oski | 72eaa8de39509cc335820bb9220ecf6f08b77f72613c2baac86328fee8d49e05 | Triage

Submit
Reports

Overview

overview

Static

static

RFQ for _R...ls.doc

windows7_x64

RFQ for _R...ls.doc

windows10_x64

1

Sharing

General

Target

RFQ for _RTO system packages product details.doc
Size

436KB
Sample

211026-pq8kcahhgq
MD5

aa8389c34cb620485eb8dd8a85c0f8ab
SHA1

203af430cd573268320c7c696a7731c60f1c6820
SHA256

72eaa8de39509cc335820bb9220ecf6f08b77f72613c2baac86328fee8d49e05
SHA512

2cc198f98767096d5277f5322b73f06b547f417d1512bbfbaf22dfd7f0f5dfbc846a27ce5b5886ed65a9fdda60f4801ff0d7451c6e8e0e0e777c5e276804bde9

Score

10^/10

oski discovery infostealer spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

RFQ for _RTO system packages product details.doc

Resource

win7-en-20210920

oski discovery infostealer spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

RFQ for _RTO system packages product details.doc

Resource

win10-en-20211014

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

oski

C2

stanelectronics.xyz

Targets

- Target
  
  RFQ for _RTO system packages product details.doc
- Size
  
  436KB
- MD5
  
  aa8389c34cb620485eb8dd8a85c0f8ab
- SHA1
  
  203af430cd573268320c7c696a7731c60f1c6820
- SHA256
  
  72eaa8de39509cc335820bb9220ecf6f08b77f72613c2baac86328fee8d49e05
- SHA512
  
  2cc198f98767096d5277f5322b73f06b547f417d1512bbfbaf22dfd7f0f5dfbc846a27ce5b5886ed65a9fdda60f4801ff0d7451c6e8e0e0e777c5e276804bde9
Score

10^/10

oski discovery infostealer spyware stealer suricata
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

oskidiscoveryinfostealerspywarestealersuricata

behavioral2

© 2018-2024

Terms | Privacy