MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e33a23357c21735f7c2c471aeecedbd7daf9c3cdf2908104bca26f14eef592a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YoungLotus
Vendor detections: 9

SHA256 hash: e33a23357c21735f7c2c471aeecedbd7daf9c3cdf2908104bca26f14eef592a3
SHA3-384 hash: 881edd0d0fff4a6e6b643fccf34a5f29f36b41af03f412357ca2f2199c7a4a0fdc3b3defebda555571533d46fb55465e
SHA1 hash: bede8f980adbc5e96eaeb617f144ea88a5ca9a74
MD5 hash: 6c49c225109e4aaf07e1f4aa2770d214
humanhash: sad-carolina-skylark-freddie
File name: 6c49c225109e4aaf07e1f4aa2770d214.exe
Signature: YoungLotus
File size: 1'722'368 bytes
First seen: 2021-03-22 07:11:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: edde0414dac6027c066f48d36f7f81dd (2 x YoungLotus)
ssdeep: 24576:RG1XhZG+pRbmmiZ/WdmWv5JI3GS2lU6ggX3YHB+UN1VceJv9gzWz3DCjnarrpm:RCG+pFZIamWfU2lUgZE1VczWbuKm
Threatray: 4 similar samples on MalwareBazaar
TLSH: 94853382E0C32E16DC2B2F3641C4D8BBC650D99AEC1676BD4960857EB3C8D6FD60ED16
Reporter: abuse_ch
Tags: exe younglotus

Intelligence

File Origin
# of uploads: 1
# of downloads: 128
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 6c49c225109e4aaf07e1f4aa2770d214.exe
Verdict: No threats detected
Analysis date: 2021-03-22 07:13:57 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Behaviour
Creating a process from a recently created file
Creating a file in the Windows directory
Creating a service
Launching a service
Launching a process
Moving a file to the Windows subdirectory
DNS request
Creating a file
Launching cmd.exe command interpreter
Sending a UDP request
Using the Windows Management Instrumentation requests
Searching for the window
Adding an access-denied ACE
Sending an HTTP GET request
Possible injection to a system process
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Enabling autorun for a service
Launching the process to interact with network services
Launching a tool to kill processes
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: ETERNALBLUE
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Drops batch files with force delete cmd (self deletion)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ETERNALBLUE
Behaviour
Behavior Graph: ID 372659, sample nmGAaaF18P.exe, start date 22/03/2021, architecture WINDOWS, score 100 [rendered behavior graph omitted]
Threat name: Win32.Exploit.ShadowBrokers
Status: Malicious
First seen: 2021-03-22 05:05:34 UTC
AV detection: 28 of 47 (59.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: evasion upx
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Loads dropped DLL
Executes dropped EXE
Stops running service(s)
UPX packed file
Unpacked files
SHA256 hash: f6d2e3e8f692485be9fc1f99f621bf12bdb67a8ff710a9c0cf42192dbdcc1b74
MD5 hash: e09550cd32c8cff0559318b45b99d952
SHA1 hash: f26fa9271e5a5bd0531c08fd478a5e1ae44ed0c0
Detections: win_younglotus_g0 win_younglotus_auto

SHA256 hash: 03768472bcc3b5e5476e02a5bf21b0075724a8c5eb1472df48559452392f0142
MD5 hash: 531a0818cf2f3564832d3c9502137450
SHA1 hash: 3a596de45830a2b0394e8b5d69637735cf5c5487

SHA256 hash: e9ed78b7993968901fcefff924ec0900204faefe942cb296c6759122f65e69d9
MD5 hash: 2fc520069d8f36d27aaa0c101c64cef7
SHA1 hash: a335fb15ce87e4589fd4cd9f74db4abfb602e4a4

SHA256 hash: ad05c3bbc42bd293f8994ce9c3c696179b4413fe63147ffe3a8cf141447143d6
MD5 hash: b21cec8827ce05bccf116d65e4b07ba0
SHA1 hash: e8c958475c2096eb1da5d99780d7e0b145dec090

SHA256 hash: e33a23357c21735f7c2c471aeecedbd7daf9c3cdf2908104bca26f14eef592a3
MD5 hash: 6c49c225109e4aaf07e1f4aa2770d214
SHA1 hash: bede8f980adbc5e96eaeb617f144ea88a5ca9a74
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_younglotus_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: YoungLotus
File type: Executable exe
SHA256 hash: e33a23357c21735f7c2c471aeecedbd7daf9c3cdf2908104bca26f14eef592a3 (this sample)