oski | caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120

Analysis

Target

caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe
Size

293KB
MD5

a0d0319e501904cd74e51782e1ab74f9
SHA1

b8f7c45ecf8aaabccff860356f03ef02b65f12f6
SHA256

caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120
SHA512

3cc308094f4dbacd5f9aabc45d074e0b0af08676a694cb2e2898d1880646b22a0b64bbc0211ebf53fea7e6de34c631df6d5632c834298e432f804f7b8f593f10

Score

10^/10

Family

oski

ivchenkosvetlana.online

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

576 2024 WerFault.exe caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe

pid	pid_target	process	target process
576	2024	WerFault.exe	caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe

description	pid	process	target process
PID 2024 wrote to memory of 576	2024	caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe	WerFault.exe
PID 2024 wrote to memory of 576	2024	caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe	WerFault.exe
PID 2024 wrote to memory of 576	2024	caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe	WerFault.exe
PID 2024 wrote to memory of 576	2024	caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe
"C:\Users\Admin\AppData\Local\Temp\caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 860
2⤵
- Program crash
PID:576

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/576-58-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x000000000028B000-0x00000000002A6000-memory.dmp

Filesize
108KB

Download
memory/2024-56-0x0000000000480000-0x00000000004B0000-memory.dmp

Filesize
192KB

Download
memory/2024-57-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download