oski | e33c87beec2f985630825a38da83fefa75e3ce178e2a702d4f419cf32f99450e | Triage

Submit
Reports

Overview

overview

Static

static

PO_60360570.doc

windows7_x64

PO_60360570.doc

windows10_x64

1

Sharing

General

Target

PO_60360570.doc
Size

1.1MB
Sample

210420-zv5yk4hsvj
MD5

e4a5e953841f2f5c61b373dd2a4494e9
SHA1

1dec8d12cac28ab21f1f470f179de4046e41bb2e
SHA256

e33c87beec2f985630825a38da83fefa75e3ce178e2a702d4f419cf32f99450e
SHA512

931db856ef234a4c40c8ba9b0c03d6eaf4e5203c3d1cf7e3af1cb7ed12b06a880c86956a7e04814905ae13fc84750031ee57809cad390847b66f37f62131aeb0

Score

10^/10

oski discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

PO_60360570.doc

Resource

win7v20210408

oski discovery infostealer persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO_60360570.doc

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

oski

C2

osiq.club

Targets

- Target
  
  PO_60360570.doc
- Size
  
  1.1MB
- MD5
  
  e4a5e953841f2f5c61b373dd2a4494e9
- SHA1
  
  1dec8d12cac28ab21f1f470f179de4046e41bb2e
- SHA256
  
  e33c87beec2f985630825a38da83fefa75e3ce178e2a702d4f419cf32f99450e
- SHA512
  
  931db856ef234a4c40c8ba9b0c03d6eaf4e5203c3d1cf7e3af1cb7ed12b06a880c86956a7e04814905ae13fc84750031ee57809cad390847b66f37f62131aeb0
Score

10^/10

oski discovery infostealer persistence spyware stealer
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

oskidiscoveryinfostealerpersistencespywarestealer

behavioral2

© 2018-2024

Terms | Privacy