General
-
Target
RFQ for _RTO system packages product details.doc
-
Size
436KB
-
Sample
211026-pq8kcahhgq
-
MD5
aa8389c34cb620485eb8dd8a85c0f8ab
-
SHA1
203af430cd573268320c7c696a7731c60f1c6820
-
SHA256
72eaa8de39509cc335820bb9220ecf6f08b77f72613c2baac86328fee8d49e05
-
SHA512
2cc198f98767096d5277f5322b73f06b547f417d1512bbfbaf22dfd7f0f5dfbc846a27ce5b5886ed65a9fdda60f4801ff0d7451c6e8e0e0e777c5e276804bde9
Static task
static1
Behavioral task
behavioral1
Sample
RFQ for _RTO system packages product details.doc
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
RFQ for _RTO system packages product details.doc
Resource
win10-en-20211014
Malware Config
Extracted
oski
stanelectronics.xyz
Targets
-
-
Target
RFQ for _RTO system packages product details.doc
-
Size
436KB
-
MD5
aa8389c34cb620485eb8dd8a85c0f8ab
-
SHA1
203af430cd573268320c7c696a7731c60f1c6820
-
SHA256
72eaa8de39509cc335820bb9220ecf6f08b77f72613c2baac86328fee8d49e05
-
SHA512
2cc198f98767096d5277f5322b73f06b547f417d1512bbfbaf22dfd7f0f5dfbc846a27ce5b5886ed65a9fdda60f4801ff0d7451c6e8e0e0e777c5e276804bde9
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-