MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a023cfa4b4784d7155b39f4bfe4cbfad7e180c99a927dea04445cec4d9d7275. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YTStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	5a023cfa4b4784d7155b39f4bfe4cbfad7e180c99a927dea04445cec4d9d7275
SHA3-384 hash:	775a0ee1dc8c8f156ef968cd7f7aba6f056d766c021c478b35c3bbde35f1de83a9cfc94f54872a4de411b3930a46ee27
SHA1 hash:	e68c5bfadad67008db69aac7e9bcdfbef0400a2c
MD5 hash:	c67948e2a2841a9f509a02e753284ccb
humanhash:	september-utah-timing-coffee
File name:	file
Download:	download sample
Signature	YTStealer Create hunting rule
File size:	4'233'216 bytes
First seen:	2022-08-24 15:24:32 UTC
Last seen:	2022-09-01 13:54:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:BvNSbka56zGduC1acyfu5lfTIkBE98ohkOdDEQ9M9bSWz:BIOzGdX1+fu5hIkBfohN5R9Mw
TLSH	T1AB16339695B2FE4DEDFFF0B6482442150A2C39C619FF85CA900BB815471F1F8AF1668B
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe YTStealer

andretavare5

Sample downloaded from http://5.255.103.154/aa4c5/A9DCE.exe

Intelligence

File Origin

# of uploads :

# of downloads :

322

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-08-24 15:30:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7854c285-1c3d-435c-8e2e-8c856bef9d16

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300879/

Detection(s):

SecuriteInfo.com.W64.Agent.EBR.genEldorado.9395.8679.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/630642d2c9bbd990978f64cf/reports/21c80a0c-e669-4ef8-9fe4-99e5c1c4518a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

YTStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5894d25a-113e-4402-a092-01ecf9222ffa

Result

Threat name:

YTStealer

Detection:

malicious

Classification:

troj.evad.spyw

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1057083

Signature

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected YTStealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a023cfa4b4784d7155b39f4bfe4cbfad7e180c99a927dea04445cec4d9d7275/

Threat name:

Win64.Adware.RedCap

Status:

Malicious

First seen:

2022-08-24 15:25:26 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=libdz6sli6cnofk3hh2l7zgl7ll6dagjtkjh32qeirooytm5oj2q._file

Verdict:

suspicious

Result

Malware family:

ytstealer

Score:

10/10

Tags:

family:ytstealer spyware stealer upx

Link:

https://tria.ge/reports/220824-stlrjafcfn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

UPX packed file

YTStealer

YTStealer payload

Unpacked files

SH256 hash:

dfc10d64779585a45cc7cb3ba3c76556977d97dacadfe1b51d0221bd91e4877d

MD5 hash:

d87454c489418cac41699668e2ab9d5d

SHA1 hash:

c1e26a16b819fb8a385bddff8818455733532b24

Link:

https://www.unpac.me/results/faf88c3d-ffa0-44fd-a44f-25c221f720c9/

SH256 hash:

5a023cfa4b4784d7155b39f4bfe4cbfad7e180c99a927dea04445cec4d9d7275

MD5 hash:

c67948e2a2841a9f509a02e753284ccb

SHA1 hash:

e68c5bfadad67008db69aac7e9bcdfbef0400a2c

Link:

https://www.unpac.me/results/faf88c3d-ffa0-44fd-a44f-25c221f720c9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a023cfa4b4784d7155b39f4bfe4cbfad7e180c99a927dea04445cec4d9d7275

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300879/

URLhaus

https://urlhaus.abuse.ch/url/2276508/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample