oski | d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693

General

Target

e4086615e3011d916a50689cef433c77.exe
Size

5.4MB
MD5

e4086615e3011d916a50689cef433c77
SHA1

24c38d07046c2781f01d98ae3d7b1d9a80ea69e0
SHA256

d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693
SHA512

06ed1a259f5d6f668508399e61a4465eabd642f966ea0903746ac6b4981f5df7bdaef2de231d1b50f5d271b357435aed21b81b66ed2fca78e219ea72d8db7966
SSDEEP

98304:3EAKCzqdfS72BW2WLASB3MgsESIXaM3dm8j6o8DQDvALRmn6BKVq:0LNS7tASVMgdR3sWx5LALonQK4

Score

10^/10

oski stormkitty infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

web24host.com/a/a/www/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001f45f-6.dat	family_stormkitty
behavioral2/memory/5092-22-0x0000000000B90000-0x0000000000BE0000-memory.dmp	family_stormkitty
behavioral2/memory/5092-28-0x0000000003680000-0x00000000036F4000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	e4086615e3011d916a50689cef433c77.exe

Executes dropped EXE 3 IoCs

pid	Process
5092	Microsoft Update.exe
208	Cliper.exe
3924	MACGen.v1.7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3812	208	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5092	Microsoft Update.exe
5092	Microsoft Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	Microsoft Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3924	MACGen.v1.7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 5092	4712	e4086615e3011d916a50689cef433c77.exe	90
PID 4712 wrote to memory of 5092	4712	e4086615e3011d916a50689cef433c77.exe	90
PID 4712 wrote to memory of 208	4712	e4086615e3011d916a50689cef433c77.exe	91
PID 4712 wrote to memory of 208	4712	e4086615e3011d916a50689cef433c77.exe	91
PID 4712 wrote to memory of 208	4712	e4086615e3011d916a50689cef433c77.exe	91
PID 4712 wrote to memory of 3924	4712	e4086615e3011d916a50689cef433c77.exe	94
PID 4712 wrote to memory of 3924	4712	e4086615e3011d916a50689cef433c77.exe	94
PID 4712 wrote to memory of 3924	4712	e4086615e3011d916a50689cef433c77.exe	94

C:\Users\Admin\AppData\Local\Temp\e4086615e3011d916a50689cef433c77.exe
"C:\Users\Admin\AppData\Local\Temp\e4086615e3011d916a50689cef433c77.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Users\Admin\AppData\Local\Temp\Cliper.exe
  "C:\Users\Admin\AppData\Local\Temp\Cliper.exe"
  2⤵
  - Executes dropped EXE
  PID:208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1332
    3⤵
    - Program crash
    PID:3812
- C:\Users\Admin\AppData\Local\Temp\MACGen.v1.7.exe
  "C:\Users\Admin\AppData\Local\Temp\MACGen.v1.7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 208 -ip 208
1⤵
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cliper.exe

Filesize
200KB

MD5
94835b6d4af91fc977e840d64adaa485

SHA1
77635f373780022f21f74ade8ee80d0e652248ed

SHA256
9e2455642e046af82e21bdc6bc8659a5acc10796e383dcd7064227b0e8c6675b

SHA512
c1ff6e810d1f3476e635a206ef7b9e762230e29a0608cb961df6931d415315e1661277f2cebb2bdd15ef8291c5adae7311f97f0690aefea8fc4a3af1665d779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cliper.exe

Filesize
116KB

MD5
2349d645473211c3df963a9361beba11

SHA1
346979eaeca281d0c0934caafe93bfd646d49f08

SHA256
3547fa946349d4b36040db585784d9f9f7bc57693c6891f4f503a1d8c161a8c1

SHA512
b4748cb3dc593d857bffcf56570bcd35c9deee4765d232d880f8fd84eb0d7922b5143353a4ab7c7af019d161e54a94c8026a6ac8f9dc6f325170c5abb0b1b83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MACGen.v1.7.exe

Filesize
375KB

MD5
91ba2a9793b8a640943c31b27a24c6dc

SHA1
fa70888303662b06dfa41fe31a8400bd19df3e0d

SHA256
5f180614e2148352ed3d432f07bb0a31ad0a7bab981ae4e4b58f54b0572b19c0

SHA512
282fc241b2692568ac2fbadf26cb513cd34bd0fff683fbb35beede1968fb9e2e422eda5e719dd91aba920e55a469a393571ae814febe17df177dcf74c44e2dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MACGen.v1.7.exe

Filesize
896KB

MD5
4b4cd2d175448a5888d07d1222c3d876

SHA1
e8929346ecc23647a2c66f6e68a8554c091fbeef

SHA256
1bc274a3e47d802bcb0839b53d15119b7d1dd2568643374bfcf4639fe4e2e0cf

SHA512
fb0a0ad9b259404b85daa1931b2162fef4080e051298a785b53b408d132ecbb9b64bf67ae64401a7695ce104d2c674016997c2a4b93d9d61ce75a73a874a702b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe

Filesize
310KB

MD5
56b988f42827cff418d61f5738beb321

SHA1
d1440332895941edfa037d425eff00c109cfc15a

SHA256
43f322f83191d6990afee7dc4b5528e217e162b434afe06478f191d76b64d939

SHA512
2792bd3e0a1750fce7f33a06f78bb23df20ab6c841b5228d0cd3709afe578fc0af0596e9e9d7ec958a3a3b103df014b7db8fd7fe323e993e32971b3460af1506

Download Submit
memory/3924-48-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/3924-46-0x0000000000400000-0x0000000001415000-memory.dmp

Filesize
16.1MB

Download
memory/3924-42-0x0000000000400000-0x0000000001415000-memory.dmp

Filesize
16.1MB

Download
memory/3924-34-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/5092-28-0x0000000003680000-0x00000000036F4000-memory.dmp

Filesize
464KB

Download
memory/5092-29-0x00007FFE596D0000-0x00007FFE5A191000-memory.dmp

Filesize
10.8MB

Download
memory/5092-33-0x0000000003640000-0x0000000003650000-memory.dmp

Filesize
64KB

Download
memory/5092-45-0x00007FFE596D0000-0x00007FFE5A191000-memory.dmp

Filesize
10.8MB

Download
memory/5092-47-0x0000000003640000-0x0000000003650000-memory.dmp

Filesize
64KB

Download
memory/5092-30-0x0000000003650000-0x0000000003656000-memory.dmp

Filesize
24KB

Download
memory/5092-22-0x0000000000B90000-0x0000000000BE0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing