General

  • Target

    re-vised order.ppt

  • Size

    82KB

  • Sample

    210728-m1gj97kyba

  • MD5

    3a6bf8741146517256d801797e2fe53d

  • SHA1

    e93c991aeb35d33060797bfa68f679d42eedb4df

  • SHA256

    0a3243ca06d020dee0438281fabb0310f6e39fe787f9b99ea648bdb9332c7a67

  • SHA512

    a94f62875f1154965383cb495eb13f509e2330ce5a76ee23296a260330298c19baec41b1bba681fbeeef8a74753b104309ad3e0db6426ae527316b015fad2f6d

Malware Config

Extracted

Family

oski

C2

103.99.1.60/we/sb/

Targets

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Process spawned suspicious child process

      This child process is normally spawned only when, for example, the parent process crashes, which typically indicates an unsuccessful attempt to compromise the parent process.

    • Suspicious use of SetThreadContext
