Analysis
  max time kernel:   45s
  max time network:  48s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         30-08-2022 01:49
Behavioral task: behavioral1
  Sample:    5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe
  Resource:  win7-20220812-en (windows7-x64)
  6 signatures, 300 seconds
General
  Target:  5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe
  Size:    4.0MB
  MD5:     dc52531c394cfa7c1e09f2e05cc57d03
  SHA1:    104be0615af4e7aaed5ee653ed63ce7ba87e5eae
  SHA256:  5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65
  SHA512:  4b8906210f1b2c8c878614bda2a02de9d3ce5e680d5f26d99c3aa869c6ed2060c61770ee6c7dfec0ce472267b83ad3028c1d5afb78ce48d1f2bc988d588ee7af
  SSDEEP:  98304:UHW5fshQzuTwM0shXcByNK/mXJnWly3YRsDO7TWL1iI5TfVJJi:UhZwDzQM/mXZW3kOfWLQIR9JJi
Malware Config
Signatures

YTStealer payload  (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1848-54-0x0000000000D40000-0x0000000001B19000-memory.dmp  family_ytstealer
    behavioral1/memory/1848-57-0x0000000000D40000-0x0000000001B19000-memory.dmp  family_ytstealer

  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1848-54-0x0000000000D40000-0x0000000001B19000-memory.dmp  upx
    behavioral1/memory/1848-57-0x0000000000D40000-0x0000000001B19000-memory.dmp  upx
Reads user/profile data of web browsers  (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses  (2 IoCs)
  Processes:
    pid   process
    1848  5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe
    1848  5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe

Suspicious use of WriteProcessMemory  (6 IoCs)
  Processes:
    description                    pid   process                                                                target process
    PID 1848 wrote to memory of 1068  1848  5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe  cmd.exe
    PID 1848 wrote to memory of 1068  1848  5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe  cmd.exe
    PID 1848 wrote to memory of 1068  1848  5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe  cmd.exe
    PID 1068 wrote to memory of 596   1068  cmd.exe                                                                choice.exe
    PID 1068 wrote to memory of 596   1068  cmd.exe                                                                choice.exe
    PID 1068 wrote to memory of 596   1068  cmd.exe                                                                choice.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\5bea09608f815c54c80389a46f87b8de4731dba9808e0833f7cc112c89e84b65.exe
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\choice.exe
         Command line: choice /C Y /N /D Y /T 0