MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2537af94a4828edf5b859e4af8ddad46d740b317e7812c30f7402ac55f64f2e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YTStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	2537af94a4828edf5b859e4af8ddad46d740b317e7812c30f7402ac55f64f2e9
SHA3-384 hash:	6dc7283848370dc45fe852aeb217bb9017aefade44ba740ac452016a56193dce566e7766d431251f82f6df636aeb7b7e
SHA1 hash:	a1fa77240cb17b2eda490487de1f45c7f4f4494f
MD5 hash:	dbdabe272ad89931f5b26ccf4c5ef13a
humanhash:	hot-shade-floor-leopard
File name:	file
Download:	download sample
Signature	YTStealer Create hunting rule
File size:	4'233'728 bytes
First seen:	2022-08-23 14:27:34 UTC
Last seen:	2022-08-23 15:40:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:u/I3jX6m/pmTq8V0hXDPFofiKfA7MHylLL/El+NU:u/SjXxZ8V0lFbKfA7PlHE8N
Threatray	108 similar samples on MalwareBazaar
TLSH	T1EE163306736576D2C88CB7B8107EFFE3FD0D5CEA078A367795AB80A4463463E2690536
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe YTStealer

andretavare5

Sample downloaded from http://188.241.58.71/ec964/bfB48.exe

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-08-23 14:28:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2c1650bc-f342-4e4c-b9e7-1f66db799443

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300614/

Detection(s):

SecuriteInfo.com.W64.Agent.EBR.genEldorado.2752.22391.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/6304e4b713d4422dbbbc5724/reports/307cf0b4-66c5-4d52-b682-291b2b0ae04c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

YTStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/227f855b-fbee-4f2a-af26-37e24b4cd261

Result

Threat name:

YTStealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1056371

Signature

Antivirus / Scanner detection for submitted sample

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected YTStealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2537af94a4828edf5b859e4af8ddad46d740b317e7812c30f7402ac55f64f2e9/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-08-23 14:28:21 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

24 of 40 (60.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eu327ffeqkhn6w4ftzfprxnni3lubmyx46asymhxiavmkx3e6luq._file

Verdict:

suspicious

YTStealer

162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd

YTStealer

1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901

YTStealer

2f92554a407ab10b4d8485ab5924f7ed2a52dedc735a21b828dba224d839391e

YTStealer

339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297

YTStealer

8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe

YTStealer

adadc8e69ed95353daf38d970dcecffdde40cafc24fefd37db059ff19fcf2c79

YTStealer

caaa0d88dcfbd0e017a9b0b6c25cbdddc3e1bf27f2c96608989cd82ca6c47d36

YTStealer

f524babf2428be1c97d53f2c6508e9e851ff869d47f6957d9a71178308790200

YTStealer

faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2

YTStealer

+ 98 additional samples on MalwareBazaar

Result

Malware family:

ytstealer

Score:

10/10

Tags:

family:ytstealer spyware stealer upx

Link:

https://tria.ge/reports/220823-rsz24afcdq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

UPX packed file

YTStealer

YTStealer payload

Unpacked files

SH256 hash:

56779f99b9a46a3cdc925c46115a195249886101972c34e7c9f4f3bea1e5917c

MD5 hash:

7d31d43ddce0552f3d103f9a762191d0

SHA1 hash:

5bc2b6de2f64812ad5b9995ad67b3136cad4f916

Link:

https://www.unpac.me/results/010c11c9-6ad5-4aa2-b6c4-570b54c45851/

SH256 hash:

2537af94a4828edf5b859e4af8ddad46d740b317e7812c30f7402ac55f64f2e9

MD5 hash:

dbdabe272ad89931f5b26ccf4c5ef13a

SHA1 hash:

a1fa77240cb17b2eda490487de1f45c7f4f4494f

Link:

https://www.unpac.me/results/010c11c9-6ad5-4aa2-b6c4-570b54c45851/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2537af94a4828edf5b859e4af8ddad46d740b317e7812c30f7402ac55f64f2e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300614/

URLhaus

https://urlhaus.abuse.ch/url/2276165/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample