General

  • Target

    IMG_578_60_28_61XLS.ex

  • Size

    560KB

  • Sample

    211116-xbgr3sfab5

  • MD5

    5ea03c09bf25d3d79ca5a936a18c0ae9

  • SHA1

    13806150e3063f266b2fa752a517a4dff3bea533

  • SHA256

    18cfa8c68fe25199694faf0d2e9fe0fe86e872b1c20620098a68309ade161000

  • SHA512

    2c15022a942ba5dc97425c614972fda775645bf01c9b9a063b0aae5f3dda5da16304016c9e4598aff70af887ecadd1946f34b18d43d82fa08ab31c8ab9ae2ab3

Malware Config

Extracted

Family

oski

C2

novget.com
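The C2 domain and the file hashes above are the indicators a responder would sweep for first. The script below is an added example, not part of the sandbox report: only the domain and the MD5/SHA1/SHA256 values come from this page, while the DNS log, the Sysmon-style process records, the image paths and the benign hash are constructed for illustration. It also shows why exact or subdomain matching is used rather than a substring test, which would also flag look-alike names.

```python
"""Sweep constructed DNS and Sysmon-style log lines for the IOCs listed above.

Added example: the C2 domain and hashes are the report's; the log lines,
image paths and the benign hash are constructed for illustration.
"""
import hashlib
import re

C2_DOMAIN = "novget.com"  # from "Malware Config" above

# MD5, SHA1 and SHA256 of the sample, from the "General" section above.
SAMPLE_HASHES = {
    "5ea03c09bf25d3d79ca5a936a18c0ae9",
    "13806150e3063f266b2fa752a517a4dff3bea533",
    "18cfa8c68fe25199694faf0d2e9fe0fe86e872b1c20620098a68309ade161000",
}

# Constructed resolver log: two true hits, two look-alikes that must not match.
DNS_LOG = """\
2021-11-16T10:02:11Z client=10.0.0.14 query=update.microsoft.com type=A
2021-11-16T10:02:15Z client=10.0.0.14 query=NOVGET.COM type=A
2021-11-16T10:02:16Z client=10.0.0.14 query=cdn.novget.com. type=A
2021-11-16T10:02:20Z client=10.0.0.22 query=notnovget.com type=A
2021-11-16T10:02:21Z client=10.0.0.22 query=novget.com.example.net type=A
"""

# Constructed Sysmon-style process-creation records (image path and hash field).
SYSMON_LOG = """\
Image: C:\\Users\\alice\\Downloads\\invoice.exe Hashes: MD5=5EA03C09BF25D3D79CA5A936A18C0AE9,SHA256=18CFA8C68FE25199694FAF0D2E9FE0FE86E872B1C20620098A68309ADE161000
Image: C:\\Windows\\System32\\notepad.exe Hashes: MD5=0f1e2d3c4b5a69788796a5b4c3d2e1f0
"""

# Longest alternative first, otherwise a SHA256 would be split into two "MD5"-sized chunks.
HEX_DIGEST = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def domain_matches(queried: str, ioc: str) -> bool:
    """True if `queried` is the IOC domain itself or a subdomain of it.

    Case-insensitive; a trailing dot (FQDN form) is tolerated. A plain substring
    test would also flag notnovget.com and novget.com.example.net.
    """
    q = queried.lower().rstrip(".")
    i = ioc.lower().rstrip(".")
    return q == i or q.endswith("." + i)


def find_c2_queries(log_text: str) -> list:
    """Return the queried names in the DNS log that belong to the C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if m and domain_matches(m.group(1), C2_DOMAIN):
            hits.append(m.group(1))
    return hits


def find_hash_hits(log_text: str) -> list:
    """Return (image, digest) pairs whose digest matches one of the sample hashes."""
    hits = []
    for line in log_text.splitlines():
        image = re.search(r"Image: (\S+)", line)
        for digest in HEX_DIGEST.findall(line):
            if digest.lower() in SAMPLE_HASHES:
                hits.append((image.group(1) if image else "?", digest.lower()))
    return hits


def digests(data: bytes) -> dict:
    """Compute the four digests the report lists, so a local file can be checked the same way."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


if __name__ == "__main__":
    print("C2 lookups:", find_c2_queries(DNS_LOG))
    print("Hash hits:", find_hash_hits(SYSMON_LOG))
```

Run against real data, `digests()` is applied to a file's bytes and compared with the hash set, and the two `find_*` helpers are pointed at exported resolver and Sysmon logs; the parsing regexes assume the `query=` and `Image: ... Hashes:` field layout shown in the constructed lines and will need adjusting for other log formats.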

Targets

    • Target

      IMG_578_60_28_61XLS.ex

    • Modifies WinLogon for persistence

      Entries added to the Winlogon Userinit or Shell registry values are executed at every interactive logon. The report does not name the value this sample changed.

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Reads user/profile data of web browsers

      Infostealers routinely read stored browser profile data, which can include saved credentials, cookies and session tokens.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect a suspended thread to injected code (process hollowing); the signature records the API use, not a confirmed injection target.
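A host-side check for the "Modifies WinLogon for persistence" signature, as an added example that is not the sandbox's own detection logic: it parses a `reg export` of the Winlogon key and flags every comma-separated entry in the Userinit and Shell values that is not the documented default. The export text is constructed, the report does not say which value this sample changed, and the defaults assume a system root of C:\Windows.

```python
"""Flag non-default Userinit/Shell entries in a Winlogon registry export.

Added example, not the sandbox's own check. It reads a .reg file such as
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
(reg.exe writes it as UTF-16 LE with a BOM). The export text below is
constructed; the report does not say which Winlogon value this sample changed.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Documented defaults, assuming the system root is C:\Windows. Every extra
# comma-separated entry in these values is executed at interactive logon.
EXPECTED = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

# Constructed export with one appended Userinit entry (backslashes are doubled in .reg syntax).
SUSPECT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\Libraries\\update.exe"
"AutoRestartShell"=dword:00000001
'''

# Constructed export of an untouched key (note the default trailing comma on Userinit).
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

# "name"="data" lines only; dword:/hex: values are not needed for this check.
REG_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = REG_SZ_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def check_winlogon(reg_text: str) -> list:
    """Return (value_name, entry) pairs for entries that are not the documented default."""
    values = parse_reg_export(reg_text).get(WINLOGON_KEY, {})
    by_name = {name.lower(): data for name, data in values.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        data = by_name.get(name)
        if data is None:
            continue  # value absent: Windows uses its built-in default
        for entry in data.split(","):
            entry = entry.strip().strip('"').lower()
            if entry and entry not in allowed:
                findings.append((name, entry))
    return findings


def load_reg_file(path: str) -> str:
    """Read a reg.exe export, which is UTF-16 LE with a BOM by default."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16" if raw.startswith(b"\xff\xfe") else "utf-8")


if __name__ == "__main__":
    for name, entry in check_winlogon(SUSPECT_REG):
        print(f"non-default {name} entry: {entry}")
```

The check only covers the Userinit and Shell values of the machine-wide key; per-user Winlogon keys under HKEY_CURRENT_USER and other Winlogon values are outside its scope, and an installation with a different system root needs the `EXPECTED` set adjusted.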

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                 Count   ID
  Persistence        Winlogon Helper DLL       1       T1004
  Defense Evasion    Modify Registry           1       T1112
  Credential Access  Credentials in Files      1       T1081
  Collection         Data from Local System    1       T1005

The IDs are ATT&CK v6 identifiers; in the current matrix Winlogon Helper DLL is sub-technique T1547.004 and Credentials in Files is T1552.001.