
YoungLotus

aka: DarkShare

Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, particularly in the Chinese-language software ecosystem.

PE timestamps suggest that it came into existence in the second half of 2014.

Some versions check the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), and some versions perform simple AV process checks (CreateToolhelp32Snapshot).

References
2017-06-14 | Youtube (hasherezade) | hasherezade
Unpacking YoungLotus malware
YoungLotus
Yara Rules
[TLP:WHITE] win_younglotus_auto (20260504 | Detects win.younglotus.)
/*
 * Autogenerated detection rule for the YoungLotus (aka DarkShare) family.
 * Each $sequence_N string is a short run of x86 instruction bytes lifted from
 * the disassembly of memory dumps and unpacked samples (see DISCLAIMER below).
 * The "????" wildcards mask operand bytes that vary between builds -- call and
 * jump targets and data references, cf. signator_config. The rule fires when
 * at least 7 of the 16 sequences are present in a file smaller than
 * 106496 bytes (104 KiB).
 */
rule win_younglotus_auto {

    // Provenance metadata: who generated the rule, with which tool/config, and
    // which Malpedia snapshot it was derived from (the malpedia_* fields).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.younglotus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Per sequence: "n" is the number of instructions in the byte run and
    // "score" is the generator's ranking value (its exact semantics are not
    // documented here); sequences are listed in descending score order.
    // The disassembly column is left blank where the operand is wildcarded.
    strings:
        // 0x80000002 is the HKEY_LOCAL_MACHINE predefined key handle; the masked
        // call that follows is presumably a registry API -- confirm against a sample.
        $sequence_0 = { 6802000080 e8???????? 83c41c 6a01 }
            // n = 4, score = 1000
            //   6802000080           | push                0x80000002
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   6a01                 | push                1

        $sequence_1 = { eb02 ebc9 8b45f8 50 }
            // n = 4, score = 800
            //   eb02                 | jmp                 4
            //   ebc9                 | jmp                 0xffffffcb
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax

        $sequence_2 = { ff15???????? 8945d8 68???????? 8b55c8 52 ff15???????? 8945d0 }
            // n = 7, score = 800
            //   ff15????????         |                     
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   68????????           |                     
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

        // XORs a byte with the constant 0x19 and stores it at [ebp+8]+[ebp-4]:
        // looks like the body of a single-byte XOR decoding loop -- TODO confirm.
        $sequence_3 = { 3419 8b4d08 034dfc 8801 8b5508 }
            // n = 5, score = 800
            //   3419                 | xor                 al, 0x19
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034dfc               | add                 ecx, dword ptr [ebp - 4]
            //   8801                 | mov                 byte ptr [ecx], al
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        // Saves the fs:[0] SEH chain head and installs a new record, then
        // reserves a 0x130-byte frame (add esp, -0x130). This is a generic
        // compiler-emitted SEH prologue, so on its own it is weak evidence.
        $sequence_4 = { 64a100000000 50 64892500000000 81c4d0feffff 53 56 }
            // n = 6, score = 800
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   50                   | push                eax
            //   64892500000000       | mov                 dword ptr fs:[0], esp
            //   81c4d0feffff         | add                 esp, 0xfffffed0
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_5 = { 8d95a8faffff 52 ff15???????? 83c408 }
            // n = 4, score = 800
            //   8d95a8faffff         | lea                 edx, [ebp - 0x558]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_6 = { 51 68???????? 68???????? ff15???????? 83c408 }
            // n = 5, score = 800
            //   51                   | push                ecx
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_7 = { 8d85f8fdffff 50 68???????? 8d8df8fdffff 51 ff15???????? }
            // n = 6, score = 800
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   68????????           |                     
            //   8d8df8fdffff         | lea                 ecx, [ebp - 0x208]
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_8 = { 53 56 57 68???????? ff15???????? 8945dc 68???????? }
            // n = 7, score = 600
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   68????????           |                     
            //   ff15????????         |                     
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   68????????           |                     

        $sequence_9 = { 8d85e8feffff 68???????? 50 ff15???????? 6a01 }
            // n = 5, score = 400
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a01                 | push                1

        $sequence_10 = { 837c240c00 c706???????? 740f ff74240c 68???????? ff15???????? 8b442410 }
            // n = 7, score = 400
            //   837c240c00           | cmp                 dword ptr [esp + 0xc], 0
            //   c706????????         |                     
            //   740f                 | je                  0x11
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        $sequence_11 = { 50 ff15???????? 83c40c 8d85f8fdffff 6a00 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   6a00                 | push                0

        $sequence_12 = { 8b35???????? 8365fc00 8bf8 68???????? }
            // n = 4, score = 400
            //   8b35????????         |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8bf8                 | mov                 edi, eax
            //   68????????           |                     

        $sequence_13 = { 8bf8 8b45fc 33c9 6a04 }
            // n = 4, score = 400
            //   8bf8                 | mov                 edi, eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33c9                 | xor                 ecx, ecx
            //   6a04                 | push                4

        $sequence_14 = { e8???????? 8b45fc 83c40c 80cc10 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c40c               | add                 esp, 0xc
            //   80cc10               | or                  ah, 0x10

        // Two indirect calls through registers (eax, ebx); consistent with
        // function pointers resolved at runtime, but not conclusive on its own.
        $sequence_15 = { 51 ffd0 50 ffd3 }
            // n = 4, score = 400
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   50                   | push                eax
            //   ffd3                 | call                ebx

    // Any 7 of the 16 sequences must be present. The 104 KiB size cap targets
    // the unpacked payload the sequences were lifted from: a packed sample, or
    // the installer it ships inside (see the family description), may exceed
    // it and will then not match until the payload is extracted/unpacked.
    condition:
        7 of them and filesize < 106496
}