO8iZrEXA2czL6mWzdoZtAznpGuGEwJvfJ0s+VC:3ux9g5F6U2WOWczLygAzN6fJX
Threatray 27 similar samples on MalwareBazaar
TLSH 299412A23BC70655C34CB6B1CCA48B28039DD3E41E6D900FBE306959FD652ED993AE46
Reporter @abuse_ch
Tags:exe younglotus

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118406/
Detection(s):
Win.Keylogger.Deepscan-7603977-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process with a hidden window
Creating a file in the drivers directory
Loading a system driver
Creating a window
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a custom TCP request
Running batch commands
Launching a process
Sending a UDP request
Creating a process from a recently created file
Searching for the window
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614535
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 19:20:18 UTC
AV detection:
24 of 29 (82.76%)
Threat level
  5/5
Detection(s):
Malicious file
Link:
https://www.spamhaus.org/query/hash/ymye5rjjnb4tvzyjz56hzkwwvsxaxxwybchqntx35zk33yfjejhq._file
Verdict:
unknown
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
YoungLotus
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
YoungLotus
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
YoungLotus
70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
YoungLotus
8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905
YoungLotus
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
YoungLotus
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
YoungLotus
ad8bb6a26ffb2234855a89f214ac91cc98c8e53910a181f7cf9828062a734c03
YoungLotus
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
YoungLotus
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
YoungLotus
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210222-2gtrnk7r6x/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
Unpacked files
SH256 hash:
b02ecd10942f04770c4649d8b690c8dc5c6c5fa49404b2dfa387c6fac49498ec
MD5 hash:
c07785cb94c8dd84e10e5c4c2b78cdfc
SHA1 hash:
be5c9247801051e8d687a85035b9a64af88742b4
Link:
https://www.unpac.me/results/de72cf4c-6ef2-472d-98d7-2167ba47babf/
SH256 hash:
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
MD5 hash:
ff7d3b6003c9058e40ae38a6a7efe40c
SHA1 hash:
842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
Link:
https://www.unpac.me/results/de72cf4c-6ef2-472d-98d7-2167ba47babf/
AV coverage:
73.24%
AV detections:
52 / 71
Link:
https://www.virustotal.com/gui/file/c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f/detection/f-c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f-1614021716
Threat name:
Farfli
Score:
1.00

Yara Signatures

Rule name:win_younglotus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

YoungLotus

Executable exe c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/118406/
  
URLhaus
https://urlhaus.abuse.ch/url/1024489/
  
Delivery method
Distributed via web download

Comments