General

  • Target

    Order Confirmation _10001256.xlsx

  • Size

    185KB

  • Sample

    220315-rhadpaagdj

  • MD5

    fde0bfb6b29ad5ab011a731f8804b1b6

  • SHA1

    9a3a446e0c06efd7bcdbfe7816ad9dfc65718f59

  • SHA256

    52453139504bb0f05f9f8bb46d1ac9f1ba94d94311d2065b003fc5ea6dabead7

  • SHA512

    de2069c14fa128502665304ae465f22ed1110ae15288a8aaed56a08d150a46a651f8cf8ee468076de2930fc79f83eb12ce5828f7b4b6f1e491df6835d47d08ab

Malware Config

Extracted

  • Family

    oski

  • C2

    http://64.188.21.227/x/

Targets


    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks