MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YoungLotus


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
SHA3-384 hash: a4c3ccf7ae49824983420bfaf4ca84ea5f7326a9c79e5f820ecc538380723e56f0f9c98924e820449c890fe0a53cbf2e
SHA1 hash: ad4135e142b3e9564d90d96eca0c21e17f0de542
MD5 hash: 3d3aedfaeaf39544ff74fe6fe4541fc2
humanhash: edward-connecticut-jupiter-kansas
File name:3d3aedfaeaf39544ff74fe6fe4541fc2
Download: download sample
Signature YoungLotus
Create hunting rule
File size:46'592 bytes
First seen:2024-06-30 05:06:18 UTC
Last seen:2024-06-30 05:22:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G
Threatray 25 similar samples on MalwareBazaar
TLSH T15C23E15B53164362F8F2337A934ACB51898CF858E49EC70038E0A45DEEB5A84D3EC736
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe UPX younglotus

Intelligence

File Origin
# of uploads :
2
# of downloads :
426
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen28.63414.24129.23403.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6680e8097d0a7ff58bc78b09win10vpnfull_triage
Tags:
Execution Generic Network Stealth Zegost
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Launching the process to change the firewall settings
Creating a process with a hidden window
Launching the process to change network settings
Searching for synchronization primitives
Launching a service
Creating a service
Creating a process from a recently created file
Connection attempt to an infection source
Launching a process
Creating a window
Possible injection to a system process
Blocking the Windows Defender launch
Enabling autorun for a service
Moving of the original file
Query of malicious DNS domain
Enabling autorun
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Labled as:
Mint.Zard.Generic
Link:
https://www.hybrid-analysis.com/sample/d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Gh0st RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c43fd1d9-4d94-46df-a900-2126a9c9ad02
Result
Threat name:
BlackMoon
Create hunting rule
Detection:
malicious
Classification:
rans.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1464793
Signature
Adds new windows firewall policy
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Downloads files with wrong headers with respect to MIME Content-Type
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain checking for user administrative privileges
Found stalling execution ending in API Sleep call
Found strings related to Crypto-Mining
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Yara detected BlackMoon Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1464793 Sample: npsPf7NXA2.exe Startdate: 30/06/2024 Architecture: WINDOWS Score: 100 87 web.4i7i.com 2->87 89 web.362-com.com 2->89 91 8 other IPs or domains 2->91 97 Snort IDS alert for network traffic 2->97 99 Multi AV Scanner detection for domain / URL 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 7 other signatures 2->103 9 npsPf7NXA2.exe 4 3 2->9         started        13 mscorsvw.exe 20 2->13         started        16 svchost.exe 2->16         started        signatures3 process4 dnsIp5 79 C:\Windows\Microsoft.NET\...\mscorsvw.exe, PE32 9->79 dropped 81 C:\Windows\...\mscorsvw.exe:Zone.Identifier, ASCII 9->81 dropped 115 Found strings related to Crypto-Mining 9->115 117 Uses netsh to modify the Windows network and firewall settings 9->117 119 Adds new windows firewall policy 9->119 121 Modifies the windows firewall 9->121 18 svchost.exe 9->18         started        23 netsh.exe 2 9->23         started        25 netsh.exe 2 9->25         started        33 8 other processes 9->33 95 cl-gl6dcaf7d1.gcdn.co 81.28.12.12, 49732, 80 TCU-COM-ASTCUComisanISPcompanyThemainbusinessdire Russian Federation 13->95 83 C:\Windows\SysWOW64\config\...\445[1].jpg, PE32 13->83 dropped 85 C:\Windows\4455.exe, PE32 13->85 dropped 123 Multi AV Scanner detection for dropped file 13->123 125 Found stalling execution ending in API Sleep call 13->125 127 Drops executables to the windows directory (C:\Windows) and starts them 13->127 27 4455.exe 13->27         started        29 mscorsvw.exe 13->29         started        35 33 other processes 13->35 31 WerFault.exe 16->31         started        37 31 other processes 16->37 file6 signatures7 process8 dnsIp9 93 hook.ftp21.cc 211.108.60.155, 49736, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 18->93 69 C:\Windows\Temp\MpMgSvc.exe, PE32 18->69 dropped 71 C:\Windows\Temp\Hooks.exe, PE32 18->71 dropped 73 C:\Windows\SysWOW64\config\...\MpMgSvc[1].jpg, PE32 18->73 dropped 75 C:\Windows\SysWOW64\config\...