General

  • Target

    PO5621.scr.exe

  • Size

    307KB

  • Sample

    210506-rjzmm2qc3s

  • MD5

    769971b221bd083f1f14c70b6a04a1fc

  • SHA1

    2302767a678cd7f7c68081028fdc69dc9eea9fd3

  • SHA256

    a68ec0c26f99b4f59d0abbd7cc98de6d9136ffe0d822d8056476d356121e5011

  • SHA512

    b1f472f4990b2b3958118c4839cb6f2dfe21be84786c89ffe18efbb456f821de7b2943033d85b9df17d8ad0d4fe1c42dafc96df868fda99e2f2731b24b1572b3

Malware Config

  • Extracted

    Family: oski

    C2: 203.159.80.65

Targets


    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 2
