Resubmissions

12-04-2021 10:00

210412-a7hjh1yv6x 10

12-04-2021 08:35

210412-g5l3lkfx36 10

General

  • Target

    MT103_Swift-confirmation#4425-28373XXX.exe

  • Size

    795KB

  • Sample

    210412-g5l3lkfx36

  • MD5

    bb4489ef3af30a3f1ac77bca896285b3

  • SHA1

    e447d424cccd2e632233f86d4b20c0718cc45fcd

  • SHA256

    b2a66114f2afb03bd4087e7fc37d6c89ff7f3d3bd48d751dc9334a5a746f7c37

  • SHA512

    a91a49b9ed5c393288844434aeac3a58b217379d0116adb2a0492f090908545f11d1e2985792751c8c6d10b87a66d7d9b47954ce6aeef2080c355b68c9d0bb32

Malware Config

Extracted

Family

oski

C2

45.85.90.86

Targets

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), 2 signatures

  • Discovery

    Query Registry (T1012), 2 signatures

    System Information Discovery (T1082), 2 signatures

  • Collection

    Data from Local System (T1005), 2 signatures

Tasks