MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 210990e36122e0facc7c74373569f052fa0651ab06644330fe00b685793ee0fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YoungLotus

Vendor detections: 7

SHA256 hash: 210990e36122e0facc7c74373569f052fa0651ab06644330fe00b685793ee0fd
SHA3-384 hash: aee59a556a5fa0032ff1b20a17ecd8264e6a8badc96d283187c094f1d118a05ecea492f69c114c0ca39d41b55265b432
SHA1 hash: 7d049490eb3d4bd79de9f67a0ae55baf74c2e582
MD5 hash: 99fc53d3d4c2c31fd5b5f0f15dbdeab4
humanhash: alanine-august-blossom-nebraska
File name: 210990e36122e0facc7c74373569f052fa0651ab06644330fe00b685793ee0fd.bin
Signature: YoungLotus
File size: 719'703 bytes
First seen: 2021-06-02 13:27:58 UTC
Last seen: 2021-06-02 14:00:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 219e16fcc9bee3c339e320279e3ea7b8 (2 x YoungLotus)
ssdeep: 12288:MPP4xa0NIIwpaBLOyEJN8E555pb9drqxtpKw:Rxa0dwpafEJN8Ez5pDrmtcw
Threatray: 3 similar samples on MalwareBazaar
TLSH: 09E4AF223283C03ED57711728AAB826D7276FE100B2996D363C47B6D5E785F27F36126
Reporter: Arkbird_SOLG
Tags: exe Fatal RAT younglotus

Intelligence

File Origin
# of uploads: 2
# of downloads: 147
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 210990e36122e0facc7c74373569f052fa0651ab06644330fe00b685793ee0fd.bin
Verdict: No threats detected
Analysis date: 2021-06-02 13:34:51 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Delayed reading of the file
Creating a file
Creating a file in the Windows directory
Creating a service
Launching a service
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Sending a UDP request
Enabling autorun for a service
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: bank.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Antavmu
Status: Malicious
First seen: 2021-05-20 19:16:00 UTC
File Type: PE (Exe)
Extracted files: 54
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments