General
Target: re-vised order.ppt
Size: 82KB
Sample: 210728-m1gj97kyba
MD5: 3a6bf8741146517256d801797e2fe53d
SHA1: e93c991aeb35d33060797bfa68f679d42eedb4df
SHA256: 0a3243ca06d020dee0438281fabb0310f6e39fe787f9b99ea648bdb9332c7a67
SHA512: a94f62875f1154965383cb495eb13f509e2330ce5a76ee23296a260330298c19baec41b1bba681fbeeef8a74753b104309ad3e0db6426ae527316b015fad2f6d

Static task: static1

Behavioral task: behavioral1
Sample: re-vised order.ppt
Resource: win7v20210408

Behavioral task: behavioral2
Sample: re-vised order.ppt
Resource: win10v20210410

Malware Config
Extracted: oski
103.99.1.60/we/sb/
Score: 10/10

- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Process spawned suspicious child process. This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
- Suspicious use of SetThreadContext