MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff3ae8fff0d1862d4bde8f61e0ed14ef76d6d2cc6d940bb83dc0b4cfdacc2752. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

YTStealer

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ff3ae8fff0d1862d4bde8f61e0ed14ef76d6d2cc6d940bb83dc0b4cfdacc2752
SHA3-384 hash:	29e94202471e1013014917e65ac9df14dc7db07fcd6c7b99e541b6c8f28cdf62f63ee7c48e159abe5d82e4ac8a4d16a8
SHA1 hash:	4775ac52549c6547aa20239f5ac00ee6c9ef23f7
MD5 hash:	bb1dec3065d196ef788c2907ad6f5494
humanhash:	hamper-mississippi-white-uncle
File name:	file
Download:	download sample
Signature	YTStealer Create hunting rule
File size:	4'287'488 bytes
First seen:	2022-09-02 17:20:02 UTC
Last seen:	2024-10-24 21:23:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:povZKvwtbFyqeDZ1RLaTIZyS7+4ScSgOFzG7SdINkn:aZiYhyqez5TJ+ESgOFi76iw
TLSH	T1F61633B18F76DEBFD80DC3F6B7C42A8BA4049551191617E478BE22D5BD93209DCACCA0
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe YTStealer

andretavare5

Sample downloaded from http://5.255.104.227/ad22b/a84eb.exe

Intelligence

File Origin

# of uploads :

# of downloads :

550

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-09-02 17:21:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a2888e2d-5a68-494c-ae38-acc492b1c79c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/307500/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.61709622.5528.18258.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a file in the system32 subdirectories

Creating a file

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/63123bc08a289813e158b4d2/reports/e3f042ca-12c5-487c-8f44-1a001adc27b3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/96505197-9ad4-4c7e-bf0e-3e2a61ea057f

Result

Threat name:

YTStealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1064283

Signature

Antivirus detection for URL or domain

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected YTStealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff3ae8fff0d1862d4bde8f61e0ed14ef76d6d2cc6d940bb83dc0b4cfdacc2752/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=745or77q2gdc2s66r5q6b3iu553nnuwmnwkaxob5yc2m7wwme5ja._file

Result

Malware family:

ytstealer

Score:

10/10

Tags:

family:ytstealer spyware stealer upx

Link:

https://tria.ge/reports/220902-vwfpeacag8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

UPX packed file

YTStealer

YTStealer payload

Unpacked files

SH256 hash:

9f668f262d20a043df9f4bfceb9feb028a548bccb78ae7e96888ac4a8a0a3224

MD5 hash:

41cb106835fc9944e70c44e3bfa66d05

SHA1 hash:

7c6b40e5fe9dfc4098a192a5d41d24546399c19f

Link:

https://www.unpac.me/results/2625650a-3314-482b-9091-15ab66d6615a/

SH256 hash:

ff3ae8fff0d1862d4bde8f61e0ed14ef76d6d2cc6d940bb83dc0b4cfdacc2752

MD5 hash:

bb1dec3065d196ef788c2907ad6f5494

SHA1 hash:

4775ac52549c6547aa20239f5ac00ee6c9ef23f7

Link:

https://www.unpac.me/results/2625650a-3314-482b-9091-15ab66d6615a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ff3ae8fff0d1862d4bde8f61e0ed14ef76d6d2cc6d940bb83dc0b4cfdacc2752

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/307500/

URLhaus

https://urlhaus.abuse.ch/url/2289983/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample