Overview

overview

10

Static

static

8

8013b5ae4a...66.pps

windows7_x64

10

8013b5ae4a...66.pps

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5894169612681216.zip

  • Size

    14KB

  • Sample

    210721-j2pnb98dna

  • MD5

    ea87affd5223e3bfbb886cfb9494d440

  • SHA1

    9b764a1c8ca5e0d09d95bb0782bf019d7e2e4341

  • SHA256

    1142a364ea5e976ec6a4ed0d4a2467f0cb4df6facfc9de46c05427908a14873d

  • SHA512

    c42d68227b21d4dc24432d0331b144064440bc717345f7a8f1d4e22e3ec7640e8ec438e238c771a7170d4053c1d7d4200ca13fcbcae128f8cab4e1454287bf5c

Score
10/10
oskiinfostealermacrospyware

Malware Config

Extracted

Family

oski

C2

103.153.76.164/we/ahsa/

Targets

    • Target

      8013b5ae4a210f76c8064e4e9c440fc4741364e9e3e3ef3794733762e1362866

    • Size

      81KB

    • MD5

      c4d5a9e052e1e81e33658247863a2a0e

    • SHA1

      539f1241fe23603b64b5417317b7b69876537a24

    • SHA256

      8013b5ae4a210f76c8064e4e9c440fc4741364e9e3e3ef3794733762e1362866

    • SHA512

      cf9ed0c1c28d17be440d754ae191a72a0d9579948ec32d93ad7f905ff1faec032ea46b3d148267e5fb5fb4d2265cf6b1c3200d3ba436059adb971601505a0344

    Score
    10/10
    oskiinfostealerspyware

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

      infostealeroski

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks