Analysis
- max time kernel: 41s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-06-2022 04:23

Static task: static1
Behavioral task: behavioral1
- Sample: 7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
0 signatures, 0 seconds
General
- Target: 7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe
- Size: 4.0MB
- MD5: 9b38f8f3b26a75b6e13b73a366b61abb
- SHA1: cc748fb9e5816df5b6e4e5f307bb7b60989c1f9b
- SHA256: 7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de
- SHA512: 0d15e67c0c07bfe25e41ed35617dfe8cc169edf452559a3212d85f42cd596db0ebe7d060beb2b0b4819db001415cbbcc5057a669776218dc739d66d85cfd046c
Malware Config

Signatures
- YTStealer payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1960-54-0x0000000000F00000-0x0000000001CC8000-memory.dmp | family_ytstealer
  behavioral1/memory/1960-56-0x0000000000F00000-0x0000000001CC8000-memory.dmp | family_ytstealer
- (untitled signature; yara_rule: upx, 2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1960-54-0x0000000000F00000-0x0000000001CC8000-memory.dmp | upx
  behavioral1/memory/1960-56-0x0000000000F00000-0x0000000001CC8000-memory.dmp | upx
- Deletes itself (1 IoC)
  Processes:
  pid | Process
  764 | cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | Process
  1960 | 7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe
  1960 | 7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 1960 wrote to memory of 764 | 1960 | 7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe | 29
  PID 1960 wrote to memory of 764 | 1960 | 7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe | 29
  PID 1960 wrote to memory of 764 | 1960 | 7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe | 29
  PID 764 wrote to memory of 1164 | 764 | cmd.exe | 31
  PID 764 wrote to memory of 1164 | 764 | cmd.exe | 31
  PID 764 wrote to memory of 1164 | 764 | cmd.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe"
   PID: 1960
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe
      PID: 764
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\choice.exe
         Command line: choice /C Y /N /D Y /T 0
         PID: 1164
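The process tree above is the whole behavioral story of this run: the sample (PID 1960) spawns cmd.exe (PID 764) with a `choice /C Y /N /D Y /T 0 &Del <own path>` command line, cmd.exe spawns choice.exe (PID 1164) for the delay, and then deletes the original binary. A running executable's image file is locked on Windows, so the `Del` only succeeds once the parent has exited; `choice` with `/D Y /T 0` is simply a way to auto-answer and return immediately. The six WriteProcessMemory IoCs pair exactly with the two process creations (1960 into 764, 764 into 1164), which is what a parent writing to a freshly created child looks like, so the self-delete command line is the more distinctive hunting signal. Below is an added detection example (not code from the sandbox or the report, and not part of the original page) that runs over constructed process-creation events: PIDs 1960, 764 and 1164 and their command lines follow the tree above, while the pids 1, 1000, 1500, 2000, 3000, 3001 and the setup.exe, setup.log and dropper.exe entries are invented for contrast. It flags any cmd.exe child whose `del`/`erase` target is its parent's own image, and generalizes past `choice` to the `timeout`, `ping` and `sleep` delay idioms.

```python
import ntpath
import re

# Constructed process-creation events (not taken from the sandbox report's own
# event log); fields mirror a Sysmon Event ID 1 / EDR process-start record.
# pids 1960/764/1164 follow the tree in the report; pids 1, 1000, 1500, 2000,
# 3000, 3001 and the setup.exe/setup.log/dropper.exe entries are invented.
EVENTS = [
    {"pid": 1960, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe"'},
    {"pid": 764, "ppid": 1960, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\7232f4353c71d5937cac64600fc01804f354603b5d1086921cfda57b0649a1de.exe"},
    {"pid": 1164, "ppid": 764, "image": r"C:\Windows\system32\choice.exe",
     "cmdline": "choice /C Y /N /D Y /T 0"},
    # Benign: an installer removing a log file, not its own image.
    {"pid": 1500, "ppid": 1, "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Program Files\Vendor\setup.exe" /S'},
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Users\Admin\AppData\Local\Temp\setup.log"},
    # Same trick, different dressing: ping as the delay, del with switches and a quoted path.
    {"pid": 3000, "ppid": 1, "image": r"C:\Users\Admin\Downloads\dropper.exe",
     "cmdline": r"C:\Users\Admin\Downloads\dropper.exe"},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul && del /f /q "C:\Users\Admin\Downloads\dropper.exe"'},
]

# Leading "cmd.exe /C " or "cmd /K " (optionally quoted, optionally with a path) to strip.
CMD_PREFIX = re.compile(r'^\s*"?(?:[^"]*[\\/])?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
DELAY_CMDS = ("choice", "timeout", "ping", "sleep")


def segments(cmdline):
    """Split a cmd.exe command line into the commands it runs in sequence (&, &&, |, ||)."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    return [s.strip() for s in re.split(r"&&|\|\||[&|]", body) if s.strip()]


def deleted_paths(cmdline):
    """Return every path argument of a del/erase command in the command line."""
    paths = []
    for seg in segments(cmdline):
        m = re.match(r"^(?:del|erase)\s+(.*)$", seg, re.I)
        if not m:
            continue
        for tok in re.findall(r'"[^"]+"|\S+', m.group(1)):
            if not tok.startswith("/"):        # skip /f /q /a ... switches
                paths.append(tok.strip('"'))
    return paths


def has_delay(cmdline):
    """True if any command in the chain is a choice/timeout/ping/sleep 'wait for parent exit' idiom."""
    return any(seg.split()[0].lower() in DELAY_CMDS for seg in segments(cmdline))


def norm(path):
    """Case-insensitive, separator-normalized comparison key for a Windows path."""
    return ntpath.normcase(ntpath.normpath(path.strip('"')))


def find_self_deletion(events):
    """Flag cmd.exe children whose del/erase target is the parent process's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        targets = {norm(p) for p in deleted_paths(e["cmdline"])}
        if norm(parent["image"]) in targets:
            hits.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"],
                         "deleted_image": parent["image"],
                         "delayed": has_delay(e["cmdline"])})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print(hit)
```

Matching on the parent's image path rather than on the literal `choice /C Y /N /D Y /T 0` string is the design choice here: the delay command and its switches vary between samples, but the delete target equalling the parent image does not, and the benign `del` of a log file by an installer is left alone.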