oski | b5a1a2fbb4786f68248ba11b8780b8c8294ed881fed3c362c54b0560e1cb2018

General

Target

b3344d57c132a4ea95c92fd21c597590.exe
Size

441KB
MD5

b3344d57c132a4ea95c92fd21c597590
SHA1

26f255504c86d3ee652c88450ac8ef9d49651d11
SHA256

b5a1a2fbb4786f68248ba11b8780b8c8294ed881fed3c362c54b0560e1cb2018
SHA512

483b50f0b49555065e2b395246567f2f8a925ed13df43dd96438aac4a6aacae37ab25af61ce85d21de3d9e9ff23ef24f37eccae69d377a2ad5ae44a4acedf370
SSDEEP

12288:EAodPtkt4pss2IBgWbtAZPSNvg4JQLIGcmq9W:EAgVziIBgW5Ax2g4+7cv8

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

robbmaterials.xyz

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1664	3060	WerFault.exe	32

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2664	schtasks.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2664	2896	b3344d57c132a4ea95c92fd21c597590.exe	30
PID 2896 wrote to memory of 2664	2896	b3344d57c132a4ea95c92fd21c597590.exe	30
PID 2896 wrote to memory of 2664	2896	b3344d57c132a4ea95c92fd21c597590.exe	30
PID 2896 wrote to memory of 2664	2896	b3344d57c132a4ea95c92fd21c597590.exe	30
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 2896 wrote to memory of 3060	2896	b3344d57c132a4ea95c92fd21c597590.exe	32
PID 3060 wrote to memory of 1664	3060	b3344d57c132a4ea95c92fd21c597590.exe	34
PID 3060 wrote to memory of 1664	3060	b3344d57c132a4ea95c92fd21c597590.exe	34
PID 3060 wrote to memory of 1664	3060	b3344d57c132a4ea95c92fd21c597590.exe	34
PID 3060 wrote to memory of 1664	3060	b3344d57c132a4ea95c92fd21c597590.exe	34

C:\Users\Admin\AppData\Local\Temp\b3344d57c132a4ea95c92fd21c597590.exe
"C:\Users\Admin\AppData\Local\Temp\b3344d57c132a4ea95c92fd21c597590.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YajFFkFQFAik" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\b3344d57c132a4ea95c92fd21c597590.exe
  "C:\Users\Admin\AppData\Local\Temp\b3344d57c132a4ea95c92fd21c597590.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 868
    3⤵
    - Program crash
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2896-1-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-0-0x0000000000960000-0x00000000009D4000-memory.dmp

Filesize
464KB

Download
memory/2896-2-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/2896-3-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2896-4-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-5-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/2896-6-0x00000000050C0000-0x000000000511C000-memory.dmp

Filesize
368KB

Download
memory/2896-22-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/3060-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads