Malware Analysis Report

2025-01-03 04:57

Sample ID 220408-sjlc1sbafl
Target F072-01953382-ESERMUL.IMG
SHA256 17eec24f99a3eb9493e635ade92d45b788eacb5a658de978531b7c33bf4b196b
Tags
oski infostealer spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 17eec24f99a3eb9493e635ade92d45b788eacb5a658de978531b7c33bf4b196b

Threat Level: Known bad

The file F072-01953382-ESERMUL.IMG was found to be: Known bad.

Malicious Activity Summary

oski infostealer spyware stealer

Oski

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-04-08 15:09

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-04-08 15:09

Reported: 2022-04-08 15:12

Platform: win10v2004-20220331-en

Max time kernel: 146s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F072_019.exe"

Signatures

Oski

infostealer oski

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4564 set thread context of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\F072_019.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\F072_019.exe"

Process: C:\Users\Admin\AppData\Local\Temp\F072_019.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\F072_019.exe"

Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 100 -ip 100

Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 236

Network

Country | Destination | Domain | Proto
RU | 23.196.236.146:80 | - | tcp
NL | 20.50.201.200:443 | - | tcp
FI | 62.115.252.112:80 | - | tcp
FI | 62.115.252.112:80 | - | tcp
FI | 62.115.252.112:80 | - | tcp
US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp

Files

memory/4564-124-0x0000000000850000-0x00000000008D6000-memory.dmp
memory/4564-125-0x00000000058F0000-0x0000000005E94000-memory.dmp
memory/4564-126-0x0000000005270000-0x0000000005302000-memory.dmp
memory/4564-127-0x0000000005480000-0x000000000551C000-memory.dmp
memory/4564-128-0x0000000005320000-0x000000000532A000-memory.dmp
memory/4564-129-0x0000000007980000-0x00000000079E6000-memory.dmp
memory/100-130-0x0000000000000000-mapping.dmp
memory/100-131-0x0000000000400000-0x0000000000438000-memory.dmp
memory/100-132-0x0000000000400000-0x0000000000438000-memory.dmp
memory/100-133-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-08 15:09

Reported: 2022-04-08 15:12

Platform: win7-20220310-en

Max time kernel: 4294185s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F072_019.exe"

Signatures

Oski

infostealer oski

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1040 set thread context of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 1040 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe
PID 272 wrote to memory of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Windows\SysWOW64\WerFault.exe
PID 272 wrote to memory of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Windows\SysWOW64\WerFault.exe
PID 272 wrote to memory of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Windows\SysWOW64\WerFault.exe
PID 272 wrote to memory of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\F072_019.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\F072_019.exe"

Process: C:\Users\Admin\AppData\Local\Temp\F072_019.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\F072_019.exe"

Process: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 272 -s 776

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | friktomb.cf | udp

Files

memory/1040-54-0x0000000001190000-0x0000000001216000-memory.dmp
memory/1040-55-0x0000000000340000-0x000000000034A000-memory.dmp
memory/1040-56-0x00000000052E0000-0x000000000535A000-memory.dmp
memory/1040-57-0x0000000000CE0000-0x0000000000D18000-memory.dmp
memory/272-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-68-0x000000000040717B-mapping.dmp
memory/272-67-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-71-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-72-0x0000000075691000-0x0000000075693000-memory.dmp
memory/1008-73-0x0000000000000000-mapping.dmp