oski | db348dc69788f96c6ccdaedb34b150fa21ac9d275a523e063b794c463d1f93a6

Analysis

max time kernel
42s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe
Size

200KB
MD5

092557d071b1aed5fc6340068e5dbfba
SHA1

6742f81d03cbd4fa5c2263e1711fa1cf10ca2aa9
SHA256

db348dc69788f96c6ccdaedb34b150fa21ac9d275a523e063b794c463d1f93a6
SHA512

f06c1d075bd863deb6a4eb9d41f58db42398caf5122a96028d7fd0ba84e0636719b53a9ca4b6282d1355ff335255cf90acd2f0315c16942296fc6c8c2cf894d6
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIb1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNW1Ljo3c

Score

10^/10

oski infostealer spyware stealer

Malware Config

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1256	1960	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1256	1960	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	30
PID 1960 wrote to memory of 1256	1960	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	30
PID 1960 wrote to memory of 1256	1960	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	30
PID 1960 wrote to memory of 1256	1960	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	30

C:\Users\Admin\AppData\Local\Temp\DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe
"C:\Users\Admin\AppData\Local\Temp\DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 780
  2⤵
  - Program crash
  PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download