General

  • Target

    e480e28c74a635845673fd030eb47734.exe

  • Size

    268KB

  • Sample

    210730-ep3sbfh586

  • MD5

    e480e28c74a635845673fd030eb47734

  • SHA1

    913f51d9deee32c6953a3ce9fbe04dd85f4c78f1

  • SHA256

    d83a8f3a3475132ef153741a21858652a2f03a4e62d56f6864c8800fb0a0da45

  • SHA512

    620d5be5d4874d5f89b2d301e9900fb25c11cf1630c5fd901e8d34e71ea3c467931e3b284bb16309e26a81a79ba1abd945c20ea908917e378fdac356c54e1571

Malware Config

Extracted

  • Family

    oski

  • C2

    nedu1994.xyz

Targets

    • Target

      e480e28c74a635845673fd030eb47734.exe

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved logins, cookies and autofill records.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is a common way to hand execution to injected code, as in process hollowing.
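To show what the two Suricata alerts above are keying on, the following is an added example written for this page; it is not code from the Triage report or from the Emerging Threats ruleset, and it does not reproduce the exact byte patterns of the ET rules. It is a small Python sensor that scans an outbound HTTP POST body for ZIP local file headers and flags member names typical of stealer exfil. The member-name list, the constructed multipart request, the /upload path and the example.com host are assumptions; the C2 hostname used in the sample traffic is the one the report extracted.

```python
"""Flag outbound HTTP POST bodies that carry a ZIP archive whose member names
look like browser/wallet stealer exfil (e.g. Passwords.txt).

Added example for this page. It is not the Triage report's code and not an
Emerging Threats rule; the ET rules' real content matches are not reproduced.
All traffic below is constructed inline, not captured from the sample.
"""
from __future__ import annotations

import io
import re
import struct
import zipfile

# Member names typical of stealer exfil archives. This list is an illustrative
# assumption, not the content match of the ET signatures.
SUSPICIOUS_NAMES = {"passwords.txt", "information.txt", "cookies.txt", "screenshot.jpg"}

LOCAL_FILE_HEADER = b"PK\x03\x04"  # ZIP local file header signature


def zip_member_names(blob: bytes) -> list[str]:
    """Return the member names found by walking ZIP local file headers in blob.

    Only local headers are used, never the central directory, so this also
    works on a truncated or still-streaming body, which is what a network
    sensor usually has in hand.
    """
    names = []
    pos = blob.find(LOCAL_FILE_HEADER)
    while pos != -1 and pos + 30 <= len(blob):
        # Fixed 30-byte header: name length at offset 26, extra-field length at 28.
        name_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
        name_start = pos + 30
        names.append(blob[name_start:name_start + name_len].decode("utf-8", "replace"))
        # Skip past name and extra field, then search for the next signature.
        # (A false hit inside compressed data is possible but rare.)
        pos = blob.find(LOCAL_FILE_HEADER, name_start + name_len + extra_len)
    return names


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, headers, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0], headers, body


def flag_stealer_exfil(raw: bytes) -> dict:
    """Verdict for one outbound request: alert when a POST body carries a ZIP
    whose member names (path stripped, case-folded) are in SUSPICIOUS_NAMES."""
    parsed = parse_http_request(raw)
    if parsed is None or parsed[0] != "POST":
        return {"alert": False, "host": None, "members": [], "hits": []}
    _, headers, body = parsed
    members = zip_member_names(body)
    hits = [m for m in members if re.split(r"[\\/]", m)[-1].lower() in SUSPICIOUS_NAMES]
    return {"alert": bool(hits), "host": headers.get("host"), "members": members, "hits": hits}


# --- constructed sample traffic (assumption: not captured from the sample) ---

def build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_post(host: str, archive: bytes) -> bytes:
    """multipart/form-data upload of archive; the /upload path is an assumption."""
    boundary = b"----example-boundary"
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="data.zip"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + archive + b"\r\n"
            b"--" + boundary + b"--\r\n")
    head = (b"POST /upload HTTP/1.1\r\nHost: " + host.encode() + b"\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


# Exfil to the C2 hostname the report extracted, with stealer-style member names.
EXFIL_POST = build_post("nedu1994.xyz", build_zip({
    "Passwords.txt": b"site|user|pass\n" * 8,
    "information.txt": b"OS: Windows 10\n",
    "Browsers/Cookies.txt": b"cookie data\n" * 8,
}))

# Ordinary upload of an archive containing nothing of interest.
BENIGN_POST = build_post("example.com", build_zip({"report.pdf": b"%PDF-1.4\n" * 8}))

if __name__ == "__main__":
    for label, req in (("exfil", EXFIL_POST), ("benign", BENIGN_POST)):
        print(label, flag_stealer_exfil(req))
```

The check deliberately walks local file headers rather than opening the archive with zipfile, so it still yields the first member name when only the head of the upload has been seen; that is the property a network signature relies on, since the central directory sits at the very end of the ZIP.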

MITRE ATT&CK Enterprise v6
