oski | 9099f8ecee77fd796796c8a399a103dd35ad32d0a0c596045e96ec56b1836af2 | Triage

Submit
Reports

Overview

overview

Static

static

RFQ0722.xls

windows7-x64

RFQ0722.xls

windows10-2004-x64

Sharing

General

Target

RFQ0722.xls
Size

457KB
Sample

220725-k4gassbgcm
MD5

77358b120c49a00939b58f530827101b
SHA1

0243ff329e56636195dc9f8e2c7e8e23ce9a4d88
SHA256

9099f8ecee77fd796796c8a399a103dd35ad32d0a0c596045e96ec56b1836af2
SHA512

a39b0c58cb52854f7ce8a9c2840687e9aba86271f8af5e40d416987749b7e5ebecd62ff0d3c1339006bc6bc56fa64ab183c163224c76c9402ef8dd50c2308043

Score

10^/10

oski infostealer persistence suricata

Static task

static1

Behavioral task

behavioral1

Sample

RFQ0722.xls

Resource

win7-20220718-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ0722.xls

Resource

win10v2004-20220721-en

oski infostealer persistence suricata

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

oski

C2

manguerassorna.com

Targets

- Target
  
  RFQ0722.xls
- Size
  
  457KB
- MD5
  
  77358b120c49a00939b58f530827101b
- SHA1
  
  0243ff329e56636195dc9f8e2c7e8e23ce9a4d88
- SHA256
  
  9099f8ecee77fd796796c8a399a103dd35ad32d0a0c596045e96ec56b1836af2
- SHA512
  
  a39b0c58cb52854f7ce8a9c2840687e9aba86271f8af5e40d416987749b7e5ebecd62ff0d3c1339006bc6bc56fa64ab183c163224c76c9402ef8dd50c2308043
Score

10^/10

oski infostealer persistence suricata
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

oskiinfostealerpersistencesuricata

© 2018-2024

Terms | Privacy