oski | ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61 | Triage

Submit
Reports

Overview

overview

Static

static

payment advice.exe

windows7_x64

payment advice.exe

windows10-2004_x64

Sharing

General

Target

payment advice.exe
Size

273KB
Sample

220513-j8zghadgb2
MD5

f6383fce1ab0d6597440259f9a1e9ddc
SHA1

247a6817bb354c0784f7a112c953646d509bd120
SHA256

ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61
SHA512

be90fef64aa2343a93456e6879465c3a5c1855490fd472b8f5a25e6c1db558798fc6fd727f00bc79d4b2e97bb91c57024e8f5178adb94ab4e72dcad83753e959

Score

10^/10

oski discovery infostealer spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

payment advice.exe

Resource

win7-20220414-en

oski infostealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

payment advice.exe

Resource

win10v2004-20220414-en

oski discovery infostealer spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

oski

C2

spetralnet2.com

Targets

- Target
  
  payment advice.exe
- Size
  
  273KB
- MD5
  
  f6383fce1ab0d6597440259f9a1e9ddc
- SHA1
  
  247a6817bb354c0784f7a112c953646d509bd120
- SHA256
  
  ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61
- SHA512
  
  be90fef64aa2343a93456e6879465c3a5c1855490fd472b8f5a25e6c1db558798fc6fd727f00bc79d4b2e97bb91c57024e8f5178adb94ab4e72dcad83753e959
Score

10^/10

oski infostealer discovery spyware stealer suricata
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

oskiinfostealer

behavioral2

oskidiscoveryinfostealerspywarestealersuricata

© 2018-2025

Terms | Privacy