General

  • Target

    delphi.exe

  • Size

    240KB

  • Sample

    220801-na4qsaffg3

  • MD5

    dccb52f53448142fab5718a6bd7e5a6b

  • SHA1

    01a9487c037ab9e32709355254932e881d3cc444

  • SHA256

    19c9f9cbfe761001bd796973fb4f72e35175e477b7d5677b2e15ec7d223e5834

  • SHA512

    906174c88655825323700ce234bfd6679f9b13ddfc0b6d0b3e2bd4f5efdd6295cd18d9a347de8b85fbdc6bc83d5832bb7ebcbee83dea2c0e20f03117f0f5a1df

Malware Config

Extracted

Family

oski

C2

cybersd.axfree.com

Targets

    • Target

      delphi.exe

    • Size

      240KB

    • MD5

      dccb52f53448142fab5718a6bd7e5a6b

    • SHA1

      01a9487c037ab9e32709355254932e881d3cc444

    • SHA256

      19c9f9cbfe761001bd796973fb4f72e35175e477b7d5677b2e15ec7d223e5834

    • SHA512

      906174c88655825323700ce234bfd6679f9b13ddfc0b6d0b3e2bd4f5efdd6295cd18d9a347de8b85fbdc6bc83d5832bb7ebcbee83dea2c0e20f03117f0f5a1df

    • Detect Neshta payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks