General

  • Target

    AWB-9899691012.exe

  • Size

    708KB

  • Sample

    210401-jm1hm1kanx

  • MD5

    ec57669d9ea9b2ce78acd0962dd37761

  • SHA1

    175f43377e8df78601a8c93a6885025647b95e56

  • SHA256

    9dbdfcb4749e6e441ca65cf71d75944cf90111832d10b8048b70cfe084b6e675

  • SHA512

    20a34130753d3bf5249727f80cf2d6f34cc771837b89796fed700e04b76928a98bf81a5433696d6b4e4c29dea9848586fab1b9de7b5eaed214ef67d06ea42d38

Malware Config

Extracted

Family

oski

C2

http://45.85.90.220

Targets

    • Target

      AWB-9899691012.exe

    • Size

      708KB

    • MD5

      ec57669d9ea9b2ce78acd0962dd37761

    • SHA1

      175f43377e8df78601a8c93a6885025647b95e56

    • SHA256

      9dbdfcb4749e6e441ca65cf71d75944cf90111832d10b8048b70cfe084b6e675

    • SHA512

      20a34130753d3bf5249727f80cf2d6f34cc771837b89796fed700e04b76928a98bf81a5433696d6b4e4c29dea9848586fab1b9de7b5eaed214ef67d06ea42d38

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks