oski | 8d35a509c8341803a0e7f804817f4870c68274bb47523018b8842e759252d9ea | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

dhl.exe

windows7_x64

dhl.exe

windows10-2004_x64

Sharing

General

Target

dhl.exe
Size

4.9MB
Sample

220711-kmklwsffak
MD5

28c49dff3e6cce47ac148f844d5f657f
SHA1

fb5c3e86cf44dc8c627d4d78bcbb56e0d06ceaa9
SHA256

8d35a509c8341803a0e7f804817f4870c68274bb47523018b8842e759252d9ea
SHA512

0e68853476ccc6670ad27b5be2da6dbd465954b1a3a045c5426dc5cd038985138b3f387ec77c9a3a4fa04a3212763efe95baf48981438350600c6d7349cac7c3

Score

10^/10

oski discovery infostealer spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

dhl.exe

Resource

win7-20220414-en

oski discovery infostealer spyware stealer suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

dhl.exe

Resource

win10v2004-20220414-en

oski infostealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

oski

C2

domazy.ga

Targets

- Target
  
  dhl.exe
- Size
  
  4.9MB
- MD5
  
  28c49dff3e6cce47ac148f844d5f657f
- SHA1
  
  fb5c3e86cf44dc8c627d4d78bcbb56e0d06ceaa9
- SHA256
  
  8d35a509c8341803a0e7f804817f4870c68274bb47523018b8842e759252d9ea
- SHA512
  
  0e68853476ccc6670ad27b5be2da6dbd465954b1a3a045c5426dc5cd038985138b3f387ec77c9a3a4fa04a3212763efe95baf48981438350600c6d7349cac7c3
Score

10^/10

oski discovery infostealer spyware stealer suricata
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

oskidiscoveryinfostealerspywarestealersuricata

behavioral2

oskiinfostealer

© 2018-2025

Terms | Privacy