MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 426b4361fc059b4c2e98f072f989e5dd59f508785be8bd2165e87d38e9a6284d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YTStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 426b4361fc059b4c2e98f072f989e5dd59f508785be8bd2165e87d38e9a6284d
SHA3-384 hash: 0534d380c2351a5e383077a70142509dd2cd24fa4563a534b63ce5c85cec8359963edfb6ec18e3f4b4fbbf5c9e5e383e
SHA1 hash: edef9ad78265347a821d1201c0b1afc59cc1c11a
MD5 hash: f9a93fa82c1194cd2545a527463945db
humanhash: charlie-london-whiskey-twelve
File name:file
Download: download sample
Signature YTStealer
Create hunting rule
File size:4'232'704 bytes
First seen:2022-08-26 13:30:55 UTC
Last seen:2022-08-29 16:30:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:us5ZW5Hafm6WAmtHK52B7wnx7otb8XtCgxdth02GjRnXQCwd:OHa+qmtHKy72x7oUdth026
Threatray 106 similar samples on MalwareBazaar
TLSH T18D1633F9468EE142C259ABB24708BA39751E7034832B566FF8709728CB0D156FCD9A73
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe YTStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc572676066_643406307?hash=P6yDEwRfgCTeZTVdM64fEtWfjMhMSBR7MNGqs1ETCKT&dl=GU3TENRXGYYDMNQ:1661520536:CbuXfCVgv8hZZsr12H5o1olLhMbtq6AL1wd36eLYKgw&api=1&no_preview=1#penchik

Intelligence

File Origin
# of uploads :
33
# of downloads :
414
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-08-26 13:33:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/35123ce4-374f-4b55-b23e-d7e7cf503849

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301414/
Detection(s):
SecuriteInfo.com.ArtemisF9A93FA82C11.8366.20321.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/6308cb19f205e2ee767a718e/reports/08967a5b-59fa-48aa-9b2c-bf31dc7d6c50/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
YTStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fca39dce-616a-4146-be21-8168fc57d868
Result
Threat name:
YTStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1058430
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected YTStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 690947 Sample: file.exe Startdate: 26/08/2022 Architecture: WINDOWS Score: 84 26 Antivirus detection for URL or domain 2->26 28 Antivirus / Scanner detection for submitted sample 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected YTStealer 2->32 7 file.exe 2->7         started        process3 dnsIp4 24 goback.delivery 104.21.84.12, 443, 49770 CLOUDFLARENETUS United States 7->24 34 Tries to harvest and steal browser information (history, passwords, etc) 7->34 11 powershell.exe 14 7->11         started        14 powershell.exe 10 7->14         started        16 powershell.exe 10 7->16         started        signatures5 process6 signatures7 36 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->36 38 Queries memory information (via WMI often done to detect virtual machines) 11->38 18 conhost.exe 11->18         started        20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/426b4361fc059b4c2e98f072f989e5dd59f508785be8bd2165e87d38e9a6284d/
Threat name:
Win64.Infostealer.Goback
Create hunting rule
Status:
Malicious
First seen:
2022-08-26 13:31:22 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijvugyp4awnuyluy6bzptcpf3vm7kcdylpul2ilf5b6tr2ngfbgq._file
Verdict:
suspicious
Similar samples:
0111c56fecef2c68c49cf2f1da1ba0dfedc73d5162ec71e9461a05885d424679
YTStealer
2537af94a4828edf5b859e4af8ddad46d740b317e7812c30f7402ac55f64f2e9
YTStealer
2f92554a407ab10b4d8485ab5924f7ed2a52dedc735a21b828dba224d839391e
YTStealer
39b2f8df45c1356963ad36795c5d739b1201ca4798fbcc016ed3316a8a30cc9a
YTStealer
5a023cfa4b4784d7155b39f4bfe4cbfad7e180c99a927dea04445cec4d9d7275
YTStealer
6ace84c8a5b97075e435df18a59c7dcaa90091c8b3140deedf5139329d1890df
YTStealer
7b6662b7e68c82c21609f9c989adbbaeeb2b96fc546a3cdd54168f0d3b743583
YTStealer
b5310daa207f4baf357415201fc7365e91a62d6273bd5128d9a900081d782c4a
YTStealer
c267127537997e7e1120c7703fc894ee5bf83c7747fd3736fe91fc627eb6da52
YTStealer
ef91b2a1887cb0fa13a3305220dfb78d4d7b041fe8177b5810772e0d27487f90
YTStealer
+ 96 additional samples on MalwareBazaar
Result
Malware family:
ytstealer
Create hunting rule
Score:
  10/10
Tags:
family:ytstealer spyware stealer upx
Link:
https://tria.ge/reports/220826-qsdcnadahl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
YTStealer
YTStealer payload
Unpacked files
SH256 hash:
fc3b27a84f9e46df49521c0e7ec75d9dd242a6cd0b9ac68c6e99d5b6efe490ec
MD5 hash:
a3a52a786454a0e43992208f82785b9f
SHA1 hash:
e0bc203be103eecb5aab90f15db2b95f1d3145fd
Link:
https://www.unpac.me/results/0c14f6e6-6775-424a-8144-814ee7363dda/
SH256 hash:
426b4361fc059b4c2e98f072f989e5dd59f508785be8bd2165e87d38e9a6284d
MD5 hash:
f9a93fa82c1194cd2545a527463945db
SHA1 hash:
edef9ad78265347a821d1201c0b1afc59cc1c11a
Link:
https://www.unpac.me/results/0c14f6e6-6775-424a-8144-814ee7363dda/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/426b4361fc059b4c2e98f072f989e5dd59f508785be8bd2165e87d38e9a6284d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/301414/

Comments