Analysis
max time kernel: 165s
max time network: 187s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-08-2022 01:49
Behavioral task: behavioral1
Sample: 597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe
Resource: win7-20220812-en
Platform: windows7-x64
7 signatures
300 seconds
General
Target: 597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe
Size: 4.0MB
MD5: 9ce2ce9dddea6bdfc766203c302bcc09
SHA1: c6a3be4a57b6f3b2addec22026a2e0e7cedfb56d
SHA256: 597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f
SHA512: a7e86bd1d81422b6c0a161cb1636500a2a8ed78f48866079bacb55663fbc2279407f0ed4be76f846fc8e270b129a103adca6e5d48e07949ccbd18cd7c4deddf0
SSDEEP: 98304:gFursxfz5vXRAzn7LYzY1Zp/+I/UNvhcIF9X0VMZ5POavi:6GCzxRsn7E8+HfZHX0VMZ5Gaq
Malware Config

Signatures

YTStealer payload (1 IoC)
Processes:
  resource: behavioral2/memory/1336-122-0x00000000013E0000-0x00000000021B9000-memory.dmp
  yara_rule: family_ytstealer

Processes matching yara rule upx (2 IoCs):
  resource: behavioral2/memory/1336-120-0x00000000013E0000-0x00000000021B9000-memory.dmp
  yara_rule: upx
  resource: behavioral2/memory/1336-122-0x00000000013E0000-0x00000000021B9000-memory.dmp
  yara_rule: upx

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  1336  597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe
  1336  597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe
  1336  597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe
  1336  597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                          pid   process                                                                  target process
  PID 1336 wrote to memory of 2488     1336  597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe  cmd.exe
  PID 1336 wrote to memory of 2488     1336  597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe  cmd.exe
  PID 2488 wrote to memory of 2676     2488  cmd.exe                                                                  choice.exe
  PID 2488 wrote to memory of 2676     2488  cmd.exe                                                                  choice.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\597ea34e83fd4945907f9ef3bd934e3fc3ab28884e6f60b346529a3befd28d0f.exe
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\choice.exe
         command line: choice /C Y /N /D Y /T 0