General

  • Target

    E657706B5B6602634BC2BC4BAECDA9A6.exe

  • Size

    1.2MB

  • Sample

    210730-ybgmnk1k9e

  • MD5

    e657706b5b6602634bc2bc4baecda9a6

  • SHA1

    467cc2e9667b8ccfced6641215e616e1312aa379

  • SHA256

    a1ba25ee2a1c2fadb79dcc380df85c269e8034e7d78dbe8aa4067a8afecced38

  • SHA512

    4918ba8d1842d688a9331dd1c77cd6a1f8cfd53284153f36954854cfa8b443a8db7af1cc21819ae4637f1b8373e01b962666239890e54bb67affeb1ff6265b02

Malware Config

Extracted

Family

oski

C2

centarcrkva.rs

Targets

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6