General
-
Target
RFQ-096857654.rar
-
Size
266KB
-
Sample
210728-kddwz6p1ce
-
MD5
ed7ed1bcea73972b69c6d77604e30cb4
-
SHA1
8c7cdabc378ba440a4d2083e783d9dbf4cb120ff
-
SHA256
df2fe0ba314c03f4a02572a43910d3730f1967fd16ca83973203352a082e0be5
-
SHA512
fe7768ec3224502fc4454e2b8eaef6eb4f441b5f2dccaebdefe868a197bcfbefbe1f4d598579df8032dd6a717d3ccca96a21936080b12a43a65106c2a7ace72f
Static task
static1
Behavioral task
behavioral1
Sample
RFQ-096857654.exe
Resource
win7v20210410
Malware Config
Extracted
oski
evakark.xyz
Targets
-
-
Target
RFQ-096857654.exe
-
Size
313KB
-
MD5
5ad9f6be601fb9f23677c239c91deae2
-
SHA1
a0162b62231692e94ca41aac27cec6063179a9da
-
SHA256
90a9ef1c549a9f2646f6c603e27570832f371d25d2fc4b967c96f55fa034e557
-
SHA512
60d3f39a18811ac40c3b5d14e34eaac8334627545c703006f25e297b5f2fe3669715ea7e92a44f05991a0567a14a79c6f8a239651f85738ec30f61ae790a8737
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Downloads MZ/PE file
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-