General

  • Target

    452E6C334E555629C538C4AA6B2ADC26.exe

  • Size

    792KB

  • Sample

    210809-c6wr6k1nds

  • MD5

    452e6c334e555629c538c4aa6b2adc26

  • SHA1

    f24a31707b2b0037adcc712b0d83541074f909d2

  • SHA256

    44aa270e4c081241057bad8c1d0ea5864087325f8e3209aa10747f108123f718

  • SHA512

    1412c3682f9c0e239743450d7ce86b37e726101f5f1786fe215dfd18c61911f31f13533549c3af2033ce6dbf47dc638466283dca62fd8df062ea2a65e3fd811a

Malware Config

Extracted

Family

oski

C2

185.212.131.198/ww/

Targets

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks