oski | b29df81720ce329eaa0f4304025431f95e2160b2d2c88c86ac37a33d030d54f4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 02:08

Target

23f2e867ddbbe2e6c9e7959bae0df84e.ps1
Size

485KB
MD5

23f2e867ddbbe2e6c9e7959bae0df84e
SHA1

7a9568574654f6207804900ca0bb75c5413c363b
SHA256

b29df81720ce329eaa0f4304025431f95e2160b2d2c88c86ac37a33d030d54f4
SHA512

3eae942ac2b0e40179422058bd47813a1f9b8406dc961978b31c501d25aac743a6e7a4bb5068bb32293497c0ea37ec46aafeb856af1aa59505ad029b840b83bf
SSDEEP

12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64oigu:q31u

Score

10^/10

oski infostealer

Family

oski

103.114.107.28/l5/

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 4856	4736	powershell.exe	23

Suspicious behavior: EnumeratesProcesses 8 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3348	4736	powershell.exe	22
PID 4736 wrote to memory of 3348	4736	powershell.exe	22
PID 4736 wrote to memory of 3348	4736	powershell.exe	22
PID 4736 wrote to memory of 1876	4736	powershell.exe	25
PID 4736 wrote to memory of 1876	4736	powershell.exe	25
PID 4736 wrote to memory of 1876	4736	powershell.exe	25
PID 4736 wrote to memory of 3236	4736	powershell.exe	24
PID 4736 wrote to memory of 3236	4736	powershell.exe	24
PID 4736 wrote to memory of 3236	4736	powershell.exe	24
PID 4736 wrote to memory of 4856	4736	powershell.exe	23
PID 4736 wrote to memory of 4856	4736	powershell.exe	23
PID 4736 wrote to memory of 4856	4736	powershell.exe	23
PID 4736 wrote to memory of 4856	4736	powershell.exe	23
PID 4736 wrote to memory of 4856	4736	powershell.exe	23
PID 4736 wrote to memory of 4856	4736	powershell.exe	23
PID 4736 wrote to memory of 4856	4736	powershell.exe	23
PID 4736 wrote to memory of 4856	4736	powershell.exe	23
PID 4736 wrote to memory of 4856	4736	powershell.exe	23

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\23f2e867ddbbe2e6c9e7959bae0df84e.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:3348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:4856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:3236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  #cmd
  2⤵
  PID:1876

memory/4736-9-0x0000028127C10000-0x0000028127C32000-memory.dmp

Filesize
136KB

Download
memory/4736-10-0x00007FF9CC9B0000-0x00007FF9CD471000-memory.dmp

Filesize
10.8MB

Download
memory/4736-12-0x0000028140280000-0x0000028140290000-memory.dmp

Filesize
64KB

Download
memory/4736-11-0x0000028140280000-0x0000028140290000-memory.dmp

Filesize
64KB

Download
memory/4736-18-0x00007FF9CC9B0000-0x00007FF9CD471000-memory.dmp

Filesize
10.8MB

Download
memory/4736-13-0x0000028127C40000-0x0000028127C52000-memory.dmp

Filesize
72KB

Download
memory/4856-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4856-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4856-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4856-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4856-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download