oski | 99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8

Analysis

Target

99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
Size

1.1MB
MD5

a0291b1ed41752bc89ab183ad8d77d4f
SHA1

34b27a804f354423978fac88c9b6eea3bdb92cae
SHA256

99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8
SHA512

8dbcc8e05a655f52e4160259133e44c0b6d45788b1d493602c61eeaff6e3d1f71882057f50c5679b573727a3bb98a6b78718c53f8f1519ebe8dc0f3fc9f50e27

Score

10^/10

oski infostealer

Family

oski

45.12.215.204

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87
PID 864 wrote to memory of 1832	864	99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe	87

C:\Users\Admin\AppData\Local\Temp\99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
"C:\Users\Admin\AppData\Local\Temp\99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe
  "C:\Users\Admin\AppData\Local\Temp\99bb29228fae968289f88e3bcf86089595e9dcb9dacbd6602258650173d173d8.exe"
  2⤵
  PID:1832

memory/864-130-0x00000000002D0000-0x00000000003F6000-memory.dmp

Filesize
1.1MB

Download
memory/864-131-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/864-132-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/864-133-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/864-134-0x0000000004E40000-0x0000000004E4A000-memory.dmp

Filesize
40KB

Download
memory/864-135-0x0000000005090000-0x00000000050E6000-memory.dmp

Filesize
344KB

Download
memory/1832-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download