MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17075832426b085743c2ba811690b525cf8d486da127edc030f28bb3e10e0734. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YoungLotus


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17075832426b085743c2ba811690b525cf8d486da127edc030f28bb3e10e0734
SHA3-384 hash: e09aa7db54e8f9c269dc37786ea2ec2c722b444c10f99fd27dc30ae563bfa86da2bd8115d9772769cdb08ff4b2bf2aee
SHA1 hash: 3a76eeffded18d5f6089bf59c3e343f4cc356ed7
MD5 hash: c3d1bb04a79f3e2164a0264316e9a94f
humanhash: aspen-paris-social-chicken
File name:10000000.dll
Download: download sample
Signature YoungLotus
Create hunting rule
File size:156'672 bytes
First seen:2021-05-08 13:53:42 UTC
Last seen:2021-05-09 06:45:03 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash b2eafe5d4b8c52d2ad598c3ccde39584 (2 x YoungLotus)
ssdeep 3072:QSTRXHO5lCOvc4yrDLCNlXOtXazr9tTBfoaDtZ6fD:QS93O5lCOMrDuNlXO1aFtTBQaDtQr
Threatray 2 similar samples on MalwareBazaar
TLSH FAE3AF13A74046BEE1A3533C549F5739AAFF7C300A5EE467B3889A0A1CA51DBE314B47
Reporter James_inthe_box
Tags:dll younglotus

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153217/
Detection(s):
Win.Dropper.Gh0stRAT-7696262-0
Create hunting rule

SecuriteInfo.com.BDS.Simda.AT.169.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/718683
Signature
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 408272 Sample: 10000000.dll Startdate: 08/05/2021 Architecture: WINDOWS Score: 96 18 Antivirus / Scanner detection for submitted sample 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Machine Learning detection for sample 2->22 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 2 7->9         started        12 cmd.exe 1 7->12         started        14 rundll32.exe 7->14         started        signatures5 24 Creates an undocumented autostart registry key 9->24 26 Contains functionality to determine the online IP of the system 9->26 28 Contains functionality to detect virtual machines (IN, VMware) 9->28 30 6 other signatures 9->30 16 rundll32.exe 12->16         started        process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17075832426b085743c2ba811690b525cf8d486da127edc030f28bb3e10e0734/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-05-08 13:53:36 UTC
File Type:
PE (Dll)
AV detection:
26 of 47 (55.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c4dvqmscnmefoq6cxkarnefvexhy2sdnuet63qbq6kf3hyioa42a._file
Verdict:
suspicious
Similar samples:
b01719e59675236df1a0e1a78cdd97455c0cf18426c7ec0f52df1f3a78209f65
YoungLotus
be17d0aae808adf3e8030e73726ee59924b9b7bb72163d32cff6848a3c964520
YoungLotus
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210508-xkzs998j3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
17075832426b085743c2ba811690b525cf8d486da127edc030f28bb3e10e0734
MD5 hash:
c3d1bb04a79f3e2164a0264316e9a94f
SHA1 hash:
3a76eeffded18d5f6089bf59c3e343f4cc356ed7
Detections:
win_younglotus_g0
Create hunting rule
Link:
https://www.unpac.me/results/5cf745fe-fba7-427d-8ec8-046850d9df92/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17075832426b085743c2ba811690b525cf8d486da127edc030f28bb3e10e0734

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/153217/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-08 14:00:01 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.034] Anti-Behavioral Analysis::Anti-debugging Instructions
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [B0009.025] Anti-Behavioral Analysis::Unique Hardware/Firmware Check - I/O Communication Port
3) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
4) [B0012.001] Anti-Static Analysis::Argument Obfuscation
5) [F0002.002] Collection::Polling
6) [B0030.002] Command and Control::Receive Data
7) [C0011.001] Communication Micro-objective::Resolve::DNS Communication
8) [C0002.012] Communication Micro-objective::Create Request::HTTP Communication
9) [C0002.017] Communication Micro-objective::Get Response::HTTP Communication
10) [C0002.004] Communication Micro-objective::Open URL::HTTP Communication
11) [C0001.009] Communication Micro-objective::Initialize Winsock Library::Socket Communication
12) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
13) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
14) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
15) [C0060] Data Micro-objective::Compression Library
16) [C0026.002] Data Micro-objective::XOR::Encode Data
19) [B0043] Discovery::Taskbar Discovery
20) [C0045] File System Micro-objective::Copy File
21) [C0046] File System Micro-objective::Create Directory
22) [C0048] File System Micro-objective::Delete Directory
23) [C0049] File System Micro-objective::Get File Attributes
24) [C0051] File System Micro-objective::Read File
25) [C0052] File System Micro-objective::Writes File
26) [B0042.001] Impact::CDROM
27) [B0042.002] Impact::Mouse
28) [C0007] Memory Micro-objective::Allocate Memory
29) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
30) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
31) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
32) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
33) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
34) [C0017] Process Micro-objective::Create Process
35) [C0038] Process Micro-objective::Create Thread
36) [C0018] Process Micro-objective::Terminate Process