Overview

overview

10

Static

static

VP83x7B6FV...in.zip

windows7_x64

1

VP83x7B6FV...in.zip

windows10-2004_x64

1

VP83x7B6FVhJrp5.exe

windows7_x64

10

VP83x7B6FVhJrp5.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VP83x7B6FVhJrp5.bin.zip

  • Size

    613KB

  • Sample

    220610-l8tblaeda7

  • MD5

    1436e09a8089120a94520662a655e7a9

  • SHA1

    9d198860344a0470ce136b049e4c4a0974651105

  • SHA256

    2c57a483839755cc3457059ad20e96d3c6997b452fb85931f17b9bd327472abb

  • SHA512

    106edfa33f64fc160051fc9c356f1dff8615220f311b4dc13334c6559be2e57cbd787909afed3a5707e4722505b0319834c3fddb00e3a89ba2b9f0295eaec31a

Score
10/10
oskiinfostealerspywaresuricata

Malware Config

Extracted

Family

oski

C2

unitech.co.vu

Targets

    • Target

      VP83x7B6FVhJrp5.bin.zip

    • Size

      613KB

    • MD5

      1436e09a8089120a94520662a655e7a9

    • SHA1

      9d198860344a0470ce136b049e4c4a0974651105

    • SHA256

      2c57a483839755cc3457059ad20e96d3c6997b452fb85931f17b9bd327472abb

    • SHA512

      106edfa33f64fc160051fc9c356f1dff8615220f311b4dc13334c6559be2e57cbd787909afed3a5707e4722505b0319834c3fddb00e3a89ba2b9f0295eaec31a

    Score
    1/10
    behavioral1behavioral2

    • Target

      VP83x7B6FVhJrp5.bin

    • Size

      693KB

    • MD5

      c8652278afcddfb2d0819cb20170ec69

    • SHA1

      fbb977552bf08eff8449dfaad9e853b93fb831da

    • SHA256

      96aaaea7fe5ece5fd42282815eb8d1e1d08ed6e167b2a239636f989604397ba4

    • SHA512

      1d8da18faad797876bd0f5efd1531d7e021754e3fee285e04224dbf05e7d82379e8a74b4a24e9680264e55e11cc05c35dd9fc1a71ff977fa6592f148b2b2f260

    Score
    10/10
    oskiinfostealerspywaresuricata

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

      infostealeroski

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks