MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YoungLotus


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8
SHA3-384 hash: a14ef8af55498e357b330f1588843c1c5d1ce6ef78f2c18e1d6aefa75a5f79b7654711db4c6f927266af858a7d5d0417
SHA1 hash: 7a1ae2e8a75d01e269de4c2ad6067a4146593aac
MD5 hash: 95e5ca72df58cefa481b6b360bf7d5d3
humanhash: maine-violet-east-kansas
File name:95e5ca72df58cefa481b6b360bf7d5d3
Download: download sample
Signature YoungLotus
Create hunting rule
File size:585'728 bytes
First seen:2024-01-05 03:52:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8bd80946f485d704bb1a70a7c2516e7d (5 x YoungLotus)
ssdeep 6144:iV+u0bUDMT2EDFjj4bflswu/jtLFVgT/WOfrtNswrEH7fYP7cQKO+3Y1tMmbWs:Ob3MKbflsw0t5VgLWYtHraOz+3Y12wW
Threatray 6 similar samples on MalwareBazaar
TLSH T119C4BFA271E1C0F6C28651314E67EB76A3F6DAA40F225F8373E8CE1C79355829736325
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 2936968991d1cec6 (5 x YoungLotus)
Reporter zbetcheckin
Tags:32 exe younglotus

Intelligence

File Origin
# of uploads :
1
# of downloads :
415
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8.exe
Verdict:
No threats detected
Analysis date:
2024-01-05 04:11:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f779f2c8-c6b8-4cb4-9542-7c38734724c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469563/
Detection(s):
Win.Dropper.Gh0stRAT-9783913-0
Create hunting rule

Win.Trojan.Mikey-9862566-0
Create hunting rule

Win.Trojan.Mikey-9862598-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows directory
Searching for synchronization primitives
Сreating synchronization primitives
Searching for the window
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
farfli gh0strat hook keylogger lolbin packed shell32
Link:
https://www.filescan.io/uploads/65977d1fb4e856b72834b2bd/reports/71c5a111-26ff-4985-990d-d4185315f240/overview
Verdict:
Malicious
Labled as:
Trojan.Malware.Generic
Link:
https://www.hybrid-analysis.com/sample/fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3abc1116-ef14-4c3e-9e22-6a6e8373aca8
Result
Threat name:
n/a
Detection:
malicious
Classification:
bank.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370169
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2024-01-03 03:53:35 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7znokguxlrlunen3iopdnufclqvomsei7iv5qpixtjb3q3s5ylua._file
Verdict:
malicious
Similar samples:
33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889
YoungLotus
453196885b342bd95497c0a04f0fd781bd7015c2245aec1ec07e32e80b55b997
YoungLotus
b867428ec9adc7134924cf71e05558eb35a64e1ed17ada1d41788fa8a213ed84
YoungLotus
f11b08065089f6a0b1606264970e8addd187088be6df9b019d43360c6c0029b7
YoungLotus
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat persistence rat
Link:
https://tria.ge/reports/240105-ee4rxaaec2/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Adds Run key to start application
Gh0st RAT payload
Gh0strat
Unpacked files
SH256 hash:
fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8
MD5 hash:
95e5ca72df58cefa481b6b360bf7d5d3
SHA1 hash:
7a1ae2e8a75d01e269de4c2ad6067a4146593aac
Link:
https://www.unpac.me/results/270eedca-d052-4055-a274-cd1d35029b41/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NsPack29NorthStar
Create hunting rule
Author:malware-lu
Rule name:nSpackV2xLiuXingPing
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

YoungLotus

Executable exe fe5ae51a975c574691bb439e36d0a25c2ae64888fa2bd83d179a43b86e5dc2e8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/469563/

Comments


Avatar
zbet commented on 2024-01-05 03:52:03 UTC

url : hxxp://124.223.99.42:8888/Server.exe