Analysis
- max time kernel: 37s
- max time network: 42s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 20:56
Behavioral task
- behavioral1
  - Sample: YTbotpro.exe
  - Resource: win10v2004-20221111-en
General
- Target: YTbotpro.exe
- Size: 320KB
- MD5: 5c4577025e266b3e52fe22c4051fb5ad
- SHA1: 1b9dd3a30686c64da035d384306d09e35f2b39c0
- SHA256: eadfac21e4580ff8425d7b233a46f097710f6b132aaa42cbf7f9b7a7fc174b52
- SHA512: 7747563f58a32c94ec5c70f9e4019a50822a243144d0e71888321c867553341970231d09a658b0d509535fd01fb895b96fb5db2c1007d7b00ed9326e15fd70dd
- SSDEEP: 6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvD:Cm/Q6P8j/svm1TXI5tZB
Malware Config
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  Processes:
  - resource: behavioral1/memory/1604-132-0x0000000000390000-0x00000000003E6000-memory.dmp | yara_rule: family_stormkitty
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | YTbotpro.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | YTbotpro.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | YTbotpro.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (7 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Users\Admin\AppData\Local\WIJBFSKT\FileGrabber\Desktop\desktop.ini | YTbotpro.exe
  - File opened for modification | C:\Users\Admin\AppData\Local\WIJBFSKT\FileGrabber\Desktop\desktop.ini | YTbotpro.exe
  - File created | C:\Users\Admin\AppData\Local\WIJBFSKT\FileGrabber\Documents\desktop.ini | YTbotpro.exe
  - File created | C:\Users\Admin\AppData\Local\WIJBFSKT\FileGrabber\Downloads\desktop.ini | YTbotpro.exe
  - File created | C:\Users\Admin\AppData\Local\WIJBFSKT\FileGrabber\Pictures\desktop.ini | YTbotpro.exe
  - File created | C:\Users\Admin\AppData\Local\WIJBFSKT\FileGrabber\Pictures\Saved Pictures\desktop.ini | YTbotpro.exe
  - File created | C:\Users\Admin\AppData\Local\WIJBFSKT\FileGrabber\Pictures\Camera Roll\desktop.ini | YTbotpro.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  - 6 | freegeoip.app
  - 9 | freegeoip.app
  - 14 | api.ipify.org
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | YTbotpro.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | YTbotpro.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes (pid | process):
  - 1604 | YTbotpro.exe (28 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1604 | YTbotpro.exe
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | YTbotpro.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | YTbotpro.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\YTbotpro.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\YTbotpro.exe"
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1604-132-0x0000000000390000-0x00000000003E6000-memory.dmp (Filesize: 344KB)
- memory/1604-133-0x00000000060D0000-0x0000000006162000-memory.dmp (Filesize: 584KB)
- memory/1604-134-0x0000000006720000-0x0000000006CC4000-memory.dmp (Filesize: 5.6MB)
- memory/1604-135-0x0000000006570000-0x00000000065D6000-memory.dmp (Filesize: 408KB)