General

  • Target

    Request Quotation for New inq no .2018-780.ace

  • Size

    289KB

  • Sample

    210419-qtg5nvbp8e

  • MD5

    565bcd5842892dfaf31d63b503dd9c84

  • SHA1

    d603c7333849be2af12bf6b2e5038f8ce4f50c56

  • SHA256

    4531046b672dc2cbb9dce96e1afdc886799ef9d326f6f2f027e936fdf47bc2f2

  • SHA512

    641d3a2274bf57f289d229a1209e914e48eaeae99051c996beca1185a7afbb4c541c775cdb84a0a7d25f2e729ea555679ab1e71b01261d39a41cdbf9feaf2b4b

Malware Config

Extracted

Family

oski

C2

31.210.20.228

Targets

    • Target

      Request Quotation for New inq no .2018-780.exe

    • Size

      429KB

    • MD5

      385cf85664e48a1456642948b86ddaee

    • SHA1

      fccccd86f97846e7ba4b58159bf4015e2b21a86e

    • SHA256

      d5e15aa82a4f0b9cbf333078abb260229c43f1b04037d7bab9ef1364da48262f

    • SHA512

      a3a131d8e4100332bc94b3115bc7257e92b646cda89ac45c4b06d066592ee36a31a74d9a405fb96a66d94032a4bc733af1a24bbf10f1d24f10a258dff583bb83

    • Oski

      Oski is an infostealer that harvests browser data (saved credentials, cookies, autofill) and cryptocurrency wallet files and sends them to its C2.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely read the browser profile directories, which hold saved credentials, cookies, history and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      SetThreadContext is used to redirect execution in another (typically suspended) process, a common step in process injection and hollowing.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                      ID      Count
  Credential Access   Credentials in Files           T1081   2
  Discovery           Query Registry                 T1012   2
  Discovery           System Information Discovery   T1082   2
  Collection          Data from Local System         T1005   2
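The hashes and C2 address above are the actionable indicators from this report. The following is an added example (not part of the sandbox report or of any tool it uses) that takes those indicators and matches them against host and network telemetry, so a responder can see the whole chain (archive download, dropped executable, C2 connection) per host. The telemetry records and their field names are constructed for illustration and are not a real EDR export format; the hash values and IP are the ones listed on this page.

```python
"""Match the indicators from this Oski report against host and network telemetry.

Added example, not from the sandbox report. IOC values come from the report;
the event records and their schema below are constructed (assumed, not a real
EDR format).
"""
import hashlib
from collections import defaultdict

# Indicators as listed in the report above.
OSKI_IOCS = {
    "sha256": {
        # Request Quotation for New inq no .2018-780.ace (the archive)
        "4531046b672dc2cbb9dce96e1afdc886799ef9d326f6f2f027e936fdf47bc2f2",
        # Request Quotation for New inq no .2018-780.exe (the dropped executable)
        "d5e15aa82a4f0b9cbf333078abb260229c43f1b04037d7bab9ef1364da48262f",
    },
    "md5": {
        "565bcd5842892dfaf31d63b503dd9c84",
        "385cf85664e48a1456642948b86ddaee",
    },
    "sha1": {
        "d603c7333849be2af12bf6b2e5038f8ce4f50c56",
        "fccccd86f97846e7ba4b58159bf4015e2b21a86e",
    },
    "c2": {"31.210.20.228"},
}

# Constructed telemetry: one dict per event (schema is an assumption).
SAMPLE_EVENTS = [
    {"host": "ws-017", "type": "file",
     "path": r"C:\Users\a\Downloads\Request Quotation for New inq no .2018-780.ace",
     "sha256": "4531046b672dc2cbb9dce96e1afdc886799ef9d326f6f2f027e936fdf47bc2f2"},
    {"host": "ws-017", "type": "process",
     "image": r"C:\Users\a\AppData\Local\Temp\Request Quotation for New inq no .2018-780.exe",
     "md5": "385CF85664E48A1456642948B86DDAEE"},  # upper case, as some tools export
    {"host": "ws-017", "type": "network", "dst_ip": "31.210.20.228", "dst_port": 80},
    {"host": "ws-022", "type": "network", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"host": "ws-022", "type": "file", "path": r"C:\Windows\System32\notepad.exe",
     "sha256": "ab" * 32},
]


def hashes_of(data: bytes) -> dict:
    """Compute the same digests the report lists, for checking a suspect file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def is_known_sample(data: bytes, iocs=OSKI_IOCS) -> bool:
    """True if the file's SHA-256 is one of the report's samples."""
    return hashes_of(data)["sha256"] in iocs["sha256"]


def match_event(event: dict, iocs=OSKI_IOCS) -> list:
    """Return [(indicator_type, indicator)] for every IOC this event matches.

    Hashes are normalised to lower case so exports that upper-case them
    still match.
    """
    hits = []
    for algo in ("sha256", "sha1", "md5"):
        if algo in event:
            value = event[algo].strip().lower()
            if value in iocs[algo]:
                hits.append((algo, value))
    if event.get("dst_ip") in iocs["c2"]:
        hits.append(("c2", event["dst_ip"]))
    return hits


def triage(events: list, iocs=OSKI_IOCS) -> dict:
    """Group IOC hits per host: {host: [(event_type, indicator_type, value), ...]}.

    Hosts with no hits are omitted so the result is a ready-made list of
    machines to isolate and examine.
    """
    per_host = defaultdict(list)
    for ev in events:
        for kind, value in match_event(ev, iocs):
            per_host[ev["host"]].append((ev["type"], kind, value))
    return dict(per_host)


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for event_type, kind, value in hits:
            print(f"  {event_type:8} {kind:7} {value}")
```

Run against the constructed events, only ws-017 is reported, with the archive hash, the dropped executable's MD5 and the connection to the C2 address, which is exactly the sequence the report describes; ws-022 produces no hits. For a real investigation, replace SAMPLE_EVENTS with your EDR or proxy export and keep the hash normalisation, since case differences between tools are a common cause of missed matches.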
