MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3541aae2111f4d292afeb914a9496298752c019425000212ba6f0e8cd7719542. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YoungLotus

Vendor detections: 8

SHA256 hash: 3541aae2111f4d292afeb914a9496298752c019425000212ba6f0e8cd7719542
SHA3-384 hash: a34e907bc24d375bacf4afd1e5d40f66f331de8188c6f34b9035508744605c2554a97ef473599786d93959007fcefa15
SHA1 hash: bae5e3834e332024c402414f84487052d7f5a01f
MD5 hash: 9ba0849998b51bd23d32fd2c29414ded
humanhash: green-india-wolfram-chicken
File name: 【Grab_打车软件重新开启】_目前_Grab_Car_已经打开_、_但不接受现金支付。意味着提交订单后需要马上在线支付。账户需要提前充值.exe
File name (English translation of the lure text; the original is the IOC): [Grab ride-hailing app reopened] Grab Car is open again, but does not accept cash payment. This means you must pay online immediately after placing an order. Accounts need to be topped up in advance.exe
Signature: YoungLotus
File size: 3'756'132 bytes
First seen: 2021-03-31 20:01:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6c1091d5f54010e91186d715de5e1e30 (1 x YoungLotus)
ssdeep: 24576:DdhGVWohsfk1CnWi52LFvRrvwN1bucPiGzJEzOQN42LOURJjy:DKWkCnrwFv1YqcKG+SQN4Ejy
Threatray: 86 similar samples on MalwareBazaar
TLSH: AC06E101B5D1C0B5D6C5293014A6E73A9BB99E111B35CFC3A394EF1D2E327E2AD3A136
Reporter: ActorExpose
Tags: younglotus

Intelligence


File Origin
# of uploads: 1
# of downloads: 103
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: httpstelegra.ph七月份最全回国航线汇总-06-22.exe (translation of the lure text: "httpstelegra.ph Most complete summary of July flight routes back to China-06-22.exe")
Verdict: No threats detected
Analysis date: 2020-06-22 14:31:46 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox, so its report reflects the analyst's actions during the session rather than the uploaded sample alone; the task listed above was a separate submission of this file, which is why its file name and date differ from this entry.

Result
Verdict: Malware
Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the Windows directory
Creating a service
Launching a service
Moving a file to the Windows subdirectory
Sending a UDP request
DNS request
Enabling autorun for a service
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.PUA.FlyStudio (a generic label for executables built with the Chinese EPL/易语言 toolchain; on its own it indicates origin, not malice)
Status: Malicious
First seen: 2020-06-16 13:48:00 UTC
AV detection: 30 of 31 (96.77%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Unpacked files

SHA256 hash: 8ade6b21210f8944bc8ecf74e9dd602b0d108c70f2ed4e872bf958dafcf91a8d
MD5 hash: 805efb5e5b7f9af8be6962bf2fdaf0e3
SHA1 hash: bb7377257f24c2069710a571b465f8b7f38f2ee7

SHA256 hash: f1a700ed2039e1491486e0dafef60028f1845c3504ada80da40465d298a6d5c9
MD5 hash: a73fd7d6c82ea49b369e1763e1d7d807
SHA1 hash: b24d90cf27d25f9e3799cea9c374438dc203154e
Detections: win_younglotus_g0 win_younglotus_auto

SHA256 hash: 46409c9edd64a5e355a01984a7159204c5bb08fac6ec6b0f3e5136aaaf0ce967
MD5 hash: 96ab6f67ed51330bc5cca48169479d7a
SHA1 hash: 96ed49bad8e75105f600836f14f163ec0451842d

SHA256 hash: 3541aae2111f4d292afeb914a9496298752c019425000212ba6f0e8cd7719542 (the submitted sample itself)
MD5 hash: 9ba0849998b51bd23d32fd2c29414ded
SHA1 hash: bae5e3834e332024c402414f84487052d7f5a01f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: IceID_Bank_trojan
Author: unixfreaxjp
Description: Detects IcedID (adjusted several times)

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with the MPress PE compressor

Rule name: suspicious_packer_section
Author: @j0sm1
Description: Packer/protector section names and keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_younglotus_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Autogenerated rule brought to you by yara-signator
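Two of the YARA matches above (INDICATOR_EXE_Packed_MPress and suspicious_packer_section) key on PE section names, and the hash block at the top of the entry is what an unknown file gets compared against. The script below is an added example, not MalwareBazaar, Malpedia or rule-author code: it walks the DOS header, PE signature and COFF header with struct, flags section names from a constructed subset of packer names (MPress, UPX, ASPack, Petite), and computes the four digests the entry lists. The PE image it parses is built in memory (headers only, no code) so the script runs offline; PACKER_SECTION_NAMES is an illustrative set chosen for the example, not the full keyword list of either rule.

```python
"""PE section-name packer check plus the MalwareBazaar digest set (added example)."""
from __future__ import annotations

import hashlib
import struct

# Section names set by common packers. Constructed, illustrative subset
# for this example; not the full keyword list of any YARA rule.
PACKER_SECTION_NAMES = {
    b".MPRESS1", b".MPRESS2",   # MPress (the INDICATOR_EXE_Packed_MPress case)
    b"UPX0", b"UPX1", b"UPX2",  # UPX
    b".aspack", b".adata",      # ASPack
    b".petite",                 # Petite
}

COFF_HEADER_SIZE = 20     # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def parse_sections(data: bytes) -> list[str]:
    """Return the section names of a PE image held in memory.

    Every offset read from the file is bounds-checked, so a truncated or
    malformed header raises ValueError instead of returning garbage.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if coff + COFF_HEADER_SIZE > len(data):
        raise ValueError("truncated COFF header")
    (_machine, num_sections, _timestamp, _symtab, _nsyms,
     size_of_optional, _characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + COFF_HEADER_SIZE + size_of_optional
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError(f"section table truncated at entry {i}")
        raw = data[off:off + 8]  # IMAGE_SECTION_HEADER.Name[8], NUL-padded
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def packer_sections(data: bytes) -> list[str]:
    """Section names that match the packer list, in file order."""
    return [n for n in parse_sections(data) if n.encode("latin-1") in PACKER_SECTION_NAMES]


def digests(data: bytes) -> dict[str, str]:
    """The four digests MalwareBazaar lists per sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def build_sample(section_names: list[bytes]) -> bytes:
    """Constructed header-only PE32 image for testing; not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew
    size_of_optional = 224                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       size_of_optional, 0x0102)             # i386, EXE, 32-bit
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)               # PE32 magic
    sections = b"".join(name.ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
                        for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections


if __name__ == "__main__":
    sample = build_sample([b".MPRESS1", b".MPRESS2", b".rsrc"])
    print("sections:", parse_sections(sample))
    print("packer hits:", packer_sections(sample))
    for algo, value in digests(sample).items():
        print(f"{algo}: {value}")
```

To run it against a real file, replace build_sample with open(path, "rb").read() and compare digests(...)["sha256"] to the SHA256 in the entry. A section-name hit is a triage signal rather than a verdict, since legitimate software ships packed too, which is why the entry pairs the packer rules with vendor verdicts and the hashes of the unpacked files.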

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments