General

  • Target

    542f3ea693d61187bd10db0376a6b3e7.exe

  • Size

    256KB

  • Sample

    210420-4mpgp71lfs

  • MD5

    542f3ea693d61187bd10db0376a6b3e7

  • SHA1

    92409ffc8c6ea0ae55a76b6b15616f75174dba97

  • SHA256

    614ea8187654128fc27a51455ab3c8fdbb6d398382cd4d825cf795dbbf5d7966

  • SHA512

    cb383f540285ceb9232a4cc807b5287c4145f6c62fbf961385ef97a68034cc07c37337a595c403dbfe073ad0eac39ce765d58914856051a4c413d6ee5dbc4fb1

Malware Config

Extracted

Family

oski

C2

osiq.club

Targets

    • Target

      542f3ea693d61187bd10db0376a6b3e7.exe

    • Size

      256KB

    • MD5

      542f3ea693d61187bd10db0376a6b3e7

    • SHA1

      92409ffc8c6ea0ae55a76b6b15616f75174dba97

    • SHA256

      614ea8187654128fc27a51455ab3c8fdbb6d398382cd4d825cf795dbbf5d7966

    • SHA512

      cb383f540285ceb9232a4cc807b5287c4145f6c62fbf961385ef97a68034cc07c37337a595c403dbfe073ad0eac39ce765d58914856051a4c413d6ee5dbc4fb1

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks