General

  • Target

    os.exe

  • Size

    469KB

  • Sample

    220721-qz8gdafgg2

  • MD5

    3e0559f907c481442d53ac625c3d98b0

  • SHA1

    acad6550d0d9a43d791cd5aaf78237053ab2e9e2

  • SHA256

    b7bf04a5d5d14c38358fb28f8e2453bf45926684769ad6a79a4bf110d8587af5

  • SHA512

    1b05ea5c49483b68b420a0beb62039445288ac8325bb52b3ffa2a1de6a4241b261d2329db9d49df19fb909e042b199091c878c0b49a477cede7b4229ff548567

Malware Config

Extracted

Family

oski

C2

raslack.axwebsite.com

Targets

    • Target

      os.exe

    • Size

      469KB

    • MD5

      3e0559f907c481442d53ac625c3d98b0

    • SHA1

      acad6550d0d9a43d791cd5aaf78237053ab2e9e2

    • SHA256

      b7bf04a5d5d14c38358fb28f8e2453bf45926684769ad6a79a4bf110d8587af5

    • SHA512

      1b05ea5c49483b68b420a0beb62039445288ac8325bb52b3ffa2a1de6a4241b261d2329db9d49df19fb909e042b199091c878c0b49a477cede7b4229ff548567

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Tasks