General

  • Target

    ddde6fc0ce346b0ab7bb0c8c02a09d33

  • Size

    1.2MB

  • Sample

    210728-gay7k3vz56

  • MD5

    ddde6fc0ce346b0ab7bb0c8c02a09d33

  • SHA1

    1067652f21fd05902288613746b5e2ea79bd07f9

  • SHA256

    a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c

  • SHA512

    66a92b7f14371069d78876add097fb8f847755eff95edd846939566f0ce219b686f265c8a57dbe6e19e5f12145bfbfcccff09371413a758005d1aee7d8490c49

Malware Config

Extracted

Family

oski

C2

fine.le-pearl.com

Targets

    • Target

      ddde6fc0ce346b0ab7bb0c8c02a09d33

    • Size

      1.2MB

    • MD5

      ddde6fc0ce346b0ab7bb0c8c02a09d33

    • SHA1

      1067652f21fd05902288613746b5e2ea79bd07f9

    • SHA256

      a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c

    • SHA512

      66a92b7f14371069d78876add097fb8f847755eff95edd846939566f0ce219b686f265c8a57dbe6e19e5f12145bfbfcccff09371413a758005d1aee7d8490c49

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up entries under the registry Uninstall key to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext
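The behaviours above (Uninstall key enumeration, browser profile reads, wallet access, SetThreadContext, the C2 contact and the zipped Passwords.txt upload flagged by the Suricata rules) are the kind of indicators a defender turns into detection logic. The following is an added example, not code from the sandbox or from the Oski family; the event lines and the HTTP body it checks are constructed for illustration, the event format "kind|pid|detail" is an assumption, and the only value taken from this report is the C2 hostname fine.le-pearl.com.

```python
"""Score process telemetry against the stealer behaviours listed in this report,
and detect a zipped Passwords.txt inside an outbound POST body (the pattern the
ET MALWARE Suricata rule describes). Added example; nothing here is sandbox code."""
import io
import re
import struct
import zipfile
from urllib.parse import urlparse

# Constructed telemetry, "kind|pid|detail". Assumed format, not a real log.
SAMPLE_EVENTS = [
    "reg|4120|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip",
    "reg|4120|HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome",
    "file|4120|C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "file|4120|C:\\Users\\victim\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\logins.json",
    "file|4120|C:\\Users\\victim\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco",
    "file|4120|C:\\Users\\victim\\AppData\\Roaming\\Electrum\\wallets\\default_wallet",
    "net|4120|POST http://fine.le-pearl.com/",
    "api|4120|SetThreadContext",
    "file|900|C:\\Users\\victim\\Documents\\notes.txt",  # benign control
]

# The C2 hostname is the one extracted in this report; everything else is generic.
C2_HOSTS = {"fine.le-pearl.com"}
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall\\", re.IGNORECASE)
BROWSER_DATA = re.compile(
    r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db|cookies\.sqlite)$", re.IGNORECASE)
WALLET = re.compile(
    r"\\(Exodus|Electrum|Ethereum|Bitcoin|Jaxx|Atomic|Guarda)\\|wallet\.dat$", re.IGNORECASE)


def classify_event(kind: str, detail: str):
    """Map one event to a behaviour tag from the report, or None."""
    if kind == "reg" and UNINSTALL_KEY.search(detail):
        return "enumerates installed software"
    if kind == "file" and BROWSER_DATA.search(detail):
        return "reads browser profile data"
    if kind == "file" and WALLET.search(detail):
        return "accesses cryptocurrency wallets"
    if kind == "net":
        host = urlparse(detail.split(" ", 1)[1]).hostname
        if host in C2_HOSTS:
            return "contacts known Oski C2"
    if kind == "api" and detail == "SetThreadContext":
        return "uses SetThreadContext"
    return None


def score_processes(events):
    """Return {pid: sorted behaviour tags} for every process that matched anything."""
    findings = {}
    for line in events:
        kind, pid, detail = line.split("|", 2)
        tag = classify_event(kind, detail)
        if tag:
            findings.setdefault(int(pid), set()).add(tag)
    return {pid: sorted(tags) for pid, tags in findings.items()}


def is_stealer_like(tags) -> bool:
    """Heuristic verdict: three or more distinct stealer behaviours in one process."""
    return len(tags) >= 3


def zip_entry_names(body: bytes):
    """Walk ZIP local file headers (PK\\x03\\x04) and return the entry names.
    Name length sits at offset 26 and extra length at 28 of the 30-byte header."""
    names, pos = [], 0
    while True:
        pos = body.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 30 > len(body):
            return names
        name_len, extra_len = struct.unpack_from("<HH", body, pos + 26)
        names.append(body[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos += 30 + name_len + extra_len


def looks_like_stealer_exfil(method: str, body: bytes) -> bool:
    """Outbound POST whose body is a ZIP carrying a Passwords.txt entry."""
    return method.upper() == "POST" and any(
        name.lower().endswith("passwords.txt") for name in zip_entry_names(body))


def build_constructed_exfil_body() -> bytes:
    """Constructed stand-in for a stealer upload; the contents are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Passwords.txt", "https://example.test|user|hunter2\n")
        z.writestr("information.txt", "constructed system info\n")
    return buf.getvalue()


if __name__ == "__main__":
    for pid, tags in score_processes(SAMPLE_EVENTS).items():
        print(pid, "STEALER-LIKE" if is_stealer_like(tags) else "weak", tags)
    print("exfil:", looks_like_stealer_exfil("POST", build_constructed_exfil_body()))
```

The per-process scoring deliberately requires several behaviours before calling a verdict, because any one of them (reading a Chrome profile, querying the Uninstall key) is also normal for inventory agents and browsers; the ZIP check reads local file headers directly rather than unpacking the archive, so it works on a truncated capture and on bodies that are not valid archives end to end.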

MITRE ATT&CK Enterprise v6

Tasks