MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23b041b14e29dbb8dff3467e1578fd3a6094dda197e53f2229fbf9e868161279. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YoungLotus

Vendor detections: 11

SHA256 hash: 23b041b14e29dbb8dff3467e1578fd3a6094dda197e53f2229fbf9e868161279
SHA3-384 hash: 26bf098883208d859ed42bcdb6ec37689f35e79fda17505dfcf63a67a09486244b16cd46bd152c15a6a635e2dea06bab
SHA1 hash: 852ff9983d7e70da8cd7fe66286f91fb315c78ae
MD5 hash: a97cf4b3f6ed46e0b84d64954d18d3ae
humanhash: island-sad-uniform-summer
File name: Microsoft基础类应用程序.exe
Signature: YoungLotus
File size: 311'296 bytes
First seen: 2022-05-26 13:25:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9499369674e86e5a731c3adfadd95717 (1 x YoungLotus)
ssdeep: 6144:DMo2bAb2IlGeDb0dA9K7wmvXPl3doLX+k11wNimD94PnlWJ:oo2bAb2gGeDb0dAY5XhOr+k13L
Threatray: 42 similar samples on MalwareBazaar
TLSH: T1CA647C22F2A1C873C646417D0FD18BBAEDF5EE704AE24E83338C5B1C5D717A2962E255
TrID:
  31.5% (.EXE) InstallShield setup (43053/19/16)
  22.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  12.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  9.5% (.SCR) Windows screen saver (13101/52/3)
  7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: 8981cc9eba9e8cb3 (1 x YoungLotus)
Reporter: obfusor
Tags: exe younglotus

Intelligence

File Origin
# of uploads: 1
# of downloads: 309
Origin country: n/a

Vendor Threat Intelligence
Malware family:
ID: 1
File name: Microsoft基础类应用程序.exe
Verdict: Malicious activity
Analysis date: 2022-05-26 13:32:12 UTC
Tags: installer trojan rat pcrat gh0st

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Sending a custom TCP request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GhostRat, Nitol
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Snort IDS alert for network traffic
Yara detected GhostRat
Yara detected Nitol
Threat name: Win32.Trojan.GhostRatCrypt
Status: Malicious
First seen: 2022-05-26 13:26:09 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 16 of 40 (40.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments