MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe5a7e03d6d57dae9d1eb74e5a1d837a04ac3c9c9822e1ee26c6a586c6a7342. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YoungLotus


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfe5a7e03d6d57dae9d1eb74e5a1d837a04ac3c9c9822e1ee26c6a586c6a7342
SHA3-384 hash: ccf2559ae9c87b8a8e333fa73287eb5f69670ab2e816549c790f0ffa70eab448bc41b5bb7b70e063cdc9034faa41f6fa
SHA1 hash: afcf8f1a476a69c5437f26f4f5fe9e804596384d
MD5 hash: c71bc644e5a8670940bb091f1e6f7002
humanhash: saturn-aspen-nine-minnesota
File name:vmp.exe
Download: download sample
Signature YoungLotus
Create hunting rule
File size:5'560'320 bytes
First seen:2021-05-04 04:47:06 UTC
Last seen:2021-05-04 05:53:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 66407d48a07473416c3881accab69aa1 (1 x YoungLotus)
ssdeep 98304:nHaZutELxnX125iYCpMEDD+SchEif9HRO3qCtyaiAb3xAaWeX1HYDW3kxQGY+WMQ:HaZkAnFVYA7D2EORshoAb3x4YHYaiQGu
Threatray 56 similar samples on MalwareBazaar
TLSH 0D46237711290145D0F6C93EC53BBED972F756374D81E8F8A4AAE9C22736EE0E102693
Reporter LittleRedBean2
Tags:exe younglotus

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149670/
Detection(s):
SecuriteInfo.com.Variant.Bulz.171391.28211.1149.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Sending a UDP request
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Banbra
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/709173
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Banbra
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 403509 Sample: vmp.exe Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Banbra 2->42 44 3 other signatures 2->44 7 Shennong.bat 2->7         started        10 vmp.exe 1 2 2->10         started        13 svchost.exe 2->13         started        15 10 other processes 2->15 process3 dnsIp4 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->50 52 Machine Learning detection for dropped file 7->52 54 Checks if browser processes are running 7->54 56 Drops executables to the windows directory (C:\Windows) and starts them 7->56 18 Shennong.bat 1 15 7->18         started        26 C:\Windows\SysWOW64\Shennong.bat, PE32 10->26 dropped 28 C:\Windows\...\Shennong.bat:Zone.Identifier, ASCII 10->28 dropped 58 Tries to detect debuggers by setting the trap flag for special instructions 10->58 60 Hides threads from debuggers 10->60 62 Changes security center settings (notifications, updates, antivirus, firewall) 13->62 22 MpCmdRun.exe 1 13->22         started        36 127.0.0.1 unknown unknown 15->36 file5 signatures6 process7 dnsIp8 30 users.qzone.qq.com 58.250.136.113, 443, 49722, 49723 UNICOM-SHENZHEN-IDCChinaUnicomGuangdongIPnetworkCN China 18->30 32 e1.luyouxia.net 103.205.6.44, 25645, 49720 CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba China 18->32 34 qq1218143595.e1.luyouxia.net 18->34 46 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->46 48 Hides threads from debuggers 18->48 24 conhost.exe 22->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfe5a7e03d6d57dae9d1eb74e5a1d837a04ac3c9c9822e1ee26c6a586c6a7342/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-05-04 04:48:09 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7s2pyb5nvl5v2or5n2olioyg6qevq6jzgbc4hxcnrvfq3dkonba._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270
YoungLotus
1b189602123e4dba4522d442877fb0862a8fbbc4cc6d187954ba27039bea7d9c
YoungLotus
2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c
YoungLotus
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
YoungLotus
2c9e0f6e90b663293874332acd2cab44b8a28011337c99e828e86e3b9d1585c2
YoungLotus
36cbc77a5caaf8f805bc7347ee4cd27657fca600ea5e202e633aca7a09d73297
YoungLotus
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9
YoungLotus
a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4
YoungLotus
a761168b889a5c5ff56defeb1cedb786ffa90e3b61b6660cfc41e49b1ee638f0
YoungLotus
b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b
YoungLotus
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/210504-pdkea1mqye/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
d45becb92efbfe93644bb309402bb99dca7144cf9c5bff09b3b37e5259c497e6
MD5 hash:
1e236c7da3f5717d961a6ba2489edf72
SHA1 hash:
0ab78952c666988b7978b4ccc1824f853a6455a3
Detections:
win_younglotus_g0
Create hunting rule
win_younglotus_auto
Create hunting rule
Link:
https://www.unpac.me/results/537b7ae6-cfa0-449a-8c0f-f17e19efa8d4/
SH256 hash:
a9e71267cc9526f09f532cfe552f512df9b8f239cb06f3e85f1727ecaa2444fc
MD5 hash:
b22c4a37b68d073f4b41273d462855b3
SHA1 hash:
e1224af4dd4599447a0a69203690a01def56127b
Detections:
win_younglotus_g0
Create hunting rule
Link:
https://www.unpac.me/results/537b7ae6-cfa0-449a-8c0f-f17e19efa8d4/
SH256 hash:
bfe5a7e03d6d57dae9d1eb74e5a1d837a04ac3c9c9822e1ee26c6a586c6a7342
MD5 hash:
c71bc644e5a8670940bb091f1e6f7002
SHA1 hash:
afcf8f1a476a69c5437f26f4f5fe9e804596384d
Link:
https://www.unpac.me/results/537b7ae6-cfa0-449a-8c0f-f17e19efa8d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfe5a7e03d6d57dae9d1eb74e5a1d837a04ac3c9c9822e1ee26c6a586c6a7342

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_Mal1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_younglotus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

YoungLotus

Executable exe bfe5a7e03d6d57dae9d1eb74e5a1d837a04ac3c9c9822e1ee26c6a586c6a7342

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/149670/

Comments