MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32ed59ce4299490ce95d293f6304b1932873091fc0a3ec4db3052a89214245a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YoungLotus

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	32ed59ce4299490ce95d293f6304b1932873091fc0a3ec4db3052a89214245a7
SHA3-384 hash:	884a571583dfb601389bf0a8b8d4ded22f676ba40e3cc90fb6c97827d5977526b2fc5252e28b6d82f090d2cbf6dcc85e
SHA1 hash:	2a6e134d34a25d1c7c7cf340068fb996817e0c40
MD5 hash:	7fa81506e2397640ac4571ed3eee9c1e
humanhash:	summer-uniform-mobile-mountain
File name:	点击此处安装简体中文语言翻译汉化包690.exe
Download:	download sample
Signature	YoungLotus Create hunting rule
File size:	2'736'220 bytes
First seen:	2022-06-10 08:29:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e7a44f92ec960fd78c1f2a98d67fb7a4 (1 x YoungLotus)
ssdeep	49152:lUC3y045e6n7oBEjztDYWGEY91psnZYKWSrh:lUC3y0mrn8BFmY91psnZYKWi
TLSH	T108C54B11E106801FDAB715BA4EBF721D661CBF500311A2C7A2CC7E1D5FBA9E2793A44E
TrID	49.9% (.OCX) Windows ActiveX control (116521/4/18) 18.4% (.EXE) InstallShield setup (43053/19/16) 13.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter	obfusor
Tags:	exe younglotus

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

pcrat

ID:

File name:

点击此处安装简体中文语言翻译汉化包690.exe

Verdict:

Malicious activity

Analysis date:

2022-06-10 09:14:35 UTC

Tags:

installer trojan rat pcrat gh0st

Link:

https://app.any.run/tasks/3e30c1fc-88d0-45b7-ad17-ae5ed94425ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/278603/

Detection(s):

Win.Malware.Gh0stRAT-7459730-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Creating a file in the %AppData% subdirectories

Creating a window

Changing a file

Searching for synchronization primitives

Launching a service

Sending a custom TCP request

Sending an HTTP POST request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware keylogger overlay wacatac

Link:

https://www.filescan.io/uploads/62a30148c6d7350cc01241b9/reports/febe7d43-7d54-4727-97cc-0e2bde18ccb8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ff738579-cedd-453e-9e38-111c76061539

Result

Threat name:

Young Lotus

Detection:

malicious

Classification:

troj.evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1010675

Signature

Found evasive API chain (may stop execution after checking mutex)

Multi AV Scanner detection for submitted file

Yara detected Young Lotus

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/32ed59ce4299490ce95d293f6304b1932873091fc0a3ec4db3052a89214245a7/

Threat name:

Win32.Backdoor.Zegost

Status:

Malicious

First seen:

2022-06-10 08:30:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=glwvttsctfeqz2k5fe7wgbfrsmuhgci7ycr6ytntauvisikciwtq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220610-kd5wgadeh8/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

a26653c405eeec49150dc41fedce09a34cb96b4ff550a84968dafa37572bc8be

MD5 hash:

41e99a5cb7c9b401773cabafe2d54c80

SHA1 hash:

c82b20b24ef0c0746af0357a217463b751d5ae51

Detections:

win_younglotus_g0

Link:

https://www.unpac.me/results/dcfae031-d68a-4f60-9d8d-9175cd44bb6e/

Parent samples :

5e5f8efd6ced3f58cc5212b0f68a8badb9419b87a99fa1683ecc2f49e5103c1d
2addf0687e15d5da150548c7dd1d27bd3138b8ed464e0fe8cc6d091e34842ed3
bda9ac7c976d4077921a53b7b178aa402254d9e1e81a3eb7a5cc462982df9f0e
1876e6fe34192e24fcb2245199c99a6735a6424151044564506b14bd670e1f91
695dbd8c8d80719168bb3987b62fa5348f480ce00f4afbe54efae3a647fc2552
97a6d37991a271facf6254ac7e4f4072bb3718cdc01c2fc8d92e3953a3f8b453
1ae94a167f7ef76891fda0551c8306cb5834e9e89bca30c8a72921d376e0d3e1
04a7caa6cb7a45a1251f28f4ad9479e78f0fed395851c97729d30cc0490062e3
0e4c2040ee56cf81df3334e99fb2e419e9ed81a3c9d47bd8f57bb8a95a927baa
38590535738c42247dc06b18dc9bf011859942183a2de27e2f0fa2400bfa38d8
5fc335f79202263e7e68942ffc5f14d705db9caf44c09255ba142f5489a28155
3b2d63085e9da6b031fac137cc960379d46c895a0af0c75b7934c5057ed638cd
ac003329806ad003d7db1b36782431b0dce1aeca52cd9234983e8e1f78971164
252283a77c47a726452e660a27e434048a2020b8b7ff473164546d2f0d42d6db
e6c357c2c7c70b4630dbdcd86df2d98ed28cbd47a9efcbf727fe0fdbc5d5fefa
7e2d96a16f1c04dd0906f90ba3a827b55e35dc616ea21a6dfbd3c596f47b22c3
0a7efe1575204e7d7060acaf97370d560c72c30e5c3c57523d53fe35e2730e9e
7c02890decef71660dfe21a565fb508d7428092390976a964617cd50d672003b
32ed59ce4299490ce95d293f6304b1932873091fc0a3ec4db3052a89214245a7
37110e2a1293cd0ca22acee8dc6f21fc3de998ecf7f184b24c100428cffbb8ed
dacf404f18ed74e385ac6e44d264222ce138a16de81e6c1e9a45c3016c63588b

SH256 hash:

32ed59ce4299490ce95d293f6304b1932873091fc0a3ec4db3052a89214245a7

MD5 hash:

7fa81506e2397640ac4571ed3eee9c1e

SHA1 hash:

2a6e134d34a25d1c7c7cf340068fb996817e0c40

Link:

https://www.unpac.me/results/dcfae031-d68a-4f60-9d8d-9175cd44bb6e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/32ed59ce4299490ce95d293f6304b1932873091fc0a3ec4db3052a89214245a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/278603/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample