oski | 6b5481e8e3fda7186ac66ed4abec432e1dbae2c3c08aeb9da6d7e436238c8a4b

Analysis

max time kernel
122s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_7345bbdbe9233d4609f39e4c6ebdfb2b_karagany_mafia.exe
Size

202KB
MD5

7345bbdbe9233d4609f39e4c6ebdfb2b
SHA1

6c2a4553827dd8c0a57eb7da7710560b1a923a3f
SHA256

6b5481e8e3fda7186ac66ed4abec432e1dbae2c3c08aeb9da6d7e436238c8a4b
SHA512

dae2bcb52adc8d04a43a2f70cde5a1160fee98568c68cdb27ba25441d7360ddc78dd8a22c72e7779d8ba9497f460cafc56ba72a4f22ef4d054d314498257010c
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIv1Xi6FLPo3cx:WfUauY68uSWCx+XA7mg2pNC1Ljo3cx

Score

10^/10

oski infostealer spyware stealer

Malware Config

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	1704	WerFault.exe	14

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2624	1704	2024-01-11_7345bbdbe9233d4609f39e4c6ebdfb2b_karagany_mafia.exe	31
PID 1704 wrote to memory of 2624	1704	2024-01-11_7345bbdbe9233d4609f39e4c6ebdfb2b_karagany_mafia.exe	31
PID 1704 wrote to memory of 2624	1704	2024-01-11_7345bbdbe9233d4609f39e4c6ebdfb2b_karagany_mafia.exe	31
PID 1704 wrote to memory of 2624	1704	2024-01-11_7345bbdbe9233d4609f39e4c6ebdfb2b_karagany_mafia.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-01-11_7345bbdbe9233d4609f39e4c6ebdfb2b_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_7345bbdbe9233d4609f39e4c6ebdfb2b_karagany_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 608
  2⤵
  - Program crash
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msvcp140.dll

Filesize
154B

MD5
0e06f2e9352385962e61dd0ad4a4f55d

SHA1
ace9209ddb0ff7eeb739f62b98b5c4c35767fa95

SHA256
ffaff9ca0ad407dfd945db8ae6e8350e13b367583ad4a94ee6c0ff670166d8da

SHA512
741c627a32dfa67f07d600ada072b1ff1888bbcd676b55ba09fc67619b348df02929cf3f09b19f54c54cb0d29c3f8048b2e01d14171500e932bb25e36ff9f329

Download Submit