MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec694d5b05f7aa43e3e701e40686039a38d6827e5e944ba73de07f31da18d608. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YoungLotus

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ec694d5b05f7aa43e3e701e40686039a38d6827e5e944ba73de07f31da18d608
SHA3-384 hash:	f3d0245c6974a7603bf427d1f31c51dc628f890509a1b5679ca5c010c969a1f569baac9401a839f562d4016ba9f0f4c8
SHA1 hash:	5c2c9e20f5607534128265bbbd03794be01e9e1d
MD5 hash:	61a6445842bfd501f8e8c63a18e899cd
humanhash:	mexico-wisconsin-don-mobile
File name:	马尼拉公厕碎尸女教师！只因不愿做校长情人.cmd
Download:	download sample
Signature	YoungLotus Create hunting rule
File size:	1'835'008 bytes
First seen:	2021-09-22 00:32:52 UTC
Last seen:	2021-09-22 02:01:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e2afc946bb1a7942e18b4d1a8f444ebd (9 x YoungLotus, 2 x Nitol)
ssdeep	49152:ynIAkIbQy7h9Xk2rWL7jhzxpIa6Ed6kd8:QkIbBpsjzl6Ene
Threatray	31 similar samples on MalwareBazaar
TLSH	T114859D11AECC4CB2E2A73230455E777951ADF8606B3086C76394779DEC34BC16A3A39B
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	ActorExpose
Tags:	exe younglotus

Intelligence

File Origin

# of uploads :

2

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BackDoor.Farfli.131.6070.20741.UNOFFICIAL

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8878ea6c-2498-4132-b9ea-b1947de8946b

Result

Threat name:

Unknown

Detection:

malicious

Classification:

bank.spyw.evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/855268

Signature

Checks if browser processes are running

Contains functionality to capture and log keystrokes

Malicious sample detected (through community Yara rule)

Tries to evade analysis by execution special instruction which cause usermode exception

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec694d5b05f7aa43e3e701e40686039a38d6827e5e944ba73de07f31da18d608/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2021-09-22 00:33:05 UTC

AV detection:

20 of 45 (44.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ruu2wyf66vehy7hahsanbqdti4nnat6l2kexjz54b7tdwqy2yea._file

Verdict:

malicious

Similar samples:

18984d5f98b9d1955336d1838ff42f2837a1f79cd4ed6f407c94aa86274da706

1f7ec9ca2d023ebd99e86693932bf90d24efae626bc7510f1751a2b7c4599af1

40995428d8fcbe2da30dca08cd15228bb4b08a4dea38e78d71181d3fda5a4f42

5e4b70fa595cb17cba9e674ec3fa574d830b43d3a4b6b3417d8c8c243880e93c

87930e435af99eda9ad298493193b5ca78d4c3aeba7747158f2e983e8ee4445f

c2a2aaca2d8fd293bcaf00fc35be7c828fd2733be3805bfac24e0d6f4c52c3b9

c44ad28fc848a4ce9345b127f0bf84909539fb8cfaf14091190a46417107be76

c8605992ffb507e5f35424921c2efb8a3234005e559398637fd8104f6f0373c5

ce10ba646288c5d971b29dea47dddf38a2ed848ffd9e734c02e17a9cc5fc6055

+ 21 additional samples on MalwareBazaar

Result

Malware family:

chinese_generic_botnet

Score:

10/10

Tags:

family:chinese_generic_botnet botnet persistence

Link:

https://tria.ge/reports/210922-av7raaagg9/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Drops file in Program Files directory

Adds Run key to start application

Enumerates connected drives

Chinese Botnet Payload

Generic Chinese Botnet

Unpacked files

SH256 hash:

b7c9285cdaaef8c8f479f8e8d2f318d4924f14dddd6ccda58b73cedcddaa6404

MD5 hash:

7bbc49f3d0f8a10e94efa4dd1c84cf94

SHA1 hash:

66cdabeb120a61f8fe96ca9b6b5a5a3927edde9e

Detections:

win_younglotus_auto

Link:

https://www.unpac.me/results/0031d352-ec92-49cc-88d8-b31cedbd154a/

Parent samples :

ec694d5b05f7aa43e3e701e40686039a38d6827e5e944ba73de07f31da18d608
7e2a64b1518d22cdb493edbbbde9d69d3e81c2c4da3fc8bd3defd931b989ba8c

SH256 hash:

ec694d5b05f7aa43e3e701e40686039a38d6827e5e944ba73de07f31da18d608

MD5 hash:

61a6445842bfd501f8e8c63a18e899cd

SHA1 hash:

5c2c9e20f5607534128265bbbd03794be01e9e1d

Link:

https://www.unpac.me/results/0031d352-ec92-49cc-88d8-b31cedbd154a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/ec694d5b05f7aa43e3e701e40686039a38d6827e5e944ba73de07f31da18d608

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample