MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6edcd6a56400375b8f349a96f1ec0fc03c6b4f26c6f12ed2cfb032744fb9b929. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YoungLotus

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	6edcd6a56400375b8f349a96f1ec0fc03c6b4f26c6f12ed2cfb032744fb9b929
SHA3-384 hash:	6648c9b9734017b31ee2ca26a05c4fe8393a824828f051a70c77a588e7eb534f34fedec47b539d846269bfacd11b6ec9
SHA1 hash:	17fb30ce969ffa7c70b19f00aa0358e276bf6c94
MD5 hash:	296a3994412ee27eb9b76ca0738f91ae
humanhash:	sixteen-ink-william-hotel
File name:	296a3994412ee27eb9b76ca0738f91ae.dll
Download:	download sample
Signature	YoungLotus Create hunting rule
File size:	167'936 bytes
First seen:	2023-02-24 13:16:12 UTC
Last seen:	2023-02-24 14:34:56 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	3b1c4bbb9e374d6bbf1eb7ea6babf283 (1 x YoungLotus)
ssdeep	3072:xNLlQvwD5d6fh6yjBPAoBLEPg7JBIiPTjU72:7KSdoA6LEPimibj42
Threatray	13 similar samples on MalwareBazaar
TLSH	T171F31921E5A281B3C24D1534046E2734A6795BACCF368FD3A718FE9D09371C26D36A9E
TrID	42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.6% (.EXE) Win32 Executable (generic) (4505/5/1) 5.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter	abuse_ch
Tags:	dll younglotus

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Detection:

FatalRAT

Link:

https://www.capesandbox.com/analysis/369440/

Detection(s):

Sanesecurity.Malware.28933.BadIN.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/63f8b8cf0796d7d621e867a5/reports/de3e6882-90ae-49d7-9c31-66a3e2e1f506/overview

Verdict:

Malicious

Labled as:

GenKryptik.FDXF trojan

Link:

https://www.hybrid-analysis.com/sample/6edcd6a56400375b8f349a96f1ec0fc03c6b4f26c6f12ed2cfb032744fb9b929

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20cf25ff-171d-4407-82c9-1f02a094c72e

Result

Threat name:

GhostRat, Nitol

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1181867

Signature

Checks if browser processes are running

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to determine the online IP of the system

Contains functionality to infect the boot sector

Contains functionality to inject threads in other processes

Creates an undocumented autostart registry key

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected GhostRat

Yara detected Nitol

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6edcd6a56400375b8f349a96f1ec0fc03c6b4f26c6f12ed2cfb032744fb9b929/

Threat name:

Win32.Trojan.Antavmu

Status:

Malicious

First seen:

2023-02-24 13:17:07 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

14 of 25 (56.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n3onnjleaa3vxdzutklpd3apya6gwtzgy3ys5uwpwazhit5zxeuq._file

Verdict:

malicious

YoungLotus

2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4

YoungLotus

6e406696172c35ffeb20528df4a002746a6c8c01016c33530b7d7d210ad8ebfc

YoungLotus

af7ba44606b943ddb885c2a225e5e91c17cd15c8ca7f26ac90e7331c3f4094d2

YoungLotus

b01719e59675236df1a0e1a78cdd97455c0cf18426c7ec0f52df1f3a78209f65

YoungLotus

d5aa8ca98c65f958cea8f4a831a15ca2af8c375277a06584ba0d786e919db43c

YoungLotus

e52af19dce25d51f9cf258613988b8edc583f7c7e134d3e1b834d9aab9c7c4c4

YoungLotus

ec0dcfe2d8380a4bafadb3ed73b546cbf73ef78f893e32202042a5818b67ce56

YoungLotus

f1412515481a806ff3350065c8fc0c4c667b1545738deadbf5a1e18291147e48

YoungLotus

+ 3 additional samples on MalwareBazaar

Result

Malware family:

fatalrat

Score:

10/10

Tags:

family:fatalrat infostealer rat

Link:

https://tria.ge/reports/230224-qjc1jabd37/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Fatal Rat payload

FatalRat

Unpacked files

SH256 hash:

6edcd6a56400375b8f349a96f1ec0fc03c6b4f26c6f12ed2cfb032744fb9b929

MD5 hash:

296a3994412ee27eb9b76ca0738f91ae

SHA1 hash:

17fb30ce969ffa7c70b19f00aa0358e276bf6c94

Link:

https://www.unpac.me/results/a6aeaa56-d394-4b9e-8e9e-904dd597171e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6edcd6a56400375b8f349a96f1ec0fc03c6b4f26c6f12ed2cfb032744fb9b929

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/369440/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample