oski | dd77e09b528cd9572298122d059a6041f3d4e91921a11bdbfaf57fe0c8339aef

Analysis

Target

DOCSX.scr.exe
Size

1006KB
MD5

87c8dfadd09d783b4ecb103cb755f968
SHA1

bd6bc7e116af16697416d9ac98c74d8ecda00a82
SHA256

dd77e09b528cd9572298122d059a6041f3d4e91921a11bdbfaf57fe0c8339aef
SHA512

450941b7e54eca008cdca29f96a8aaf55fc59c76f4e808a2f706d30783c0efc7e0834d561379edc7580b4dfda92a4acb3d2ccae1ec19aaa2fc80c616538f90e7

Score

10^/10

Family

oski

lettingos.co.vu

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1852 set thread context of 3868	1852	DOCSX.scr.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4756	3868	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	DOCSX.scr.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4316	1852	DOCSX.scr.exe	82
PID 1852 wrote to memory of 4316	1852	DOCSX.scr.exe	82
PID 1852 wrote to memory of 4316	1852	DOCSX.scr.exe	82
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83
PID 1852 wrote to memory of 3868	1852	DOCSX.scr.exe	83

C:\Users\Admin\AppData\Local\Temp\DOCSX.scr.exe
"C:\Users\Admin\AppData\Local\Temp\DOCSX.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\extrac32.exe
  "C:\Windows\SysWOW64\extrac32.exe"
  2⤵
  PID:4316
- C:\Windows\SysWOW64\EhStorAuthn.exe
  "C:\Windows\SysWOW64\EhStorAuthn.exe"
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1308
    3⤵
    - Program crash
    PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3868 -ip 3868
1⤵
PID:3160

memory/1852-130-0x0000000000FD0000-0x00000000010D2000-memory.dmp

Filesize
1.0MB

Download
memory/1852-131-0x0000000004BE0000-0x0000000004C56000-memory.dmp

Filesize
472KB

Download
memory/1852-132-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/1852-133-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/1852-134-0x0000000002740000-0x000000000275E000-memory.dmp

Filesize
120KB

Download
memory/3868-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3868-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3868-139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3868-140-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download