General

  • Target

    5c40517b3b632caf07cb45afa5aa1140

  • Size

    1.0MB

  • Sample

    211207-p74byscbg9

  • MD5

    5c40517b3b632caf07cb45afa5aa1140

  • SHA1

    767c28385881fdc01b43b730aa50168f23d934f9

  • SHA256

    2e6bebcaaa746b7ab28bf74c49dc0b92b88f564f5b05d6cc414ea1d4aa5f10d4

  • SHA512

    049ad3a0c2b806a6ce30e64bf4fb8d0f77adf208b7eca9c80579e9d25faa464981eb2c6631ca93955962c36a3c6f40cb1f20d3ed542f994d02ce85d3d3af4713

Malware Config

Extracted

Family

oski

C2

oilproduce.xyz

Targets

    • Target

      5c40517b3b632caf07cb45afa5aa1140

    • Size

      1.0MB

    • MD5

      5c40517b3b632caf07cb45afa5aa1140

    • SHA1

      767c28385881fdc01b43b730aa50168f23d934f9

    • SHA256

      2e6bebcaaa746b7ab28bf74c49dc0b92b88f564f5b05d6cc414ea1d4aa5f10d4

    • SHA512

      049ad3a0c2b806a6ce30e64bf4fb8d0f77adf208b7eca9c80579e9d25faa464981eb2c6631ca93955962c36a3c6f40cb1f20d3ed542f994d02ce85d3d3af4713

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks