Overview

overview

10

Static

static

1

Zoom_Comme...up.exe

windows7-x64

8

Zoom_Comme...up.exe

windows10-2004-x64

10

photo_8809...94.exe

windows7-x64

8

photo_8809...94.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Zoom_Team.zip

  • Size

    626KB

  • Sample

    230106-k1cs7sbb8s

  • MD5

    0000840106f9118bc9a6b15cace8805c

  • SHA1

    28a887c5eed446bcd87d8da50115c23d1336834d

  • SHA256

    f1d9c87c7e97db85d31c56b62f33ae71a2869281cf054a1b4f1ce0d891e84f44

  • SHA512

    fc6526e2ea61a2fa8322545aba846e7310a670f82e3637e3d7665334cdccfe5d9706232384a58c29f0b714232337c697f9a1f60af93a162bfe00ca61fbc99aa0

  • SSDEEP

    12288:fNpHUTyrldkos2DjBGhgJvg/jk05RMHxse5Wjg5m2+vQkpAGhgJvg/jk05RMHxsU:fNz/5p8BEHx7WjcmDG8BEHx7F

Score
10/10
oskidiscoveryinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

oski

C2

spamcxcs.com

Targets

    • Target

      Zoom_Commercial_setup.exe

    • Size

      550KB

    • MD5

      b7af9364e54e733684f2b5ef4bdd550a

    • SHA1

      0b4a2b89d5373e6e13395753786154e90e803387

    • SHA256

      37e06231dbbfd682fed877eece815fc8f383f05396495468805d75c94a802e6e

    • SHA512

      15aafec28acb2862168ee073bd7dc7ea766463e677399f2d6da200f7db9a342c4e8db6f9237e12174fa4c99acf3d3279f686bb11e8a12adc53072492ef828c48

    • SSDEEP

      6144:7nx1IH1z1RRu8HAx08JgSRxEguHjseJ1Rb/:shvRu8g3dbEjHjselb/

    Score
    10/10
    oskidiscoveryinfostealerpersistencespywarestealer

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

      infostealeroski

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      photo_88093849384983430493483984390-094.exe

    • Size

      550KB

    • MD5

      b7af9364e54e733684f2b5ef4bdd550a

    • SHA1

      0b4a2b89d5373e6e13395753786154e90e803387

    • SHA256

      37e06231dbbfd682fed877eece815fc8f383f05396495468805d75c94a802e6e

    • SHA512

      15aafec28acb2862168ee073bd7dc7ea766463e677399f2d6da200f7db9a342c4e8db6f9237e12174fa4c99acf3d3279f686bb11e8a12adc53072492ef828c48

    • SSDEEP

      6144:7nx1IH1z1RRu8HAx08JgSRxEguHjseJ1Rb/:shvRu8g3dbEjHjselb/

    Score
    10/10
    oskidiscoveryinfostealerpersistencespywarestealer

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

      infostealeroski

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks