MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caaa0d88dcfbd0e017a9b0b6c25cbdddc3e1bf27f2c96608989cd82ca6c47d36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YTStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caaa0d88dcfbd0e017a9b0b6c25cbdddc3e1bf27f2c96608989cd82ca6c47d36
SHA3-384 hash: cbd093d7e7a2f68df280f21d0629507a5ed183528ba473ff4c35addbdbdf6704dcf8b7a5fc731995da1811f72b7a0583
SHA1 hash: fa0181b57c6f2d281cd902582523b3764b8adbf2
MD5 hash: 817b1f542e3b5b0d5acc7c2222baffd0
humanhash: west-fish-violet-tango
File name:file
Download: download sample
Signature YTStealer
Create hunting rule
File size:4'231'680 bytes
First seen:2022-08-22 15:33:26 UTC
Last seen:2022-08-22 20:27:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:AwceLkllGCHA4wT725bdqs1WJFwT5049SdM2luc7KoQtRo:A0Ylzgx7UdqsmwZ9SdjlR2omRo
Threatray 155 similar samples on MalwareBazaar
TLSH T19116335C882E6C41C1BE26B80CA52D49C4102A78DF947EFB40D55E2EEEB1F8F75ADD12
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe YTStealer


Avatar
andretavare5
Sample downloaded from http://165.22.85.61/ec964/A9DCE.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
329
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-08-22 15:34:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e92f0dcd-0323-4a5e-936a-21c3cb2243da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300306/
Detection(s):
SecuriteInfo.com.W64.Agent.EBR.genEldorado.32333.1822.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/6303a23d13d4422dbbb96d1b/reports/8c7901c4-ba5b-4daf-b5c5-64f80e0d5e8e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
YTStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00d80610-2eb7-4fda-af2b-fd40d3d767c9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1055664
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 688183 Sample: file.exe Startdate: 22/08/2022 Architecture: WINDOWS Score: 72 17 Multi AV Scanner detection for domain / URL 2->17 19 Antivirus detection for URL or domain 2->19 21 Multi AV Scanner detection for submitted file 2->21 7 file.exe 3 2->7         started        process3 signatures4 23 Tries to harvest and steal browser information (history, passwords, etc) 7->23 10 powershell.exe 13 7->10         started        13 backgroundTaskHost.exe 3 17 7->13         started        process5 signatures6 25 Queries memory information (via WMI often done to detect virtual machines) 10->25 15 conhost.exe 10->15         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caaa0d88dcfbd0e017a9b0b6c25cbdddc3e1bf27f2c96608989cd82ca6c47d36/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-08-22 03:53:37 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkva3cg47pioaf5jwc3mexf53xb6dpzh6lewmceyttmczjwepu3a._file
Verdict:
suspicious
Similar samples:
1117aa3d97baa3fcc4cd60f695fb47ccef86fde7b3ffe7a26e6fe9c33a8b9c41
YTStealer
162167cc828134b6c0d08d5fc503955b4ee1a0a3efdc001709a6947be15ed3bd
YTStealer
1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901
YTStealer
30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5
YTStealer
339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297
YTStealer
768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b
YTStealer
8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe
YTStealer
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
YTStealer
adadc8e69ed95353daf38d970dcecffdde40cafc24fefd37db059ff19fcf2c79
YTStealer
f524babf2428be1c97d53f2c6508e9e851ff869d47f6957d9a71178308790200
YTStealer
+ 145 additional samples on MalwareBazaar
Result
Malware family:
ytstealer
Create hunting rule
Score:
  10/10
Tags:
family:ytstealer spyware stealer upx
Link:
https://tria.ge/reports/220822-szsf9shgdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
YTStealer
YTStealer payload
Unpacked files
SH256 hash:
8d4ada38420d4c5026671a80abc1693c904e86316f4a310627636f480ada6c47
MD5 hash:
e96b6589054416eaa22271833196ce92
SHA1 hash:
6e7baf4651e6593909dde2351cc06dedbc06adb8
Link:
https://www.unpac.me/results/ebda380a-d47e-47a4-b8c5-83d224d8f5a4/
SH256 hash:
caaa0d88dcfbd0e017a9b0b6c25cbdddc3e1bf27f2c96608989cd82ca6c47d36
MD5 hash:
817b1f542e3b5b0d5acc7c2222baffd0
SHA1 hash:
fa0181b57c6f2d281cd902582523b3764b8adbf2
Link:
https://www.unpac.me/results/ebda380a-d47e-47a4-b8c5-83d224d8f5a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/caaa0d88dcfbd0e017a9b0b6c25cbdddc3e1bf27f2c96608989cd82ca6c47d36

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/300306/
  
URLhaus
https://urlhaus.abuse.ch/url/2275645/

Comments