Overview

overview

10

Static

static

RFQ OM - R...V .exe

windows7_x64

10

RFQ OM - R...V .exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ OM - RFQ No. OM-1267-V .exe

  • Size

    65KB

  • Sample

    220526-ds2c9sfhd6

  • MD5

    b43530a300febef7443f5d1f24c77299

  • SHA1

    570ac186d2c608e312e4f7297c980f6defedd672

  • SHA256

    41257a21d27bcb773bb43e7b23c918d5ea4135a868b915d0fb738cd5c19af256

  • SHA512

    4268d0bf32f4a8b9693ce1ca331e6e8b089e03cca04ede03e51e89f7f9f11083b2b86a3c82eb144991e8f5b75469025529927c37b92145631cd56602c62f0d89

Score
10/10
oskiinfostealerspywaresuricata

Malware Config

Extracted

Family

oski

C2

yungfang.co.vu

Targets

    • Target

      RFQ OM - RFQ No. OM-1267-V .exe

    • Size

      65KB

    • MD5

      b43530a300febef7443f5d1f24c77299

    • SHA1

      570ac186d2c608e312e4f7297c980f6defedd672

    • SHA256

      41257a21d27bcb773bb43e7b23c918d5ea4135a868b915d0fb738cd5c19af256

    • SHA512

      4268d0bf32f4a8b9693ce1ca331e6e8b089e03cca04ede03e51e89f7f9f11083b2b86a3c82eb144991e8f5b75469025529927c37b92145631cd56602c62f0d89

    Score
    10/10
    oskiinfostealerspywaresuricata

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

      infostealeroski

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks