oski | ce85954189b88a7ad99ba2c31da1b4e0a645db1c746df1f9f5f85e4cc6fdc5e7 | Triage

Sharing

General

Target

RFQ.DOCUMENT.bit.exe
Size

740KB
Sample

220517-lycabsacc3
MD5

cf0a1c704adde7c2c544ec000173cd32
SHA1

164f8a60115206f790c22c54e9826c89571ba12f
SHA256

ce85954189b88a7ad99ba2c31da1b4e0a645db1c746df1f9f5f85e4cc6fdc5e7
SHA512

d64ef6526c0266e95caf47742d772a68b7dab90bbc95897b70ecc363a48bcfb0e28d056c298b3d31b8b7175892e05801fb6a231e4989010f9d20ea3aac1ce551

Score

10^/10

oski infostealer spyware suricata

Malware Config

Extracted

Family

oski

C2

lettingos.co.vu

Targets

- Target
  
  RFQ.DOCUMENT.bit.exe
- Size
  
  740KB
- MD5
  
  cf0a1c704adde7c2c544ec000173cd32
- SHA1
  
  164f8a60115206f790c22c54e9826c89571ba12f
- SHA256
  
  ce85954189b88a7ad99ba2c31da1b4e0a645db1c746df1f9f5f85e4cc6fdc5e7
- SHA512
  
  d64ef6526c0266e95caf47742d772a68b7dab90bbc95897b70ecc363a48bcfb0e28d056c298b3d31b8b7175892e05801fb6a231e4989010f9d20ea3aac1ce551
Score

10^/10

oski infostealer spyware suricata
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

oskiinfostealerspywaresuricata