MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YTStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd
SHA3-384 hash:	f66ced6efb3ebaa9493b057dd774c70aa6319a6745d06fc3008b0330342923af9e89689a73dfe7ea6a640b260f13761d
SHA1 hash:	869b755bd85562cbb0ee028dacf8683ea4d0e492
MD5 hash:	a9103ecc6cb83874f969456e129799a1
humanhash:	butter-skylark-mexico-monkey
File name:	file
Download:	download sample
Signature	YTStealer Create hunting rule
File size:	4'228'608 bytes
First seen:	2022-08-22 15:10:23 UTC
Last seen:	2022-08-22 20:23:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:8jiyG7kzffaYEXdMIYFdC6Zfl4XKhE8dO5iJYpEEQego8m8:AiyRzfSX5Du9eKhOpgegf
Threatray	150 similar samples on MalwareBazaar
TLSH	T1E116332D2F860768C75923349714F04CFFD8E92A9AC6F2130EE25F641ED77C221A9A5C
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe YTStealer

andretavare5

Sample downloaded from http://165.22.85.61/ec964/bfB48.exe

Intelligence

File Origin

# of uploads :

# of downloads :

315

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-08-22 15:13:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6710280e-bbda-40fb-a833-555c2b4d2351

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300291/

Detection(s):

SecuriteInfo.com.W64.Agent.EBR.genEldorado.16712.12597.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/63039d4513d4422dbbb960cb/reports/206c4f18-4224-4681-a7fb-31f2d1b02e4e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

YTStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/437e85fb-2144-46ed-a900-377293628f9f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1055648

Signature

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-08-22 03:56:02 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cyqwptecqe2lnqgqrvp4ka4vlnhodifd57oaafyju2khxyk62o6q._file

Verdict:

suspicious

YTStealer

30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5

YTStealer

339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297

YTStealer

56013a94edeaf931e04fc0103058f3d183f1fd9f46e4e133d6f4bb63a0826486

YTStealer

768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b

YTStealer

8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe

YTStealer

ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645

YTStealer

adadc8e69ed95353daf38d970dcecffdde40cafc24fefd37db059ff19fcf2c79

YTStealer

f524babf2428be1c97d53f2c6508e9e851ff869d47f6957d9a71178308790200

YTStealer

faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2

YTStealer

+ 140 additional samples on MalwareBazaar

Result

Malware family:

ytstealer

Score:

10/10

Tags:

family:ytstealer spyware stealer upx

Link:

https://tria.ge/reports/220822-skleeahebr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

UPX packed file

YTStealer

YTStealer payload

Unpacked files

SH256 hash:

9c3ce5b5fd92ae19fb3ba5369cc6705eeb129681cd99e956c51f19d68926f871

MD5 hash:

ceec2f4ddcd6d751b4f13b7589fca7bd

SHA1 hash:

81deed6e332304cefe10a328a92b0c831d615efc

Link:

https://www.unpac.me/results/e6abc03e-368d-461a-9ef4-069c93fcf63f/

SH256 hash:

162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd

MD5 hash:

a9103ecc6cb83874f969456e129799a1

SHA1 hash:

869b755bd85562cbb0ee028dacf8683ea4d0e492

Link:

https://www.unpac.me/results/e6abc03e-368d-461a-9ef4-069c93fcf63f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300291/

URLhaus

https://urlhaus.abuse.ch/url/2275631/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample