General

  • Target

    196eeeeda9dd440d09c600d48eeb0e0d.exe

  • Size

    200KB

  • Sample

    221125-ejwxvsde6v

  • MD5

    196eeeeda9dd440d09c600d48eeb0e0d

  • SHA1

    3ba43dc1d037f7f066c607beadc53b820ded6fbf

  • SHA256

    6308facc6996963ce6e55469026b6bbc3b43b4b873ffadbe52cbac7ab044ec6a

  • SHA512

    7b1795ef97afc1dc44283d1ee5a39c72546128a0ac1fe2301c13645fabc8620895c3ddc387135e1557aa059e866484f52171b8a57d8b69c08dfd62d1a479992b

  • SSDEEP

    3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIS1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNj1Ljo3c

Malware Config

Extracted

Family

oski

C2

amazon3.serveuser.com

Targets

    • Target

      196eeeeda9dd440d09c600d48eeb0e0d.exe

    • Size

      200KB

    • MD5

      196eeeeda9dd440d09c600d48eeb0e0d

    • SHA1

      3ba43dc1d037f7f066c607beadc53b820ded6fbf

    • SHA256

      6308facc6996963ce6e55469026b6bbc3b43b4b873ffadbe52cbac7ab044ec6a

    • SHA512

      7b1795ef97afc1dc44283d1ee5a39c72546128a0ac1fe2301c13645fabc8620895c3ddc387135e1557aa059e866484f52171b8a57d8b69c08dfd62d1a479992b

    • SSDEEP

      3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIS1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNj1Ljo3c

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

2
T1005

Tasks