General

  • Target

    IMG602741105.exe

  • Size

    225KB

  • Sample

    210503-gwyvbn5wva

  • MD5

    0e444899ae75dd87e33621fd953ed450

  • SHA1

    3c1ec410dcdb4992e58c20a215354fb3714b2b28

  • SHA256

    5e90997364ac5c40a3c374faa4a11c74e9d040e42c10a2dcab169818e1d717b5

  • SHA512

    01e0af5122b9aa2fc58ad552ab91eb1b6dc6fc7ece3338faa2e4fc41835742bc8387ab93f6f8d810cc73405e11cfeea59b6aa323fcdcb80b979a4911673905eb

Malware Config

Extracted

  • Family

    oski

  • C2

    198.98.49.140

Targets

    • Target

      IMG602741105.exe

    • Size

      225KB

    • MD5

      0e444899ae75dd87e33621fd953ed450

    • SHA1

      3c1ec410dcdb4992e58c20a215354fb3714b2b28

    • SHA256

      5e90997364ac5c40a3c374faa4a11c74e9d040e42c10a2dcab169818e1d717b5

    • SHA512

      01e0af5122b9aa2fc58ad552ab91eb1b6dc6fc7ece3338faa2e4fc41835742bc8387ab93f6f8d810cc73405e11cfeea59b6aa323fcdcb80b979a4911673905eb

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

  • Credentials in Files (T1081): 2 signature matches

Discovery

  • Query Registry (T1012): 2 signature matches

  • System Information Discovery (T1082): 2 signature matches

Collection

  • Data from Local System (T1005): 2 signature matches

Tasks