ytstealer | 19fcb9180dac41b26fde9e8bc55cde777a170131adb5075222004d71d33aaecd

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
20/07/2022, 07:28

Target

19FCB9180DAC41B26FDE9E8BC55CDE777A170131ADB5075222004D71D33AAECD.exe
Size

4.0MB
MD5

188a2cf52285fc1de5d6049eb62b2b3a
SHA1

cd36dd0cc3a94cad8c1543fe0ad8dc711733a38b
SHA256

19fcb9180dac41b26fde9e8bc55cde777a170131adb5075222004d71d33aaecd
SHA512

92dc3a3e1017fd9d9be82f193981dc69835584d7724d98ad152cfa315d8670d0b5982ebc4490e336df75f4c48dff82a4a3006ba309e403f15eb713d594c83feb

Score

10^/10

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2024-54-0x00000000001A0000-0x0000000000F68000-memory.dmp	family_ytstealer
behavioral1/memory/2024-57-0x00000000001A0000-0x0000000000F68000-memory.dmp	family_ytstealer

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2024-54-0x00000000001A0000-0x0000000000F68000-memory.dmp	upx
behavioral1/memory/2024-57-0x00000000001A0000-0x0000000000F68000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2024	19FCB9180DAC41B26FDE9E8BC55CDE777A170131ADB5075222004D71D33AAECD.exe
2024	19FCB9180DAC41B26FDE9E8BC55CDE777A170131ADB5075222004D71D33AAECD.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1084	2024	19FCB9180DAC41B26FDE9E8BC55CDE777A170131ADB5075222004D71D33AAECD.exe	29
PID 2024 wrote to memory of 1084	2024	19FCB9180DAC41B26FDE9E8BC55CDE777A170131ADB5075222004D71D33AAECD.exe	29
PID 2024 wrote to memory of 1084	2024	19FCB9180DAC41B26FDE9E8BC55CDE777A170131ADB5075222004D71D33AAECD.exe	29
PID 1084 wrote to memory of 892	1084	cmd.exe	31
PID 1084 wrote to memory of 892	1084	cmd.exe	31
PID 1084 wrote to memory of 892	1084	cmd.exe	31

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/2024-54-0x00000000001A0000-0x0000000000F68000-memory.dmp

Filesize
13.8MB

Download
memory/2024-57-0x00000000001A0000-0x0000000000F68000-memory.dmp

Filesize
13.8MB

Download