General

  • Target

    file.ppam

  • Size

    44KB

  • Sample

    220325-mr62ssegc2

  • MD5

    94db4fee6e903bdb75794aa9f9928a1f

  • SHA1

    f62c886160d338a8516562b2c87bcc0cd22397a5

  • SHA256

    e4850ae4c018e7beb4a588c38acd8922168e843e2d984226ad2370ce0d9ca0cc

  • SHA512

    8fe8c9d6ba4a0019c4ded773289c7c3891a78ee6a958b6af8827404579c078d358f4a2012ea95937cbc24b3e5e1fc3e4fe4a62d3160ac755b0c23130384f96ea

Malware Config

Extracted

Family

oski

C2

72.11.143.125/k/12k/

Targets

    • Target

      file.ppam

    • Size

      44KB

    • MD5

      94db4fee6e903bdb75794aa9f9928a1f

    • SHA1

      f62c886160d338a8516562b2c87bcc0cd22397a5

    • SHA256

      e4850ae4c018e7beb4a588c38acd8922168e843e2d984226ad2370ce0d9ca0cc

    • SHA512

      8fe8c9d6ba4a0019c4ded773289c7c3891a78ee6a958b6af8827404579c078d358f4a2012ea95937cbc24b3e5e1fc3e4fe4a62d3160ac755b0c23130384f96ea

    • Oski

      Oski is an infostealer targeting browser data and crypto wallets.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks