oski | 89ec309c384717284199d66d01669738ce37d9fb445a8f7f2259dfd6ca888f5d | Triage

Submit
Reports

Overview

overview

Static

static

invoice fo...nt.exe

windows7_x64

invoice fo...nt.exe

windows10-2004_x64

Resubmissions

08-06-2022 14:06

220608-regzcsaebr 10

08-06-2022 13:56

220608-q8y93adhf6 10

Sharing

General

Target

invoice for payment.exe
Size

65KB
Sample

220608-q8y93adhf6
MD5

197043d984533ac65f82611414d32792
SHA1

799b97ec3adc652ff5cf89df6852e6c535e833d9
SHA256

89ec309c384717284199d66d01669738ce37d9fb445a8f7f2259dfd6ca888f5d
SHA512

94c19f18c3aaa0bcb4f37f07aad2ab92863d303fe1e9083c4f73a6b71d47f001701a81aa111c3646cc1c33a21b9d00f883a654b1e3ccdbb39fd5764d30d6cab1

Score

10^/10

oski infostealer spyware suricata

Static task

static1

Behavioral task

behavioral1

Sample

invoice for payment.exe

Resource

win7-20220414-en

oski infostealer spyware suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

invoice for payment.exe

Resource

win10v2004-20220414-en

oski infostealer spyware suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

oski

C2

yungfang.co.vu

Targets

- Target
  
  invoice for payment.exe
- Size
  
  65KB
- MD5
  
  197043d984533ac65f82611414d32792
- SHA1
  
  799b97ec3adc652ff5cf89df6852e6c535e833d9
- SHA256
  
  89ec309c384717284199d66d01669738ce37d9fb445a8f7f2259dfd6ca888f5d
- SHA512
  
  94c19f18c3aaa0bcb4f37f07aad2ab92863d303fe1e9083c4f73a6b71d47f001701a81aa111c3646cc1c33a21b9d00f883a654b1e3ccdbb39fd5764d30d6cab1
Score

10^/10

oski infostealer spyware suricata
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

oskiinfostealerspywaresuricata

behavioral2

oskiinfostealerspywaresuricata

© 2018-2024

Terms | Privacy