oski | 99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8

General

Target

99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
Size

1.1MB
MD5

a0291b1ed41752bc89ab183ad8d77d4f
SHA1

34b27a804f354423978fac88c9b6eea3bdb92cae
SHA256

99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8
SHA512

8dbcc8e05a655f52e4160259133e44c0b6d45788b1d493602c61eeaff6e3d1f71882057f50c5679b573727a3bb98a6b78718c53f8f1519ebe8dc0f3fc9f50e27

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

45.12.215.204

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Suspicious use of SetThreadContext 1 IoCs

Processes:

99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe

description	pid	process	target process
PID 864 set thread context of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe

description	pid	process	target process
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe

C:\Users\Admin\AppData\Local\Temp\99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
"C:\Users\Admin\AppData\Local\Temp\99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
"C:\Users\Admin\AppData\Local\Temp\99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe"
2⤵
PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-130-0x00000000002D0000-0x00000000003F6000-memory.dmp

Filesize
1.1MB

Download
memory/864-131-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/864-132-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/864-133-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/864-134-0x0000000004E40000-0x0000000004E4A000-memory.dmp

Filesize
40KB

Download
memory/864-135-0x0000000005090000-0x00000000050E6000-memory.dmp

Filesize
344KB

Download
memory/1832-136-0x0000000000000000-mapping.dmp

Download
memory/1832-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing