MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b867428ec9adc7134924cf71e05558eb35a64e1ed17ada1d41788fa8a213ed84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
YoungLotus


Vendor detections: 5

SHA256 hash: b867428ec9adc7134924cf71e05558eb35a64e1ed17ada1d41788fa8a213ed84
SHA3-384 hash: 3d416296519c1ce07b41d1100ba80ce8981edd834bc3dfabaabcbbe59ce920bf771e43db66fec36be69e2085bcd68123
SHA1 hash: 95e70c362a9a4722970c0463ab2ea3383d48a0e4
MD5 hash: 6d6fed3f9b506274ca1c2ee202352e8a
humanhash: oklahoma-stream-pip-single
File name: 819bef37164cc34b33e5cf80359c0ea0
Signature: YoungLotus
File size: 2'990'080 bytes
First seen: 2020-11-17 12:47:40 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: fa02432f10515242cb30b2b09e85cdb0 (1 x YoungLotus)
ssdeep: 49152:jALwbBlvQA90ypoLZPOw4cmBTtlKIKruQW6sigz:2u0ypoLZi9BTtlhKyQWa
Threatray: 39 similar samples on MalwareBazaar
TLSH: 6AD59E02B1A1C0F2D2092531CC6EA7F5A6B5AF95CE218F83F3A4FD6D7C716915A33225
Reporter: seifreed
Tags: younglotus

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 101
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a process with a hidden window
Moving a file to the %temp% directory
Replacing files
Launching a process
Searching for the window
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Moving a file to the Windows subdirectory
Sending a custom TCP request
Enabling autorun for a service
Unauthorized injection to a system process
Threat name: Win32.PUA.FlyStudio
Status: Malicious
First seen: 2020-11-17 12:51:44 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 1/5

Result
Malware family: n/a
Score: 9/10
Tags: persistence upx
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Modifies service
Executes dropped EXE
UPX packed file
ServiceHost packer
Unpacked files

SHA256 hash: b867428ec9adc7134924cf71e05558eb35a64e1ed17ada1d41788fa8a213ed84
MD5 hash: 6d6fed3f9b506274ca1c2ee202352e8a
SHA1 hash: 95e70c362a9a4722970c0463ab2ea3383d48a0e4

SHA256 hash: e940ed1846221d1d76cb893af78c5211cf0ef939d32e90e4ad90417052d905a3
MD5 hash: d1c553650176a03f84904e09b14bba4a
SHA1 hash: c34c2953198487cf39002746b5f924bde16eb26d

SHA256 hash: c381975a53af9ff626d95391cf6108a7ccdcb7ab6e1f30d3d0b7704701c8aec9
MD5 hash: 3674d5a6b0b00c11ef1bb412155306b7
SHA1 hash: 934cefd2699042bf5085805d1086d33ae39949ba

SHA256 hash: fcd0bf1d5ad0c159d3a44b17ee1bbd5fd9b2b3cd8a4fdb96a8c912a9c4de77cf
MD5 hash: 18e0cbfcabead5a81fa9799adc7cb2e1
SHA1 hash: 9f75f47708302190bbc5bc7465cb265aa88c9b24

SHA256 hash: e6d9ffd36241b41dbfe11ec6d0c4465bcefd7c2b041f2ab95ef975013cfaaabe
MD5 hash: 4df8afc3ea0e42163b1bc98de50ccb74
SHA1 hash: b15ae5db78a5f98932e85fdc34392a3144534eb6

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other