MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f92554a407ab10b4d8485ab5924f7ed2a52dedc735a21b828dba224d839391e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YTStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f92554a407ab10b4d8485ab5924f7ed2a52dedc735a21b828dba224d839391e
SHA3-384 hash: 7c6069f38d86dbba1a25db1ac1907129e2e9208895b2ab81194e6705a1d47b194d451ee7c7f1cfa6cacb1cb089101e25
SHA1 hash: 7ed293f0cf8426b4bfbb8d0144fe3fb97e2d6c83
MD5 hash: f5c9a86d3405816dd987976a96793a96
humanhash: carpet-magnesium-skylark-princess
File name:file
Download: download sample
Signature YTStealer
Create hunting rule
File size:4'234'240 bytes
First seen:2022-08-23 14:29:40 UTC
Last seen:2022-08-23 15:40:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:DiWCL/rtIkroAEl7GNo4dHHFATQqpDjKD:yS/NWo4dHl4QqpDjK
Threatray 93 similar samples on MalwareBazaar
TLSH T1C01633EB580DEE1CFB5217346EB67E69FA3C8B02FD34B68D01286105F5130159AEB61E
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe YTStealer


Avatar
andretavare5
Sample downloaded from http://188.241.58.71/ec964/A9DCE.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
370
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-08-23 14:32:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/afbc0362-a815-48ad-ab04-dce3a71c144b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300615/
Detection(s):
SecuriteInfo.com.ArtemisF5C9A86D3405.11661.4783.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/6304e4ba6a5c2490f87da656/reports/7b324321-437a-44d0-a372-bc32c17ce0c7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
YTStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91af9997-4d2c-4302-98b8-df8ab1e4cb36
Result
Threat name:
YTStealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1056370
Signature
Antivirus / Scanner detection for submitted sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected YTStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 688884 Sample: file Startdate: 23/08/2022 Architecture: WINDOWS Score: 64 23 goback.delivery 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Yara detected YTStealer 2->27 8 file.exe 2->8         started        signatures3 process4 process5 10 powershell.exe 13 8->10         started        13 powershell.exe 12 8->13         started        15 powershell.exe 12 8->15         started        signatures6 29 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->29 31 Queries memory information (via WMI often done to detect virtual machines) 10->31 17 conhost.exe 10->17         started        19 conhost.exe 13->19         started        21 conhost.exe 15->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f92554a407ab10b4d8485ab5924f7ed2a52dedc735a21b828dba224d839391e/
Threat name:
Win64.Infostealer.Goback
Create hunting rule
Status:
Malicious
First seen:
2022-08-23 14:30:23 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6jfkssapkyqwtmeqwvvsjhx5uvffxw4onncdobi3orcjwbzhepa._file
Verdict:
suspicious
Similar samples:
1117aa3d97baa3fcc4cd60f695fb47ccef86fde7b3ffe7a26e6fe9c33a8b9c41
YTStealer
162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd
YTStealer
1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901
YTStealer
30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5
YTStealer
339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297
YTStealer
8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe
YTStealer
adadc8e69ed95353daf38d970dcecffdde40cafc24fefd37db059ff19fcf2c79
YTStealer
caaa0d88dcfbd0e017a9b0b6c25cbdddc3e1bf27f2c96608989cd82ca6c47d36
YTStealer
f524babf2428be1c97d53f2c6508e9e851ff869d47f6957d9a71178308790200
YTStealer
faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2
YTStealer
+ 83 additional samples on MalwareBazaar
Result
Malware family:
ytstealer
Create hunting rule
Score:
  10/10
Tags:
family:ytstealer spyware stealer upx
Link:
https://tria.ge/reports/220823-rwaxdafcgr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
YTStealer
YTStealer payload
Unpacked files
SH256 hash:
793e60131a21b3fc9ea2fc533e8502590ec386e1e0655a1608d90ef35e77d65a
MD5 hash:
d4c43cffd783792ce5a8757e44cf6c5c
SHA1 hash:
3838bdf032df2f5cf391f7403973aad1718f90bb
Link:
https://www.unpac.me/results/0ff5ffbc-44d6-47e1-aa15-9c5842a263b5/
SH256 hash:
2f92554a407ab10b4d8485ab5924f7ed2a52dedc735a21b828dba224d839391e
MD5 hash:
f5c9a86d3405816dd987976a96793a96
SHA1 hash:
7ed293f0cf8426b4bfbb8d0144fe3fb97e2d6c83
Link:
https://www.unpac.me/results/0ff5ffbc-44d6-47e1-aa15-9c5842a263b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2f92554a407ab10b4d8485ab5924f7ed2a52dedc735a21b828dba224d839391e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/300615/
  
URLhaus
https://urlhaus.abuse.ch/url/2276166/

Comments