ytstealer | 66700485fd96ef2cba4e6a7089d34586d2330fa67b10ee51be9c3d1911ec53e7

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
20/07/2022, 07:59

Target

66700485FD96EF2CBA4E6A7089D34586D2330FA67B10EE51BE9C3D1911EC53E7.exe
Size

4.0MB
MD5

d557b2f69defa06f1a2f6eba633c8d35
SHA1

26b2bb7c101e1ccd03c6e579b47eecc3e258b5e8
SHA256

66700485fd96ef2cba4e6a7089d34586d2330fa67b10ee51be9c3d1911ec53e7
SHA512

f935e6227a19c316b54df412122852b0de0a190515454bf05692187b5a971a3a5dbe639450edea3c041ea58607afb486afc1e5922ca09d7f988e001b87e01608

Score

10^/10

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1940-54-0x0000000001340000-0x0000000002108000-memory.dmp	family_ytstealer
behavioral1/memory/1940-57-0x0000000001340000-0x0000000002108000-memory.dmp	family_ytstealer

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1940-54-0x0000000001340000-0x0000000002108000-memory.dmp	upx
behavioral1/memory/1940-57-0x0000000001340000-0x0000000002108000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1940	66700485FD96EF2CBA4E6A7089D34586D2330FA67B10EE51BE9C3D1911EC53E7.exe
1940	66700485FD96EF2CBA4E6A7089D34586D2330FA67B10EE51BE9C3D1911EC53E7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1884	1940	66700485FD96EF2CBA4E6A7089D34586D2330FA67B10EE51BE9C3D1911EC53E7.exe	28
PID 1940 wrote to memory of 1884	1940	66700485FD96EF2CBA4E6A7089D34586D2330FA67B10EE51BE9C3D1911EC53E7.exe	28
PID 1940 wrote to memory of 1884	1940	66700485FD96EF2CBA4E6A7089D34586D2330FA67B10EE51BE9C3D1911EC53E7.exe	28
PID 1884 wrote to memory of 1348	1884	cmd.exe	30
PID 1884 wrote to memory of 1348	1884	cmd.exe	30
PID 1884 wrote to memory of 1348	1884	cmd.exe	30

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1940-54-0x0000000001340000-0x0000000002108000-memory.dmp

Filesize
13.8MB

Download
memory/1940-57-0x0000000001340000-0x0000000002108000-memory.dmp

Filesize
13.8MB

Download