MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5310daa207f4baf357415201fc7365e91a62d6273bd5128d9a900081d782c4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YTStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	b5310daa207f4baf357415201fc7365e91a62d6273bd5128d9a900081d782c4a
SHA3-384 hash:	8eb9413bff5eb2fd8fd0b4e8bee5e0671a4c588a5a1ca75995607ecc293ff0921e028a511f8f6e778d23a77e69054c10
SHA1 hash:	2e217012be69428efce8bc63a8b114e75f638728
MD5 hash:	c4877fe395a2877012a9b1eccc07ac2f
humanhash:	neptune-shade-south-lithium
File name:	file
Download:	download sample
Signature	YTStealer Create hunting rule
File size:	4'232'192 bytes
First seen:	2022-08-24 14:41:08 UTC
Last seen:	2022-08-25 09:52:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:zEa5po5MC3Mi6eY41p1xHOuVHh/RbtiWetcX71zzEQ:zvpoeC8kl1xOYHhJbtoidx
Threatray	96 similar samples on MalwareBazaar
TLSH	T14D1633EB8BD2CBE4E32C56BA707099ED264475965D25C3D0CF0736910B2F0A67EAC874
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe YTStealer

andretavare5

Sample downloaded from http://5.255.103.154/aa4c5/bfB48.exe

Intelligence

File Origin

# of uploads :

# of downloads :

352

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-08-24 14:44:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/59d525f2-59ef-44fc-9709-2e5bbf47b583

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300875/

Detection(s):

SecuriteInfo.com.W64.Agent.EBR.genEldorado.25738.26831.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/630638ffc9bbd990978f3b2b/reports/d630ef59-1cf2-4bb7-9b7e-db7a8f2f8c3c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

YTStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/476841e3-b831-41c2-922a-203e7b861b93

Result

Threat name:

YTStealer

Detection:

malicious

Classification:

troj.evad.spyw

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1057056

Signature

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Queries memory information (via WMI often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected YTStealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5310daa207f4baf357415201fc7365e91a62d6273bd5128d9a900081d782c4a/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-08-24 14:42:23 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wuyq3krap5f26nlucuqb7rzwl2i2mllcoo6vckgzveaaqhlyfrfa._file

Verdict:

suspicious

YTStealer

162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd

YTStealer

1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901

YTStealer

2537af94a4828edf5b859e4af8ddad46d740b317e7812c30f7402ac55f64f2e9

YTStealer

2f92554a407ab10b4d8485ab5924f7ed2a52dedc735a21b828dba224d839391e

YTStealer

39b2f8df45c1356963ad36795c5d739b1201ca4798fbcc016ed3316a8a30cc9a

YTStealer

8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe

YTStealer

adadc8e69ed95353daf38d970dcecffdde40cafc24fefd37db059ff19fcf2c79

YTStealer

caaa0d88dcfbd0e017a9b0b6c25cbdddc3e1bf27f2c96608989cd82ca6c47d36

YTStealer

faa3e926d4b9981b4b21a9c5a2cd61dd573b8eee6938a9519dbdfcabb32073c2

YTStealer

+ 86 additional samples on MalwareBazaar

Result

Malware family:

ytstealer

Score:

10/10

Tags:

family:ytstealer spyware stealer upx

Link:

https://tria.ge/reports/220824-r2zspafgf8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

UPX packed file

YTStealer

YTStealer payload

Unpacked files

SH256 hash:

3a48296e21c2cec12c3b0e0ab76307bbc6c9b8fd34329a9b4e54b8dd4f022775

MD5 hash:

9ac3b5033f1bd12ba1884c9506e23c6b

SHA1 hash:

a7ad0c6768b8fc647630a3d69de41e09548eff28

Link:

https://www.unpac.me/results/9366e330-61bb-4f83-886d-5f89e20fa60a/

SH256 hash:

b5310daa207f4baf357415201fc7365e91a62d6273bd5128d9a900081d782c4a

MD5 hash:

c4877fe395a2877012a9b1eccc07ac2f

SHA1 hash:

2e217012be69428efce8bc63a8b114e75f638728

Link:

https://www.unpac.me/results/9366e330-61bb-4f83-886d-5f89e20fa60a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5310daa207f4baf357415201fc7365e91a62d6273bd5128d9a900081d782c4a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/300875/

URLhaus

https://urlhaus.abuse.ch/url/2276452/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample