oski | 2976262aeed56001f874b183072c03360a1dbcdde67bfdcc982078d3bc246857

General

Target

IMG_0501_765_013.exe
Size

222KB
MD5

716e89179126809cc5a4b476a03dda11
SHA1

29bfe1170a118c56776938fb44289884da261294
SHA256

2976262aeed56001f874b183072c03360a1dbcdde67bfdcc982078d3bc246857
SHA512

fbecf0cdd2bb9df647034bc16d0c6b9749406c30a10e4fa19305b592f066670af80137923c56ef2f9c12b3cc44a2eb99e1b1f9913ebc37abb775b6fd15e27e22

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

31.210.21.154

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG_0501_765_013.exe

description pid process target process

PID 1992 set thread context of 748 1992 IMG_0501_765_013.exe IMG_0501_765_013.exe

description	pid	process	target process
PID 1992 set thread context of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

IMG_0501_765_013.exe

pid	process
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe
1992	IMG_0501_765_013.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

IMG_0501_765_013.exe

description pid process

Token: SeDebugPrivilege 1992 IMG_0501_765_013.exe

description	pid	process
Token: SeDebugPrivilege	1992	IMG_0501_765_013.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

IMG_0501_765_013.exe

description	pid	process	target process
PID 1992 wrote to memory of 1616	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1616	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1616	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1616	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1612	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1612	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1612	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1612	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1648	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1648	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1648	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 1648	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 652	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 652	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 652	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 652	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe
PID 1992 wrote to memory of 748	1992	IMG_0501_765_013.exe	IMG_0501_765_013.exe

C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
2⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
2⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
2⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
2⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
2⤵
PID:748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/748-66-0x000000000040717B-mapping.dmp

Download
memory/748-67-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/748-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1992-60-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1992-62-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download
memory/1992-63-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1992-64-0x00000000005E0000-0x00000000005FF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing