MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e2d96a16f1c04dd0906f90ba3a827b55e35dc616ea21a6dfbd3c596f47b22c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: YoungLotus
Vendor detections: 14

SHA256 hash: 7e2d96a16f1c04dd0906f90ba3a827b55e35dc616ea21a6dfbd3c596f47b22c3
SHA3-384 hash: 65ef4778b6f9a9a23008876d6a7fcc9c0c82cc0ffd77a6df4a9eb2d73fa469db7b5f75912da12e3b0886d9c206f94f1b
SHA1 hash: c8a313930ba09eafd7a5d36efa20fe36b0030651
MD5 hash: 01ca48b073743e7f525c3b5969009c46
humanhash: solar-indigo-july-beryllium
File name: 点击此处安装简体中文飞机语言汉化包.exe
Signature: YoungLotus
File size: 3'018'875 bytes
First seen: 2022-05-16 13:00:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 92580736950a4e490c70c5c6a137f563 (1 x YoungLotus)
ssdeep: 49152:XJ0X3jngai++GwmnJxMzNxxFiMw6DHWMZDXt:Z0HI+bnXMJN1FpXt
Threatray: 16 similar samples on MalwareBazaar
TLSH: T1A5D59F00E106E01ED57701BE4EBF721DB15DAF640305B6C7A28C3E6D5BBA8E1793A46E
TrID: 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter: obfusor
Tags: exe Farfli RAT younglotus

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 267
Origin country: n/a
Vendor Threat Intelligence

ID: 1
File name: 点击此处安装简体中文飞机语言汉化包.exe
Verdict: Malicious activity
Analysis date: 2022-05-16 23:29:38 UTC
Tags: trojan rat pcrat gh0st

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a window
Changing a file
Searching for synchronization primitives
Launching a service
Sending a custom TCP request
Sending an HTTP POST request
DNS request
Searching for the window
Result
Malware family: n/a
Score: 6/10
Tags: n/a

Behaviour
MalwareBazaar
CursorPosition
CheckCmdLine

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe greyware keylogger overlay packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Young Lotus
Detection: malicious
Classification: troj
Score: 64 / 100

Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Young Lotus

Threat name: Win32.Backdoor.Lotok
Status: Malicious
First seen: 2022-05-16 13:01:06 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: gh0strat
Score: 10/10
Tags: family:gh0strat rat upx

Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates connected drives
UPX packed file
Gh0st RAT payload
Gh0strat

Unpacked files
SHA256 hash: a26653c405eeec49150dc41fedce09a34cb96b4ff550a84968dafa37572bc8be
MD5 hash: 41e99a5cb7c9b401773cabafe2d54c80
SHA1 hash: c82b20b24ef0c0746af0357a217463b751d5ae51
Detections: win_younglotus_g0

SHA256 hash: 7e2d96a16f1c04dd0906f90ba3a827b55e35dc616ea21a6dfbd3c596f47b22c3
MD5 hash: 01ca48b073743e7f525c3b5969009c46
SHA1 hash: c8a313930ba09eafd7a5d36efa20fe36b0030651
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.