oski

General

Target

Zoom_Team.zip
Size

626KB
Sample

230106-k1cs7sbb8s
MD5

0000840106f9118bc9a6b15cace8805c
SHA1

28a887c5eed446bcd87d8da50115c23d1336834d
SHA256

f1d9c87c7e97db85d31c56b62f33ae71a2869281cf054a1b4f1ce0d891e84f44
SHA512

fc6526e2ea61a2fa8322545aba846e7310a670f82e3637e3d7665334cdccfe5d9706232384a58c29f0b714232337c697f9a1f60af93a162bfe00ca61fbc99aa0
SSDEEP

12288:fNpHUTyrldkos2DjBGhgJvg/jk05RMHxse5Wjg5m2+vQkpAGhgJvg/jk05RMHxsU:fNz/5p8BEHx7WjcmDG8BEHx7F

Score

10^/10

Malware Config

Extracted

Family

oski

C2

spamcxcs.com

Targets

- Target
  
  Zoom_Commercial_setup.exe
- Size
  
  550KB
- MD5
  
  b7af9364e54e733684f2b5ef4bdd550a
- SHA1
  
  0b4a2b89d5373e6e13395753786154e90e803387
- SHA256
  
  37e06231dbbfd682fed877eece815fc8f383f05396495468805d75c94a802e6e
- SHA512
  
  15aafec28acb2862168ee073bd7dc7ea766463e677399f2d6da200f7db9a342c4e8db6f9237e12174fa4c99acf3d3279f686bb11e8a12adc53072492ef828c48
- SSDEEP
  
  6144:7nx1IH1z1RRu8HAx08JgSRxEguHjseJ1Rb/:shvRu8g3dbEjHjselb/
Score

10^/10

oski discovery infostealer persistence spyware stealer
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  photo_88093849384983430493483984390-094.exe
- Size
  
  550KB
- MD5
  
  b7af9364e54e733684f2b5ef4bdd550a
- SHA1
  
  0b4a2b89d5373e6e13395753786154e90e803387
- SHA256
  
  37e06231dbbfd682fed877eece815fc8f383f05396495468805d75c94a802e6e
- SHA512
  
  15aafec28acb2862168ee073bd7dc7ea766463e677399f2d6da200f7db9a342c4e8db6f9237e12174fa4c99acf3d3279f686bb11e8a12adc53072492ef828c48
- SSDEEP
  
  6144:7nx1IH1z1RRu8HAx08JgSRxEguHjseJ1Rb/:shvRu8g3dbEjHjselb/
Score

10^/10

oski discovery infostealer persistence spyware stealer
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral3 behavioral4