MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d00a8d861b0ef150cfd2cc298f4c01a1006ded8144a9b0b956fc3cb267397c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



YoungLotus


Vendor detections: 18



SHA256 hash: 5d00a8d861b0ef150cfd2cc298f4c01a1006ded8144a9b0b956fc3cb267397c2
SHA3-384 hash: bdeb2bdee8c1cdd87a0f56b7e4af21883abc246941c9729737e6f06970b68877ed9df266ce89c9776dde337ea8db9626
SHA1 hash: bb7cd47c9e8da54479615e087dae97a03fc9093b
MD5 hash: 629c5de7eaa1475a8537f42542b11b99
humanhash: apart-oven-thirteen-west
File name: WinRAR.exe
Signature: YoungLotus
File size: 1'942'500 bytes
First seen: 2026-05-24 15:21:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e0a0e8f80bbd1a9c0078e57256f1c3d (8 x ValleyRAT, 5 x GCleaner, 4 x CoinMiner)
ssdeep: 49152:JgqKIXzbUQEaLpkl9sUeoS4HdGieV8emYvEVj:JzEQlLg9Q4Qig89qEJ
Threatray: 1 similar samples on MalwareBazaar
TLSH: T18F95120AE7E404F8E0B7A1B8DD164903E777BC9E1761D78F07A856562F232A09D3E760
TrID: 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
      28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.5% (.EXE) OS/2 Executable (generic) (2029/13)
      11.3% (.EXE) Generic Win/DOS Executable (2002/3)
      11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika: pebin
dhash icon: 9494b494d4aeaeac (904 x DCRat, 486 x NirCmd, 172 x RedLineStealer)
Reporter: Ling
Tags: exe SilverFox ValleyRAT younglotus


CNGaoLing
SilverFox
IOC (IP 156.245.235.131) (IP 47.98.129.153)

Intelligence


File Origin
# of uploads:
1
# of downloads:
157
Origin country:
US
Vendor Threat Intelligence
Malware configuration found for: Archives, Donut, ValleyFall
Details:
Archives: SFX commands and extracted archive contents
Donut: a Maru hash IV, signature verification, Donut-Chaskey encryption parameters, and a decrypted component or network parameters for download of the module
ValleyFall: configuration settings and possibly extracted component
Malware family:
fatalrat
ID:
1
File name:
WinRAR.exe
Verdict:
Malicious activity
Analysis date:
2026-05-24 15:05:03 UTC
Tags:
anydesk rmm-tool donutloader loader valleyrat rat silverfox winos fatalrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
shellcode dropper emotet virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Creating a file
Creating a process with a hidden window
Connection attempt
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 cmd crypto evasive expired-cert explorer fingerprint installer installer-heuristic lolbin microsoft_visual_cc obfuscated overlay packed reconnaissance regedit sfx tracker
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-05-24T11:56:00Z UTC
Last seen:
2026-05-24T14:44:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Ixeshe.sb HEUR:Trojan.Win64.Donut.a HEUR:Trojan-Dropper.Win32.Agent.pefng Trojan-Dropper.Win32.Agent.tkdkrn Trojan.Win32.Farfli.sb HEUR:Trojan.Multi.Donut.b Trojan.Win32.Inject.sb Backdoor.Win32.Xkcp.a Trojan.Agent.TCP.C&C Trojan.Win32.Shellcode.sb Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Lotok.sbd Backdoor.Win32.Farfli.sb Trojan.Antavmu.TCP.C&C PDM:Trojan.Win32.Generic Trojan.Win32.Shellcode.nyn
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Exploit.DonutMarte
Status:
Malicious
First seen:
2026-05-24 15:21:16 UTC
File Type:
PE+ (Exe)
Extracted files:
94
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:donutloader family:fatalrat family:valleyrat_s2 backdoor discovery infostealer loader rat stealer trojan
Behaviour
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects DonutLoader
Family: DonutLoader
Family: FatalRat
Family: ValleyRat
Fatal Rat payload
Malware Config
C2 Extraction:
156.245.235.131:443
127.0.0.1:8888
127.0.0.1:80
Unpacked files
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Author:malware-lu
Rule name:Check_DriveSize
Rule name:Check_OutputDebugStringA_iat
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dgaaga
Author:Harshit
Description:Detects suspicious PowerShell or registry activity
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name:GenericGh0st
Author:Still
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:MALWARE_Win_FatalRAT
Author:ditekSHen
Description:Detects FatalRAT
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win32_younglotus
Author:Reedus0
Description:Rule for detecting YoungLotus malware
Rule name:Windows_Generic_Threat_7693d7fd
Author:Elastic Security
Rule name:win_fatal_rat_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.fatal_rat.
Rule name:win_fatal_rat_w0
Author:AT&T Alien Labs
Description:Detects FatalRAT, unpacked malware.
Reference:https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: YoungLotus
File: Executable exe 5d00a8d861b0ef150cfd2cc298f4c01a1006ded8144a9b0b956fc3cb267397c2 (this sample)

Delivery method
Distributed via web download

Comments