Overview

overview

10

Static

static

10

bb12e61f99...d9.exe

windows7_x64

10

bb12e61f99...d9.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    44s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-07-2022 00:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb12e61f99f6c7b2d4c8702d02dec5d9.exe

  • Size

    200KB

  • MD5

    bb12e61f99f6c7b2d4c8702d02dec5d9

  • SHA1

    3924763176734ee12f708a7f0fdd05f49c473ac4

  • SHA256

    fb0901c0241896831cac8f3e139c461ae327fc884812d3a206d4e0b8b7931a2e

  • SHA512

    49f6e0ac1ffc8638f8116f5e5d5e3a9548ced2f788638f370bba55225184d71bf1e10e9c8a12aff3911a40b228f337a1bfeb20fc3394e2630601d0b2cd709220

Score
10/10
oskiinfostealerspywarestealersuricata

Malware Config

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb12e61f99f6c7b2d4c8702d02dec5d9.exe
    "C:\Users\Admin\AppData\Local\Temp\bb12e61f99f6c7b2d4c8702d02dec5d9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 768
      2⤵
      • Program crash
      PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/976-55-0x0000000000000000-mapping.dmp
    Download
  • memory/2040-54-0x0000000076261000-0x0000000076263000-memory.dmp
    Filesize

    8KB

    Download