\Hooks[1].jpg, PE32 18->75 dropped 105 System process connects to network (likely due to code injection or exploit) 18->105 107 Contains functionality to detect sleep reduction / modifications 18->107 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        77 C:\Windows\Logs\RunDllExe.dll, PE32+ 27->77 dropped 109 Multi AV Scanner detection for dropped file 27->109 111 Found evasive API chain checking for user administrative privileges 27->111 43 netsh.exe 27->43         started        45 netsh.exe 27->45         started        51 7 other processes 27->51 47 WerFault.exe 29->47         started        113 Drops executables to the windows directory (C:\Windows) and starts them 31->113 53 8 other processes 33->53 55 3 other processes 35->55 49 conhost.exe 37->49         started        file10 signatures11 process12 process13 57 conhost.exe 43->57         started        59 conhost.exe 45->59         started        61 conhost.exe 51->61         started        63 conhost.exe 51->63         started        65 conhost.exe 51->65         started        67 3 other processes 51->67
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2024-06-21 08:09:59 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ctzrnph543v6zaoj5hsgkni4qgg5jgz6zoompkrh7a3acwr3jyq._file
Verdict:
malicious
Similar samples:
123708c94dfdaa113b728c02279cc353a9e51405f12a1b4a724d14578d40ef54
YoungLotus
1ea1a7e89ed12f1da22fe246c4238f89c2fb63487d54ff2ab10e1dffc6ac1fb9
YoungLotus
1ee0cf0204f6f3967b405450d9153552512aa68c85fabab509fdedd27f85f1df
YoungLotus
28225c5622637cdaed8342e14560e8de7b53dd6ba145d973643fc4b5bdd67b75
YoungLotus
87acb80c8127897c186bb0fadfa3d915a8c6ef89823cfabcd1b6e8e54d66cd90
YoungLotus
8df11bc47c07352f2052b8f1c2edd21d0d3c5267bd5d9c8427ae8443498c6ced
YoungLotus
b3b62af91e165a60821497476e5ad7b4a1f97231da74b2f4601b62f139cfdcb4
YoungLotus
ba0abd1154d7aa9cca0c3b57aacb600e95a35f1ecb9869b9f476f79171966c5c
YoungLotus
f8105c176cdb46bb1feeaf74ea310272dbca379bd82de975b9ab7ac6974af060
YoungLotus
ff74910fadbf214950608806110debda7a3728df1cdfc60beeec74b74317ead8
YoungLotus
+ 15 additional samples on MalwareBazaar
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:blackmoon family:gh0strat banker discovery evasion persistence privilege_escalation rat trojan upx
Link:
https://tria.ge/reports/240630-frzjdstgjd/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Drops file in Windows directory
Suspicious use of SetThreadContext
Creates a Windows Service
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unexpected DNS network traffic destination
Boot or Logon Autostart Execution: Port Monitors
Downloads MZ/PE file
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
Creates a large amount of network flows
Blackmoon, KrBanker
Detect Blackmoon payload
Gh0st RAT payload
Gh0strat
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f51052d3-f88d-4ecf-9ccc-eb30e0a3f67d
Unpacked files
SH256 hash:
f8f0e1646a40813d516c11428afc508732f416732f76fe1d6627ccba8410340d
MD5 hash:
e6374741a897ffa54d1c8cdd8812152d
SHA1 hash:
17d83b473f5b67a1dd4f45b70ceb9827af7dbfe2
Detections:
win_younglotus_g0
Create hunting rule
win_younglotus_auto
Create hunting rule
check_installed_software
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Link:
https://www.unpac.me/results/5644f708-d0be-48db-8dfd-fe36c5aae65c/
SH256 hash:
ee13f49654b8f33b400d8efce9d2541885e38ac8c896fb7a2b4261c77fc52d29
MD5 hash:
a23ac981b9fdd90b4d5e3e6e19b1e159
SHA1 hash:
ce064380cd2db9d844c32daee432d86b1d479ef5
Link:
https://www.unpac.me/results/5644f708-d0be-48db-8dfd-fe36c5aae65c/
SH256 hash:
92b74f0ee5b54b9c7c179cb7cfb857eccfdeffdd73dbb0d04a76fa2a00e4db46
MD5 hash:
1af8d7d2077cb039dea1e69e8f96536d
SHA1 hash:
35e7f63230db6692d4ba7484869e9fb9cd3ee501
Link:
https://www.unpac.me/results/5644f708-d0be-48db-8dfd-fe36c5aae65c/
SH256 hash:
79fdd317eb8067be608149adca2890403e1139a4f872142ba93cdd0fd2939b35
MD5 hash:
8a29316c0b52ac1540b4bbd7558e0427
SHA1 hash:
258b34c2a74e9ec3afe1d4ee7b800b82f042c611
Detections:
win_younglotus_g0
Create hunting rule
check_installed_software
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Link:
https://www.unpac.me/results/5644f708-d0be-48db-8dfd-fe36c5aae65c/
SH256 hash:
d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
MD5 hash:
3d3aedfaeaf39544ff74fe6fe4541fc2
SHA1 hash:
ad4135e142b3e9564d90d96eca0c21e17f0de542
Link:
https://www.unpac.me/results/5644f708-d0be-48db-8dfd-fe36c5aae65c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0a798b5e7ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:win_younglotus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.younglotus.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

YoungLotus

Executable exe d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2914056/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments


Avatar
zbet commented on 2024-06-30 05:06:19 UTC

url : hxxp://down.ftp21.cc/wmi.jpg