General
-
Target
SecuriteInfo.com.IL.Trojan.MSILMamut.3044.28554.19954
-
Size
743KB
-
Sample
220602-gbpvpadda3
-
MD5
6bc672d5f96b14084c561a217731c5a4
-
SHA1
7ff84c9fe7594826d2c8689279979bdc75f0b561
-
SHA256
cd238eae8acd5aaece92a1c264437fedea2fd7088df8353d81cdfd6af037e69b
-
SHA512
6c06111139ff6f35ceb302cb7f0d1e960134d1a46fee4fe2727310a416b36c35e6c10372cbdd5107b01af833d3e3f3ec5bf0186a7fdd62b02e9d86ea2184fd7a
Malware Config
Extracted
oski
unitech.co.vu
Targets
-
-
Target
SecuriteInfo.com.IL.Trojan.MSILMamut.3044.28554.19954
-
Size
743KB
-
MD5
6bc672d5f96b14084c561a217731c5a4
-
SHA1
7ff84c9fe7594826d2c8689279979bdc75f0b561
-
SHA256
cd238eae8acd5aaece92a1c264437fedea2fd7088df8353d81cdfd6af037e69b
-
SHA512
6c06111139ff6f35ceb302cb7f0d1e960134d1a46fee4fe2727310a416b36c35e6c10372cbdd5107b01af833d3e3f3ec5bf0186a7fdd62b02e9d86ea2184fd7a
Score10/10-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-