oski | 29cd5901e6099a6423ee9762e817060deaf43b9668447dd8b5cc327c1425521d

General

Target

Sucwelxt vv.exe
Size

525KB
MD5

082bd91b649aa37460d4ec595878e8b4
SHA1

0613f565d1f0f6a5acbea226bccb5ab99bbe8c9c
SHA256

f26018f63848edfc0e7a83dbdc502a710bfafa968eacf658ce8a13915a42e783
SHA512

d5a0722b50e6c2a62b007537b2fda7f64e21d41f29dcf07f104dbdc80e331d454805c97d0eb553236f4dae57ccfb76a1a3273e78891a85d53369f40adc20ed84

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

http://bsig99.xyz

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 764	1260	Sucwelxt vv.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1952	764	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1260	Sucwelxt vv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	Sucwelxt vv.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 1260 wrote to memory of 764	1260	Sucwelxt vv.exe	27
PID 764 wrote to memory of 1952	764	Sucwelxt vv.exe	31
PID 764 wrote to memory of 1952	764	Sucwelxt vv.exe	31
PID 764 wrote to memory of 1952	764	Sucwelxt vv.exe	31
PID 764 wrote to memory of 1952	764	Sucwelxt vv.exe	31

C:\Users\Admin\AppData\Local\Temp\Sucwelxt vv.exe
"C:\Users\Admin\AppData\Local\Temp\Sucwelxt vv.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\Sucwelxt vv.exe
  "C:\Users\Admin\AppData\Local\Temp\Sucwelxt vv.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 772
    3⤵
    - Program crash
    PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/764-88-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/764-85-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/764-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/764-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/764-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/764-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/764-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1260-62-0x0000000000BC0000-0x0000000000C04000-memory.dmp

Filesize
272KB

Download
memory/1260-54-0x0000000001110000-0x0000000001198000-memory.dmp

Filesize
544KB

Download
memory/1260-65-0x00000000729C0000-0x0000000073D4F000-memory.dmp

Filesize
19.6MB

Download
memory/1260-66-0x0000000071000000-0x00000000710CF000-memory.dmp

Filesize
828KB

Download
memory/1260-67-0x0000000070E60000-0x0000000070FF4000-memory.dmp

Filesize
1.6MB

Download
memory/1260-68-0x0000000070140000-0x0000000070E5D000-memory.dmp

Filesize
13.1MB

Download
memory/1260-69-0x0000000071FB0000-0x00000000729C0000-memory.dmp

Filesize
10.1MB

Download
memory/1260-70-0x0000000074080000-0x00000000747BE000-memory.dmp

Filesize
7.2MB

Download
memory/1260-71-0x00000000717D0000-0x0000000071FB0000-memory.dmp

Filesize
7.9MB

Download
memory/1260-72-0x00000000716D0000-0x00000000717CC000-memory.dmp

Filesize
1008KB

Download
memory/1260-63-0x0000000000FF0000-0x000000000103C000-memory.dmp

Filesize
304KB

Download
memory/1260-64-0x00000000710D0000-0x000000007134A000-memory.dmp

Filesize
2.5MB

Download
memory/1260-61-0x0000000000540000-0x000000000059C000-memory.dmp

Filesize
368KB

Download
memory/1260-60-0x00000000716D0000-0x00000000717CC000-memory.dmp

Filesize
1008KB

Download
memory/1260-59-0x00000000717D0000-0x0000000071FB0000-memory.dmp

Filesize
7.9MB

Download
memory/1260-58-0x0000000074080000-0x00000000747BE000-memory.dmp

Filesize
7.2MB

Download
memory/1260-57-0x0000000071FB0000-0x00000000729C0000-memory.dmp

Filesize
10.1MB

Download
memory/1260-56-0x00000000729C0000-0x0000000073D4F000-memory.dmp

Filesize
19.6MB

Download
memory/1260-87-0x0000000071FB0000-0x00000000729C0000-memory.dmp

Filesize
10.1MB

Download
memory/1260-55-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1260-89-0x00000000717D0000-0x0000000071FB0000-memory.dmp

Filesize
7.9MB

Download
memory/1260-90-0x00000000729C0000-0x0000000073D4F000-memory.dmp

Filesize
19.6MB

Download

Analysis

Sharing