MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd33339094e362e41135ae4852277a3f02f04c4ca89293d1981eb7bdd3a8474b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YoungLotus


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd33339094e362e41135ae4852277a3f02f04c4ca89293d1981eb7bdd3a8474b
SHA3-384 hash: 13446a831e5c4c02ae1c8dba31ddc238e9e427ec5c097f812c6c947d631703086a543036778d57a6f99a4aef14c5f034
SHA1 hash: 6e53d112f368617af66692fb72251ed734698410
MD5 hash: 2f1725a2bfa9acc2977a5cb5a115f454
humanhash: paris-west-mike-xray
File name:2f1725a2bfa9acc2977a5cb5a115f454
Download: download sample
Signature YoungLotus
Create hunting rule
File size:200'707 bytes
First seen:2022-07-22 23:40:44 UTC
Last seen:2022-07-23 00:38:03 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c0619bc0db8c7ebcb896207338eb481d (1 x YoungLotus)
ssdeep 3072:nwHJkDq5vkMqaL3y3zyj+Mkwa2j7OHQmvFP+JAdY6PwVuAcUulzXnq95X:nwp2iLXNkmWwxJYY6PwuXq95X
Threatray 108 similar samples on MalwareBazaar
TLSH T1FB14D041B7E188B0D5BF123902B6895122BEBD549EF18E1FBFD4128E68710E09E75B73
TrID 29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
25.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
15.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter openctibr
Tags:dll OpenCTI.BR Sandboxed younglotus

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293512/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.Exebundle-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file
Creating a service
Launching a service
Searching for synchronization primitives
Moving a file to the Windows subdirectory
Replacing files
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed scar shell32.dll
Link:
https://www.filescan.io/uploads/62db360bf56fa6e45df8efc5/reports/956b263c-33e8-4f9a-827a-dda1cf88ebe3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97576c09-0df6-4b1b-8738-47884a551d99
Result
Threat name:
Young Lotus, Zegost
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1039513
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Connects to a pastebin service (likely for C&C)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Young Lotus
Yara detected Zegost
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 672007 Sample: zePuRkS1Xn Startdate: 23/07/2022 Architecture: WINDOWS Score: 100 63 pcwap.zzyumi.com 2->63 87 Antivirus detection for dropped file 2->87 89 Antivirus / Scanner detection for submitted sample 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 7 other signatures 2->93 11 loaddll32.exe 2 2->11         started        14 svchost.exe 2->14         started        17 svchost.exe 1 2->17         started        19 12 other processes 2->19 signatures3 process4 dnsIp5 61 C:\Windows\Header.exe, PE32 11->61 dropped 22 cmd.exe 1 11->22         started        24 Header.exe 15 11->24         started        107 Changes security center settings (notifications, updates, antivirus, firewall) 14->107 28 MpCmdRun.exe 1 14->28         started        109 System process connects to network (likely due to code injection or exploit) 17->109 65 127.0.0.1 unknown unknown 19->65 67 time.windows.com 19->67 30 csrss.exe 19->30         started        file6 signatures7 process8 dnsIp9 32 rundll32.exe 3 22->32         started        69 35hb.com 24->69 71 num3.17986.net 67.21.93.231, 49759, 49760, 80 ST-BGPUS United States 24->71 73 pastebin.com 172.67.34.170, 443, 49758, 49776 CLOUDFLARENETUS United States 24->73 95 Antivirus detection for dropped file 24->95 97 Multi AV Scanner detection for dropped file 24->97 36 cmd.exe 1 24->36         started        38 conhost.exe 28->38         started        signatures10 process11 file12 55 C:\Windows\tools.exe, PE32 32->55 dropped 85 Drops executables to the windows directory (C:\Windows) and starts them 32->85 40 tools.exe 3 1 32->40         started        45 Header.exe 15 32->45         started        47 tools.exe 32->47         started        49 conhost.exe 36->49         started        signatures13 process14 dnsIp15 75 pcwap.zzyumi.com 40->75 77 192.168.2.1 unknown unknown 40->77 57 C:\Windows\SysWOW64\28872875.bak (copy), PE32 40->57 dropped 59 C:\Program Files\Common Files\...\csrss.exe, PE32 40->59 dropped 99 Antivirus detection for dropped file 40->99 101 Multi AV Scanner detection for dropped file 40->101 103 Machine Learning detection for dropped file 40->103 105 2 other signatures 40->105 79 35hb.com 45->79 81 64.32.28.235, 49782, 80 ST-BGPUS United States 45->81 83 2 other IPs or domains 45->83 51 cmd.exe 1 45->51         started        file16 signatures17 process18 process19 53 conhost.exe 51->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd33339094e362e41135ae4852277a3f02f04c4ca89293d1981eb7bdd3a8474b/
Threat name:
Win32.Trojan.Siscos
Create hunting rule
Status:
Malicious
First seen:
2020-03-21 00:06:41 UTC
File Type:
PE (Dll)
Extracted files:
124
AV detection:
31 of 41 (75.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zuztheeu4nroiejvvzefej32h4bpatcmvcjjhumyd2333u5ii5fq._file
Verdict:
malicious
Similar samples:
32ed59ce4299490ce95d293f6304b1932873091fc0a3ec4db3052a89214245a7
YoungLotus
4cdabf346e79baa2efe9c70b359a1b4366b16e0de4aa4984d92aeb08ae2a71e8
YoungLotus
7e2d96a16f1c04dd0906f90ba3a827b55e35dc616ea21a6dfbd3c596f47b22c3
YoungLotus
b0e5fe8c3639e8e3777da2130157bb13b2ee8c99bd4929ed2d245e49ccee19c4
YoungLotus
bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90
YoungLotus
e6c357c2c7c70b4630dbdcd86df2d98ed28cbd47a9efcbf727fe0fdbc5d5fefa
YoungLotus
+ 98 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220722-3pegrsafa2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Creates a Windows Service
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
947c6e4de828a79da09b7990dd2a95a7a4d53bddca52228977350d1826a94b30
MD5 hash:
3ae9119db0a42f4e97e319b745183588
SHA1 hash:
b312f71f686158da8d1f11f02f73a4522948c15b
Link:
https://www.unpac.me/results/a75b6037-2920-4a8a-882e-205a927434b0/
SH256 hash:
e872fdf8d7f5ed8a12f2eb8206a6197e329e231794208ce891c9f9a5342c58bc
MD5 hash:
af28b29a05f234f819850c6be0764f2a
SHA1 hash:
39ae9641c6d15b6bb91d28c9e3460acef2f98410
Detections:
win_younglotus_g0
Create hunting rule
Link:
https://www.unpac.me/results/a75b6037-2920-4a8a-882e-205a927434b0/
SH256 hash:
cd33339094e362e41135ae4852277a3f02f04c4ca89293d1981eb7bdd3a8474b
MD5 hash:
2f1725a2bfa9acc2977a5cb5a115f454
SHA1 hash:
6e53d112f368617af66692fb72251ed734698410
Link:
https://www.unpac.me/results/a75b6037-2920-4a8a-882e-205a927434b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd33339094e362e41135ae4852277a3f02f04c4ca89293d1981eb7bdd3a8474b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293512/

Comments