oski | a96d0e16ff2f1bb99d82f6232b48e8d40d879906a0dd2870985359d19e82ff6e | Triage

Submit
Reports

Overview

overview

Static

static

42601ff8d4...8c.exe

windows7-x64

42601ff8d4...8c.exe

windows10-2004-x64

Sharing

General

Target

42601ff8d41599bb0a61bed4bddc468c.exe
Size

882KB
Sample

220725-ta25vahbbk
MD5

42601ff8d41599bb0a61bed4bddc468c
SHA1

73ca2dd8e1a2d000447dfc3ea6cd3c84eb7f3490
SHA256

a96d0e16ff2f1bb99d82f6232b48e8d40d879906a0dd2870985359d19e82ff6e
SHA512

011e2c2c5fee106c35cd9a764b37da79f459b6488c5d1ca12f9001666e8d0547d08948f4a7dec219ae5090644f3db87b9817939976e002a55cbf7c4b9665834c

Score

10^/10

oski discovery infostealer spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

42601ff8d41599bb0a61bed4bddc468c.exe

Resource

win7-20220715-en

oski discovery infostealer spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

42601ff8d41599bb0a61bed4bddc468c.exe

Resource

win10v2004-20220721-en

oski discovery infostealer spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

oski

C2

ra.adriansbruce.com

Targets

- Target
  
  42601ff8d41599bb0a61bed4bddc468c.exe
- Size
  
  882KB
- MD5
  
  42601ff8d41599bb0a61bed4bddc468c
- SHA1
  
  73ca2dd8e1a2d000447dfc3ea6cd3c84eb7f3490
- SHA256
  
  a96d0e16ff2f1bb99d82f6232b48e8d40d879906a0dd2870985359d19e82ff6e
- SHA512
  
  011e2c2c5fee106c35cd9a764b37da79f459b6488c5d1ca12f9001666e8d0547d08948f4a7dec219ae5090644f3db87b9817939976e002a55cbf7c4b9665834c
Score

10^/10

oski discovery infostealer spyware stealer
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

oskidiscoveryinfostealerspywarestealer

behavioral2

oskidiscoveryinfostealerspywarestealer

© 2018-2024

Terms | Privacy