MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d1c8b7a5776992e25a7600ed72d7b0059f2531cc77da2d75483d6de9dbaf042. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



YoungLotus


Vendor detections: 16



SHA256 hash: 1d1c8b7a5776992e25a7600ed72d7b0059f2531cc77da2d75483d6de9dbaf042
SHA3-384 hash: 2e32787cf6d0a05680eea2184d684958d4231d069923f4c750dab455fae021405185915b3017a8cd236fedc8620e0268
SHA1 hash: 51e6343565238df3d5cc371b8e353f8b6776d330
MD5 hash: 3a7d037c586f0c3fa546a3a2ce7f6fea
humanhash: iowa-july-comet-florida
File name: svchost.exe
Signature: YoungLotus
File size: 3'514'368 bytes
First seen: 2025-04-29 14:00:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9b201090749bae06a761156dbad9c4f1 (5 x YoungLotus, 5 x FatalRAT)
ssdeep: 49152:fkRXIxVUAR8Y1ZZ2CIIdUjJoJhOvL+yttv+hfvr6fQcru4yKfjgvXmiF/H:KrYZZuIa0OqWx+hGvI+jgv2O
Threatray: 47 similar samples on MalwareBazaar
TLSH: T13DF5226303613145EDE68C3AC53BBE9575F5422A0EC3AC36659EEDC52C23AF5B302993
TrID: 47.1% (.EXE) Win32 Executable MS Visual C++ 5.0 (60687/85)
      24.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      8.1% (.EXE) Win64 Executable (generic) (10522/11/4)
      5.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: aachum
Tags: exe FatalRAT younglotus


iamaachum
FatalRAT C2: a20.nbdsnb2.top

Intelligence


File Origin
# of uploads: 1
# of downloads: 418
Origin country: ES

Vendor Threat Intelligence
Malware family: fatalrat
ID: 1
File name: 1d1c8b7a5776992e25a7600ed72d7b0059f2531cc77da2d75483d6de9dbaf042
Verdict: Malicious activity
Analysis date: 2025-03-19 20:55:18 UTC
Tags: fatalrat rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: phishing emotet

Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Creating synchronization primitives
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd entropy explorer farfli ghostrat krypt lolbin obfuscated packed packed packer_detected virtual vmprotect

Result
Threat name: FatalRAT, GhostRat, Nitol
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Threat name: Win32.Downloader.GhostRAT
Status: Malicious
First seen: 2025-03-19 13:06:00 UTC
File Type: PE (Exe)
AV detection: 28 of 38 (73.68%)
Threat level: 3/5

Result
Malware family: fatalrat
Score: 10/10
Tags: family:fatalrat discovery infostealer rat stealer trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Fatal Rat payload
FatalRat
Fatalrat family
Malware Config
C2 Extraction: a20.nbdsnb2.top

Verdict: Malicious
Tags: Win.Malware.Beforhkb-10038469-0 fatalrat
YARA: n/a
Unpacked files
SHA256 hash: 1d1c8b7a5776992e25a7600ed72d7b0059f2531cc77da2d75483d6de9dbaf042
MD5 hash: 3a7d037c586f0c3fa546a3a2ce7f6fea
SHA1 hash: 51e6343565238df3d5cc371b8e353f8b6776d330

SHA256 hash: 148865b33886c7aa103b77f438885b0bbfa1c69731e4d6af45cbab3073daca7e
MD5 hash: 3121cc0370a33d0bd186f2c5cf8d73d0
SHA1 hash: 7ea2dac0f90dabe2666252efc103390f9b7a2ddc
Detections: win_fatal_rat_w0 win_younglotus_g0 INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess MALWARE_Win_FatalRAT

SHA256 hash: bcdc410d9d18f8e89c3756889e68c271673a98590335c41d2b72275cfdf93cc3
MD5 hash: 013d4284e6ac84410b64cb9d42580a2b
SHA1 hash: f3f289e2e7bea166b1dab0bf6cd4af14d52cfab2
Detections: win_younglotus_g0 win_fatal_rat_w0 win_fatal_rat_auto INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess MALWARE_Win_FatalRAT

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Armadillov1xxv2xx
Author: malware-lu

Rule name: Check_DriveSize

Rule name: Check_OutputDebugStringA_iat

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Author: ditekSHen
Description: Detects executables calling ClearMyTracksByProcess

Rule name: MALWARE_Win_FatalRAT
Author: ditekSHen
Description: Detects FatalRAT

Rule name: NET
Author: malware-lu

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: win32_younglotus
Author: Reedus0
Description: Rule for detecting YoungLotus malware

Rule name: Windows_Generic_Threat_7693d7fd
Author: Elastic Security

Rule name: win_fatal_rat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.fatal_rat.

Rule name: win_fatal_rat_w0
Author: AT&T Alien Labs
Description: Detects FatalRAT, unpacked malware.
Reference: https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: YoungLotus
File type: Executable exe
SHA256 hash: 1d1c8b7a5776992e25a7600ed72d7b0059f2531cc77da2d75483d6de9dbaf042 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA

Comments