Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    053022 BL#6329296080 IMPORTER#3400037 (NEED L.exe

  • Size

    747KB

  • Sample

    220601-1kbh7sbgf2

  • MD5

    7a2babef327a833fb307c31517740e5d

  • SHA1

    9c87a1a547b9e5eddbf146d57d0589095d87b523

  • SHA256

    8d02836e227159df328ccb237413c709acf5683a526ffaedcdd09fd409a76cdb

  • SHA512

    683eba89141d595e6fb9d1ff2345827c59d545b8332fad71bef7f0481d8e257305f2c6ecc87b18e39c16548aae63ddef9560eceff71d45f1e4cb5355837955fa

Malware Config

Extracted

Family

oski

C2

internetstores.co.vu

Targets

    • Target

      053022 BL#6329296080 IMPORTER#3400037 (NEED L.exe

    • Size

      747KB

    • MD5

      7a2babef327a833fb307c31517740e5d

    • SHA1

      9c87a1a547b9e5eddbf146d57d0589095d87b523

    • SHA256

      8d02836e227159df328ccb237413c709acf5683a526ffaedcdd09fd409a76cdb

    • SHA512

      683eba89141d595e6fb9d1ff2345827c59d545b8332fad71bef7f0481d8e257305f2c6ecc87b18e39c16548aae63ddef9560eceff71d45f1e4cb5355837955fa

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks