oski

General

Target

RFQ-096857654.rar
Size

266KB
Sample

210728-kddwz6p1ce
MD5

ed7ed1bcea73972b69c6d77604e30cb4
SHA1

8c7cdabc378ba440a4d2083e783d9dbf4cb120ff
SHA256

df2fe0ba314c03f4a02572a43910d3730f1967fd16ca83973203352a082e0be5
SHA512

fe7768ec3224502fc4454e2b8eaef6eb4f441b5f2dccaebdefe868a197bcfbefbe1f4d598579df8032dd6a717d3ccca96a21936080b12a43a65106c2a7ace72f

Score

10^/10

Malware Config

Extracted

Family

oski

C2

evakark.xyz

Targets

- Target
  
  RFQ-096857654.exe
- Size
  
  313KB
- MD5
  
  5ad9f6be601fb9f23677c239c91deae2
- SHA1
  
  a0162b62231692e94ca41aac27cec6063179a9da
- SHA256
  
  90a9ef1c549a9f2646f6c603e27570832f371d25d2fc4b967c96f55fa034e557
- SHA512
  
  60d3f39a18811ac40c3b5d14e34eaac8334627545c703006f25e297b5f2fe3669715ea7e92a44f05991a0567a14a79c6f8a239651f85738ec30f61ae790a8737
Score

10^/10

oski discovery infostealer spyware stealer suricata
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2