General

  • Target

    Copy of SN po_1100111010.r10

  • Size

    232KB

  • Sample

    210415-1acbrxb94a

  • MD5

    3937caf54bcc1b10dfa2c0c8fa323ebd

  • SHA1

    18fb9a5feb578b61e57041bce5b3f6ddbe1e1143

  • SHA256

    8aab7c82bd2fdb732deaa0a13703fd525820af323b38a48787a266bd41963f91

  • SHA512

    215ac4a518f42f6883c281bf227ef9a4aa8d654b261216e0a9d3e93f35f8d8b6e4d06d772cb9562691665c04b0dc24b1af17661e63539bd98308d44d41b51923

Malware Config

Extracted

Family

oski

C2

45.144.225.118

Extracted

Family

azorult

C2

http://lexusbiscuit.com/OiuBn/index.php

Targets

    • Target

      Copy of SN po_1100111010.exe

    • Size

      246KB

    • MD5

      3b6e9a0e999ec5d9bc5c54ae54048c52

    • SHA1

      f146a15efc6ec066455068a3e4d5b36b1ef2a567

    • SHA256

      c4553e1a62dfc26ae2dd5914a6fb8ea3a7f5ecb7cbb9ca5668dd6024328e9b6c

    • SHA512

      97c5e1bef7e8df3474efaa60937a80f91f717494f260354c207c6a026c2d28a5db833575232973296a61be75487523e85139cc322cd85c86294f95035233d765

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks