General

  • Target: 4.ppam.zip
  • Size: 38KB
  • Sample: 220324-m8n8bacgfj
  • MD5: fb9645bf9fd5e69816713ede73072328
  • SHA1: 78c4c9b664572e4cb1f76f353ebf949c792226d2
  • SHA256: 68184c299903904b8f9cf8df7856c9f20936749d14586aac71ebb5aa8ac43de5
  • SHA512: 395a5e0853198058ff56cca5bf6f393cca1a0afaf58331d52503866f4d99b6a486dfc648f593252a512e767cf16afbd32a79069c2167cbbcf02c195088655ab0

Malware Config

Extracted

  • Family: oski
  • C2: 72.11.143.125/k/4k/

Targets

    • Target: 4.ppam
    • Size: 44KB
    • MD5: b8bc3f064e7f371dc92600c9f0830f11
    • SHA1: 1c399b13f2e0b195442246dce999702895d2139a
    • SHA256: 6929d3f0dd7ea4faa504412afbcd802797a4dd40ad71fa658cfc72040e75cd83
    • SHA512: 19d1785dcea779192f78518ed0ae8d128758a2ea1209b0c37648152d882a8688f251744f15cc0c8492154f195ce756a4b9fab610776b8d02dcfd6b4e6e406f82

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks