Analysis
-
max time kernel
45s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220331-en -
submitted
04-04-2022 10:52
Static task
static1
Behavioral task
behavioral1
Sample
fatura comercial - Indaco EX20858 - OC00015.e.exe
Resource
win7-20220331-en
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
fatura comercial - Indaco EX20858 - OC00015.e.exe
Resource
win10v2004-20220331-en
0 signatures
0 seconds
General
-
Target
fatura comercial - Indaco EX20858 - OC00015.e.exe
-
Size
842KB
-
MD5
e9e7e3bdd64069d3b36e5362bbdcd155
-
SHA1
8f96d2cd29ee2b7730245737547b7b67867bdd41
-
SHA256
14a2149ffb9dc7a2bfa96e92ee4d7052222d5550431ffebc471b31859b397024
-
SHA512
6449ad0e4adf50532336cf7ed7b7c9fa05d74548dc209097fcda50adf2351586ec77a17b4fac2a053599593552368dc8cf82756d300813b4dcc31814cca29174
Score
10/10
Malware Config
Extracted
Family
oski
C2
zubroxmack.cf
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1164 set thread context of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 -
Program crash 1 IoCs
pid pid_target Process procid_target 1248 1532 WerFault.exe 28 -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1164 wrote to memory of 1532 1164 fatura comercial - Indaco EX20858 - OC00015.e.exe 28 PID 1532 wrote to memory of 1248 1532 fatura comercial - Indaco EX20858 - OC00015.e.exe 29 PID 1532 wrote to memory of 1248 1532 fatura comercial - Indaco EX20858 - OC00015.e.exe 29 PID 1532 wrote to memory of 1248 1532 fatura comercial - Indaco EX20858 - OC00015.e.exe 29 PID 1532 wrote to memory of 1248 1532 fatura comercial - Indaco EX20858 - OC00015.e.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1123⤵
- Program crash
PID:1248
-
-