MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3cd7a6ace2b75e39ea2a4ff5a3e4e27c840dc32606cd74990224814b2d3ac9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YoungLotus


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3cd7a6ace2b75e39ea2a4ff5a3e4e27c840dc32606cd74990224814b2d3ac9d
SHA3-384 hash: f45ea75b472edfc67e1dd17ae43974677a64cbf668675830aae17d5dea28f4746517cee4f176df9d9072d16c9cbe43a4
SHA1 hash: 83b1ede8c8f10b92d7296d375fb0612e0b080da3
MD5 hash: 3632599571a4d48730d07a09343d1bde
humanhash: august-jig-white-sad
File name:3632599571a4d48730d07a09343d1bde.dll
Download: download sample
Signature YoungLotus
Create hunting rule
File size:110'592 bytes
First seen:2023-02-26 18:59:33 UTC
Last seen:2023-02-26 20:27:21 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash efbedc2d31c01d615e0f9cc07136a4ad (1 x YoungLotus)
ssdeep 1536:Oh3MU/5bLDCMtm/ejs5x2WcHG82RqNoRKV2KoyqkvILnzZh/Qz6r:mt5bLDtm/ejs5xqHG82RWqWILzZRQO
Threatray 16 similar samples on MalwareBazaar
TLSH T1F5B36A82F58600FAD74A067534BE33329678A9550FF08F979F56EFAD2C23183AD79241
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b03970f072fca480 (1 x YoungLotus)
Reporter abuse_ch
Tags:dll younglotus

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369865/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.6416.30237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/63fbac35885563d6c8bc0eee/reports/faa8a19a-90ff-4a5d-be16-2145f6d1bb6a/overview
Verdict:
Malicious
Labled as:
Trojan.Antavmu
Link:
https://www.hybrid-analysis.com/sample/a3cd7a6ace2b75e39ea2a4ff5a3e4e27c840dc32606cd74990224814b2d3ac9d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfea1ee0-0456-46b9-a8b6-ed4231a9f080
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182751
Signature
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3cd7a6ace2b75e39ea2a4ff5a3e4e27c840dc32606cd74990224814b2d3ac9d/
Threat name:
Win32.Trojan.Antavmu
Create hunting rule
Status:
Malicious
First seen:
2023-02-26 19:00:10 UTC
File Type:
PE (Dll)
Extracted files:
5
AV detection:
8 of 25 (32.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=upgxu2wofn26hhvcut7vupsoe7eebxbsmbwnosmqejebjmwtvsoq._file
Verdict:
malicious
Similar samples:
2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4
YoungLotus
6e406696172c35ffeb20528df4a002746a6c8c01016c33530b7d7d210ad8ebfc
YoungLotus
6edcd6a56400375b8f349a96f1ec0fc03c6b4f26c6f12ed2cfb032744fb9b929
YoungLotus
af7ba44606b943ddb885c2a225e5e91c17cd15c8ca7f26ac90e7331c3f4094d2
YoungLotus
c3c655e28a4fc1b268ea9f755c8a4c2418b713f2abc641c30519c4ca641d84b8
YoungLotus
d5aa8ca98c65f958cea8f4a831a15ca2af8c375277a06584ba0d786e919db43c
YoungLotus
e52af19dce25d51f9cf258613988b8edc583f7c7e134d3e1b834d9aab9c7c4c4
YoungLotus
ec0dcfe2d8380a4bafadb3ed73b546cbf73ef78f893e32202042a5818b67ce56
YoungLotus
f1412515481a806ff3350065c8fc0c4c667b1545738deadbf5a1e18291147e48
YoungLotus
+ 6 additional samples on MalwareBazaar
Result
Malware family:
fatalrat
Create hunting rule
Score:
  10/10
Tags:
family:fatalrat infostealer rat
Link:
https://tria.ge/reports/230226-xnm5mahf9v/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Fatal Rat payload
FatalRat
Unpacked files
SH256 hash:
a3cd7a6ace2b75e39ea2a4ff5a3e4e27c840dc32606cd74990224814b2d3ac9d
MD5 hash:
3632599571a4d48730d07a09343d1bde
SHA1 hash:
83b1ede8c8f10b92d7296d375fb0612e0b080da3
Link:
https://www.unpac.me/results/6b164f6f-5eba-4fad-81d6-c1098f2c8bf5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a3cd7a6ace2b75e39ea2a4ff5a3e4e27c840dc32606cd74990224814b2d3ac9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:win_fatal_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.fatal_rat.
Rule name:win_fatal_rat_w0
Create hunting rule
Author:AT&T Alien Labs
Description:Detects FatalRAT, unpacked malware.
Reference:https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369865/

Comments