oski | 4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f | Triage

Submit
Reports

Overview

overview

Static

static

4ac4190585...2f.exe

windows7-x64

6

4ac4190585...2f.exe

windows10-2004-x64

Sharing

General

Target

4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f
Size

264KB
Sample

230124-nx5llaaf72
MD5

17b3383a638c8e71894afdab1a2a5663
SHA1

4c26ddeab4ae5bc78bfd9002e021311c80ea0396
SHA256

4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f
SHA512

265a8dd85bc1c3e456e38734818f08faf4c71451082dca9dd7182c348284158ff31771eb4d2ebf6ee157640ee91825c90e57a326d17af7d72efae030af23fb5c
SSDEEP

3072:8S8RUOa/qrXc/5YDuSrtJxQMOGcNZUKFLYhlBOGov1DsHMchNvHVial6Px7QeZkC:92A/UuSfxrZcrjLYvBBovi7JgP

Score

10^/10

oski discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f.exe

Resource

win7-20221111-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f.exe

Resource

win10v2004-20220901-en

oski discovery infostealer persistence spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

oski

C2

anstransport.com

Targets

- Target
  
  4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f
- Size
  
  264KB
- MD5
  
  17b3383a638c8e71894afdab1a2a5663
- SHA1
  
  4c26ddeab4ae5bc78bfd9002e021311c80ea0396
- SHA256
  
  4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f
- SHA512
  
  265a8dd85bc1c3e456e38734818f08faf4c71451082dca9dd7182c348284158ff31771eb4d2ebf6ee157640ee91825c90e57a326d17af7d72efae030af23fb5c
- SSDEEP
  
  3072:8S8RUOa/qrXc/5YDuSrtJxQMOGcNZUKFLYhlBOGov1DsHMchNvHVial6Px7QeZkC:92A/UuSfxrZcrjLYvBBovi7JgP
Score

10^/10

persistence oski discovery infostealer spyware stealer
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

oskidiscoveryinfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy