ytstealer | 18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-09-2022 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe
Size

4.0MB
MD5

ed6dddc2516c34092d53008a482784dc
SHA1

8569ebfeba7c442af07555325dffa09cb164d139
SHA256

18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78
SHA512

93b83727d8311e52087cc30156ee8cc958474d47bd86d2f52424b0bfe34adc483d4980a29aef684ec69292024f57a444bb02b308a1cb254ae5bc48b809012e79
SSDEEP

98304:ttNhYl6DdXAUusbZ4IHdXFdacq21lkB9lMVCTWQi+Pb9Ei:ttjHDdXAUTaq/SywlMVB+RE

Score

10^/10

ytstealer spyware stealer upx

Malware Config

Signatures

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1912-54-0x0000000001350000-0x0000000002119000-memory.dmp	family_ytstealer
behavioral1/memory/1912-57-0x0000000001350000-0x0000000002119000-memory.dmp	family_ytstealer

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1912-54-0x0000000001350000-0x0000000002119000-memory.dmp	upx
behavioral1/memory/1912-57-0x0000000001350000-0x0000000002119000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe

pid	process
1912	18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe
1912	18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.execmd.exe

description	pid	process	target process
PID 1912 wrote to memory of 1976	1912	18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe	cmd.exe
PID 1912 wrote to memory of 1976	1912	18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe	cmd.exe
PID 1912 wrote to memory of 1976	1912	18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe	cmd.exe
PID 1976 wrote to memory of 584	1976	cmd.exe	choice.exe
PID 1976 wrote to memory of 584	1976	cmd.exe	choice.exe
PID 1976 wrote to memory of 584	1976	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe
"C:\Users\Admin\AppData\Local\Temp\18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\18fb5108dc25caac2c5cccff5583a297d3eff58ec86a28b6fd6b3e5c542c5f78.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 0
    3⤵
    PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-56-0x0000000000000000-mapping.dmp

Download
memory/1912-54-0x0000000001350000-0x0000000002119000-memory.dmp

Filesize
13.8MB

Download
memory/1912-57-0x0000000001350000-0x0000000002119000-memory.dmp

Filesize
13.8MB

Download
memory/1976-55-0x0000000000000000-mapping.dmp

Download