oski | f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce

General

Target

f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
Size

767KB
MD5

1e8e6c7b0357b7590f694162733e1f2f
SHA1

fc2ea46d76bc7ab12ada51226b655771422ec343
SHA256

f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce
SHA512

23a2e7544fcf2db2b7f28cefe03c7826d1f575ed6c8f8a5f4a0a1c2ea48f6f0f3e6c7529b04793f6404bdda9b651a090ed8a29277e05665f4547cd23a24177f8

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

levitt.ug

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3196	4952	WerFault.exe	89

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89
PID 1220 wrote to memory of 4952	1220	f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe	89

C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
"C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
  "{path}"
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1292
    3⤵
    - Program crash
    PID:3196

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4952 -ip 4952
1⤵
PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-130-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4952-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing