Trojan.Stealer.YC

By CagedTech in Stealers, Trojans

Threat Scorecard

Popularity Rank: 21,293
Threat Level: 80 % (High)
Infected Computers: 535
First Seen: November 27, 2023
Last Seen: March 24, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Stealer.YC
Signature status: Modified signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have relocations information
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: Microsoft Corporation
File Description:
  • Microsoft OneDrive
  • Microsoft SharePoint
File Version: 21.220.1024.0005
Internal Name: Client Application
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename:
  • Microsoft.SharePoint.exe
  • OneDrive.exe
Product Name:
  • Microsoft OneDrive
  • Microsoft SharePoint
Product Version: 21.220.1024.0005
Special Build: b/build/2c205c5c-e050-0ffd-f7d0-63786687edbc

Digital Signatures

Signer: Microsoft Corporation
Root: Microsoft Code Signing PCA 2010
Status: Hash Mismatch

File Traits

  • 2+ executable sections
  • big overlay
  • HighEntropy
  • x86

Block Information

Total Blocks: 2,546
Potentially Malicious Blocks: 258
Whitelisted Blocks: 2,231
Unknown Blocks: 57


Files Modified

File: c:\windows\20bc9d
Attributes: Generic Write, Read Attributes

File: c:\windows\system.ini
Attributes: Generic Read, Write Data, Write Attributes, Write Extended, Append Data

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\onedrive::repairattempted  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications  RegNtPreCreateKey
HKCU\software\stvncyfrlda::m1_0  RegNtPreCreateKey
HKCU\software\stvncyfrlda::m2_0 RegNtPreCreateKey
HKCU\software\stvncyfrlda::m3_0 RegNtPreCreateKey
HKCU\software\stvncyfrlda::m4_0 RegNtPreCreateKey
HKCU\software\stvncyfrlda\168128873::1735290733 RegNtPreCreateKey
HKCU\software\stvncyfrlda\168128873::-824385830 RegNtPreCreateKey
HKCU\software\stvncyfrlda\168128873::910904903 RegNtPreCreateKey
HKCU\software\stvncyfrlda\168128873::-1648771660 # RegNtPreCreateKey
HKCU\software\stvncyfrlda\168128873::86519073 = RegNtPreCreateKey
HKCU\software\stvncyfrlda\168128873::1821809806 http://gatheredovertime.com/nb4http://imagebucket.biz/nv4 RegNtPreCreateKey
HKCU\software\stvncyfrlda\168128873::-737866757 RegNtPreCreateKey

Windows API Usage

Category: Process Shell Execute
API:
  • CreateProcess

Shell Command Execution

C:\Users\Tekqxlpb\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe OneDriveStandaloneUpdater.exe /repair:21.220.1024.0005 /OneDrivePid:3180
C:\Users\Rhcfmork\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe OneDriveStandaloneUpdater.exe /repair:21.220.1024.0005 /OneDrivePid:6040