oski | 8d35a509c8341803a0e7f804817f4870c68274bb47523018b8842e759252d9ea

Analysis

Target

dhl.exe
Size

4.9MB
MD5

28c49dff3e6cce47ac148f844d5f657f
SHA1

fb5c3e86cf44dc8c627d4d78bcbb56e0d06ceaa9
SHA256

8d35a509c8341803a0e7f804817f4870c68274bb47523018b8842e759252d9ea
SHA512

0e68853476ccc6670ad27b5be2da6dbd465954b1a3a045c5426dc5cd038985138b3f387ec77c9a3a4fa04a3212763efe95baf48981438350600c6d7349cac7c3

Score

10^/10

oski infostealer

Family

oski

domazy.ga

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Suspicious use of SetThreadContext 1 IoCs

Processes:

dhl.exe

description pid process target process

PID 1572 set thread context of 1276 1572 dhl.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3768 1276 WerFault.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dhl.exe

description pid process

Token: SeDebugPrivilege 1572 dhl.exe

description	pid	process	target process
PID 1572 set thread context of 1276	1572	dhl.exe	RegAsm.exe

pid	pid_target	process	target process
3768	1276	WerFault.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1572	dhl.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dhl.exe

description	pid	process	target process
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	dhl.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
2⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 544
3⤵
- Program crash
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1276 -ip 1276
1⤵
PID:3764

memory/1276-134-0x0000000000000000-mapping.dmp

Download
memory/1276-136-0x0000000000700000-0x0000000000738000-memory.dmp

Filesize
224KB

Download
memory/1276-139-0x0000000000700000-0x0000000000738000-memory.dmp

Filesize
224KB

Download
memory/1276-142-0x0000000000700000-0x0000000000738000-memory.dmp

Filesize
224KB

Download
memory/1276-143-0x0000000000700000-0x0000000000738000-memory.dmp

Filesize
224KB

Download
memory/1572-130-0x0000000000730000-0x0000000000C18000-memory.dmp

Filesize
4.9MB

Download
memory/1572-131-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/1572-132-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/1572-133-0x0000000007190000-0x000000000722C000-memory.dmp

Filesize
624KB

Download