Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
27-07-2022 06:36
Behavioral task
behavioral1
Sample
D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe
Resource
win7-20220718-en
windows7-x64
7 signatures
300 seconds
General
-
Target
D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe
-
Size
4.0MB
-
MD5
e0e07a35ff1497561b199c9e7545525b
-
SHA1
c34279d7d225ec347ae6c2393bd529825688b39d
-
SHA256
d8ef7cd835e91b48c79e4399d3c0f62bff81f89b9214a21b389338589a88144a
-
SHA512
51ece1be7136d7add05f4e069932153f2b472903375ca2827ab6e6cca64e68215d46f7ffea8db2c0d63efdac887192d0fd972ba096a387824e3f9bfff5c0a6b9
Malware Config
Signatures
-
YTStealer payload 2 IoCs
resource yara_rule behavioral1/memory/1044-54-0x00000000003A0000-0x0000000001179000-memory.dmp family_ytstealer behavioral1/memory/1044-57-0x00000000003A0000-0x0000000001179000-memory.dmp family_ytstealer -
resource yara_rule behavioral1/memory/1044-54-0x00000000003A0000-0x0000000001179000-memory.dmp upx behavioral1/memory/1044-57-0x00000000003A0000-0x0000000001179000-memory.dmp upx -
Deletes itself 1 IoCs
pid Process 1716 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1044 D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe 1044 D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1044 wrote to memory of 1716 1044 D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe 28 PID 1044 wrote to memory of 1716 1044 D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe 28 PID 1044 wrote to memory of 1716 1044 D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe 28 PID 1716 wrote to memory of 1136 1716 cmd.exe 30 PID 1716 wrote to memory of 1136 1716 cmd.exe 30 PID 1716 wrote to memory of 1136 1716 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe"C:\Users\Admin\AppData\Local\Temp\D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\D8EF7CD835E91B48C79E4399D3C0F62BFF81F89B9214A21B389338589A88144A.exe2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 03⤵PID:1136
-
-