General

  • Target

    Rfq Proforma Invoice 865678.ppam

  • Size

    21KB

  • Sample

    210810-4gr7jesxxa

  • MD5

    2377c2fb68272650616d78bd7a3ed3f9

  • SHA1

    20eaa630d4eb06ae9385b5d46ab0d54180dc43e4

  • SHA256

    258a576bd9abba2c1366f3124d808529a0232f61619f455d2277546172dec5d2

  • SHA512

    eafa5c07af843aeab33462dbe4171113eb6b6eec78e30997fc15409a180171b91292d02f74f5dd8c707cae58c6a9e9d2df4d4795621ee3e108686fc94f90b1e7

Malware Config

Extracted

Family

oski

C2

tunqyuindia.com/mar3/

Targets

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks