MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 951f412449f8469a97ae025871d3ed16e10b74015f1652e98dce3e956b991627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YoungLotus


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 951f412449f8469a97ae025871d3ed16e10b74015f1652e98dce3e956b991627
SHA3-384 hash: 7782f29a15d6f6deb19c2a5fd6d0cf861781b969d2793978c99072c789828ce89b07c0d20dec1ab976e2156c613f68c1
SHA1 hash: e6ed73c940afc296fb3882c4f99fb78a2b6a178a
MD5 hash: 4463cd67ccaef1c8496a5d0c65db50ef
humanhash: mango-edward-july-comet
File name:1433.exe
Download: download sample
Signature YoungLotus
Create hunting rule
File size:335'872 bytes
First seen:2021-02-11 08:59:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 379120d6f13ae4a93d5cae3294dacf13 (1 x YoungLotus)
ssdeep 6144:rR4RsEZtGzlYIVsWH5I716peaxnNZuu3:rR4SEjG5/3H5TpeEnH
Threatray 286 similar samples on MalwareBazaar
TLSH 0B649E2237B0CD7EC2D385328F96BB79AAF5F5404D264A0363A15B1CDE758528B27326
Reporter r3dbU7z
Tags:exe younglotus

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1433.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-11 09:00:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b97b368-8f89-4eb5-8d6d-7d77778bad4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116725/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader25.16839.8549.7576.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file
Creating a service
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Adding an access-denied ACE
Sending a custom TCP request
Sending a UDP request
Enabling autorun for a service
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/605536
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/951f412449f8469a97ae025871d3ed16e10b74015f1652e98dce3e956b991627/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2017-08-05 01:23:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a64802e01d94712cb6daf8339296b78cf0a7a81251e80937d01d975b31938dc
YoungLotus
444a3fc4d9a6d2c9c575cdaea0b681c81b83d2fde1b16e151ac38f130bd025b8
YoungLotus
5c4e6eecbe723e4e904cdf8b9216fff10e1ca13de98d99e170b5090946770c21
YoungLotus
6ab3c98c93e0973a6d291313199fb6afb3ee259509f1282acaa4673687b6880b
YoungLotus
8b0b997df4882199524434c36242f97d3af8a459f02b2432b65e21780549a537
YoungLotus
8f7ff10567c83a5775c6029b9d9986c97fd0d31dcdeb028d44734f3be5547c97
YoungLotus
b51b8c284864ea55b1d11eeaa556e8a33edf02a133422cedaaa5dd6c4fbc01f5
YoungLotus
d05821af6ec028f7f37738d83f4628e7dfbee77f7603478a5c13da68744794d9
YoungLotus
d6fbd0290c17928e93ceff77d1cecf13894a6fcafb8fe1c67ab2d0f387973429
YoungLotus
dde7e89ba6965c2cebe16c2949727280444e7a29cedc815c327c1bdd7da9fbcd
YoungLotus
+ 276 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210211-m6vdjk83nx/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Drops file in System32 directory
Executes dropped EXE
Unpacked files
SH256 hash:
294fb0ded1382e77b72011e93b2ad2f064c6cfd9091d7ebc03054c104a6f2316
MD5 hash:
79cc2678e088969b36ca33cfb1548a21
SHA1 hash:
8504243f82c4ce296c28832482a04c67fcef7090
Detections:
win_younglotus_g0
Create hunting rule
win_younglotus_auto
Create hunting rule
Link:
https://www.unpac.me/results/e0385852-cd93-4ab8-b25b-40744f13e873/
SH256 hash:
951f412449f8469a97ae025871d3ed16e10b74015f1652e98dce3e956b991627
MD5 hash:
4463cd67ccaef1c8496a5d0c65db50ef
SHA1 hash:
e6ed73c940afc296fb3882c4f99fb78a2b6a178a
Link:
https://www.unpac.me/results/e0385852-cd93-4ab8-b25b-40744f13e873/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/951f412449f8469a97ae025871d3ed16e10b74015f1652e98dce3e956b991627

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_younglotus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_younglotus_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/116725/

Comments