ytstealer | 8c0391f7670e8328b7c350bd9e144ecab2ab84434b15007b39ecf41d68d854aa

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/08/2022, 02:09

Target

8c0391f7670e8328b7c350bd9e144ecab2ab84434b15007b39ecf41d68d854aa.exe
Size

4.0MB
MD5

46c0d9c4e8db1eaf2687789644d39866
SHA1

6f2c69937950d0282b707e9e98247dce569b3fdc
SHA256

8c0391f7670e8328b7c350bd9e144ecab2ab84434b15007b39ecf41d68d854aa
SHA512

7b7235357b039b8d8e39455982194aba1544684eda6adf72559878fc8ddd33e24ee602f9ee29d89108b42ed9becb175a9d6f58e4a56067a688a999e6219b0f42
SSDEEP

98304:P12iEhf20tpcvJRdM+qi0gbGuB9/uFGYUxs15xaCRNL3VIx:PhO2mpcvJRXqHgbhYmGfd3V

Score

10^/10

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1544-54-0x00000000003A0000-0x0000000001168000-memory.dmp	family_ytstealer
behavioral1/memory/1544-57-0x00000000003A0000-0x0000000001168000-memory.dmp	family_ytstealer

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1544-54-0x00000000003A0000-0x0000000001168000-memory.dmp	upx
behavioral1/memory/1544-57-0x00000000003A0000-0x0000000001168000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1544	8c0391f7670e8328b7c350bd9e144ecab2ab84434b15007b39ecf41d68d854aa.exe
1544	8c0391f7670e8328b7c350bd9e144ecab2ab84434b15007b39ecf41d68d854aa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 512	1544	8c0391f7670e8328b7c350bd9e144ecab2ab84434b15007b39ecf41d68d854aa.exe	28
PID 1544 wrote to memory of 512	1544	8c0391f7670e8328b7c350bd9e144ecab2ab84434b15007b39ecf41d68d854aa.exe	28
PID 1544 wrote to memory of 512	1544	8c0391f7670e8328b7c350bd9e144ecab2ab84434b15007b39ecf41d68d854aa.exe	28
PID 512 wrote to memory of 1176	512	cmd.exe	30
PID 512 wrote to memory of 1176	512	cmd.exe	30
PID 512 wrote to memory of 1176	512	cmd.exe	30

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1544-54-0x00000000003A0000-0x0000000001168000-memory.dmp

Filesize
13.8MB

Download
memory/1544-57-0x00000000003A0000-0x0000000001168000-memory.dmp

Filesize
13.8MB

Download