General

  • Target: 406171ecbe8c3d96852acef91ec2e6db
  • Size: 571KB
  • Sample: 210728-tvqh94wgcn
  • MD5: 406171ecbe8c3d96852acef91ec2e6db
  • SHA1: 5fb7a4fc46659b510fbcbb51d9e08bdf08490b62
  • SHA256: 8e07cf5e12ed70918b410fdb95fdf6905c191df169df5fdf994daac99c8bd359
  • SHA512: d0c472148ded74e627d33f1f1124b9275ba8ab9d2cb1443a88ebfecce57755b7e88d39e77819bbba75dad6cf905ba85e5372ca9341790f56e121263ababf10a3

Malware Config

Extracted

  • Family: oski
  • C2: fair.le-pearl.com

Targets

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks