oski | 49c7f9c1a11758309f55b563b54a44b734b39f185d1d5d63436adea38e44a03d

General

Target

DHL PACKAGE DOCUMENT.exe
Size

23KB
MD5

cf65c6f1cb9b6847cf639bd57e8282d1
SHA1

30e4a45690434c04643aa30456191fc78041caf4
SHA256

49c7f9c1a11758309f55b563b54a44b734b39f185d1d5d63436adea38e44a03d
SHA512

b554bd0f76522d5bd33d33481b8a98f37059f87be2cd651c012181c1c776e294831281c4e65b68104de62eae3feaa8f813b3ec8f2c827f5f438f7cfcec9ca7eb

Score

10^/10

oski infostealer persistence spyware suricata

Malware Config

Extracted

Family

oski

C2

unitech.co.vu

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
3860	MSBuild.exe
3860	MSBuild.exe
3860	MSBuild.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrom.exe\""	DHL PACKAGE DOCUMENT.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 3860	1912	DHL PACKAGE DOCUMENT.exe	82

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3512	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1912	DHL PACKAGE DOCUMENT.exe
1912	DHL PACKAGE DOCUMENT.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	DHL PACKAGE DOCUMENT.exe
Token: SeDebugPrivilege	3512	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 1912 wrote to memory of 3860	1912	DHL PACKAGE DOCUMENT.exe	82
PID 3860 wrote to memory of 1200	3860	MSBuild.exe	85
PID 3860 wrote to memory of 1200	3860	MSBuild.exe	85
PID 3860 wrote to memory of 1200	3860	MSBuild.exe	85
PID 1200 wrote to memory of 3512	1200	cmd.exe	87
PID 1200 wrote to memory of 3512	1200	cmd.exe	87
PID 1200 wrote to memory of 3512	1200	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\DHL PACKAGE DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\DHL PACKAGE DOCUMENT.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /pid 3860 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe & RD /S /Q C:\\ProgramData\\813955804164984\\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /pid 3860
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/1912-130-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/3860-133-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3860-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3860-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3860-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3860-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3860-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing