oski | f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce

General

Target

f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
Size

767KB
MD5

1e8e6c7b0357b7590f694162733e1f2f
SHA1

fc2ea46d76bc7ab12ada51226b655771422ec343
SHA256

f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce
SHA512

23a2e7544fcf2db2b7f28cefe03c7826d1f575ed6c8f8a5f4a0a1c2ea48f6f0f3e6c7529b04793f6404bdda9b651a090ed8a29277e05665f4547cd23a24177f8

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

levitt.ug

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe

description	pid	process	target process
PID 1120 set thread context of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1100 1380 WerFault.exe f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe

pid	pid_target	process	target process
1100	1380	WerFault.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exef7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe

description	pid	process	target process
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1120 wrote to memory of 1380	1120	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
PID 1380 wrote to memory of 1100	1380	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	WerFault.exe
PID 1380 wrote to memory of 1100	1380	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	WerFault.exe
PID 1380 wrote to memory of 1100	1380	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	WerFault.exe
PID 1380 wrote to memory of 1100	1380	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
"C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 804
3⤵
- Program crash
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-71-0x0000000000000000-mapping.dmp

Download
memory/1120-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1120-55-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1380-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-66-0x0000000000417A8B-mapping.dmp

Download
memory/1380-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing