Copy of SN po_1100111010.r10

General
Target

Copy of SN po_1100111010.r10

Size

232KB

Sample

210415-gvv9mtxbg6

Score
10/10

MD5

3937caf54bcc1b10dfa2c0c8fa323ebd

SHA1

18fb9a5feb578b61e57041bce5b3f6ddbe1e1143

SHA256

8aab7c82bd2fdb732deaa0a13703fd525820af323b38a48787a266bd41963f91

SHA512

215ac4a518f42f6883c281bf227ef9a4aa8d654b261216e0a9d3e93f35f8d8b6e4d06d772cb9562691665c04b0dc24b1af17661e63539bd98308d44d41b51923

Malware Config

Extracted

Family oski
C2

45.144.225.118

Extracted

Family azorult
C2

http://lexusbiscuit.com/OiuBn/index.php

Targets
Target

Copy of SN po_1100111010.exe

MD5

3b6e9a0e999ec5d9bc5c54ae54048c52

Filesize

246KB

Score
10/10

SHA1

f146a15efc6ec066455068a3e4d5b36b1ef2a567

SHA256

c4553e1a62dfc26ae2dd5914a6fb8ea3a7f5ecb7cbb9ca5668dd6024328e9b6c

SHA512

97c5e1bef7e8df3474efaa60937a80f91f717494f260354c207c6a026c2d28a5db833575232973296a61be75487523e85139cc322cd85c86294f95035233d765

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Oski

    Description

    Oski is an infostealer targeting browser data and cryptocurrency wallets.

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System
    Credentials in Files

  • Reads local data of messenger clients

    Description

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    TTPs

    Data from Local System
    Credentials in Files

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System
    Credentials in Files

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    TTPs

    Data from Local System
    Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System
    Credentials in Files

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation