General

  • Target

    8e771b25550073599c67601bad91b7b4.exe

  • Size

    1017KB

  • Sample

    210730-vfx8tmb48a

  • MD5

    8e771b25550073599c67601bad91b7b4

  • SHA1

    0190b8be28d87e6b59a7b1b1d0d0cb78a199b9d6

  • SHA256

    c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7

  • SHA512

    33d0c0f09154168ccce1c2090c12a894a853af3195c01dd3ab9cafb575b2792bdcc4a836108c2341f6b09ab349dd5630efffd94ef4b68a08520e2d46f60e423b

Malware Config

  • Extracted

    Family: oski

    C2: fine.le-pearl.com

Targets

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks