oski | 403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56

General

Target

403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe
Size

491KB
MD5

6800f4c8b2d1326dab120a6ad2b99ff6
SHA1

d45ad1d4567dd41b9676885c1d7c5e5ef8fe5fc0
SHA256

403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56
SHA512

7bc232c8e430b21a962bc37e094df0a0400a04353f3f776dd851b4c8141caf949076c7537ad995cef536df768225103bb88cb437a9cd14f9218a2572c3f6a54b

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

a343345.me

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1352 svchost.exe

pid	process
1352	svchost.exe

Loads dropped DLL 6 IoCs

Processes:

403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exeWerFault.exe

pid	process
988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe

description	pid	process	target process
PID 988 set thread context of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1156 1352 WerFault.exe svchost.exe

pid	pid_target	process	target process
1156	1352	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exesvchost.exe

description	pid	process	target process
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 988 wrote to memory of 1352	988	403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe	svchost.exe
PID 1352 wrote to memory of 1156	1352	svchost.exe	WerFault.exe
PID 1352 wrote to memory of 1156	1352	svchost.exe	WerFault.exe
PID 1352 wrote to memory of 1156	1352	svchost.exe	WerFault.exe
PID 1352 wrote to memory of 1156	1352	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe
"C:\Users\Admin\AppData\Local\Temp\403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 784
3⤵
- Loads dropped DLL
- Program crash
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/988-71-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/988-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1156-73-0x0000000000000000-mapping.dmp

Download
memory/1352-66-0x000000000040717B-mapping.dmp

Download
memory/1352-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-57-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads