oski | cd986b32c220cc04c9feb5e42a393fb34efc884d176e6d8d266e54ac4840cfa3

Analysis

max time kernel
0s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oski Cracked.exe
Size

4.5MB
MD5

a52baa5b64635eec7c7b888bff016aac
SHA1

a86b895b483df3c657553f498ebcd9c97b89415f
SHA256

cd986b32c220cc04c9feb5e42a393fb34efc884d176e6d8d266e54ac4840cfa3
SHA512

bed140ed03ed4b5da82edf1139eced7c84a56fe75f5a8926002414ed0b8f25fbb6cbf9e3111ff6d9b5d942382be331a674f17cf10b2150f171f32276ad4b3980
SSDEEP

98304:iJCbuSMburCaMZh0yEKj+WRvrY1dcZ048HV/bFy8jJ7APB:8mMbuQZlFY7KsZPNA

Score

10^/10

oski quasar vilva v3 infostealer spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

VILVA V3

67.213.221.18:7812

Mutex

VNM_MUTEX_DR6NAzaayWgRGuLNpp

Attributes

encryption_key
izGdDJVzqIzRDlXcooB4
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Service
subdirectory
WindowsDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Security.exe	disable_win_def
behavioral3/memory/1948-27-0x0000000000F60000-0x0000000000FEC000-memory.dmp	disable_win_def

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Security.exe	family_quasar
behavioral3/memory/1948-27-0x0000000000F60000-0x0000000000FEC000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1996 schtasks.exe
5772 schtasks.exe

flow	ioc
6	ip-api.com

pid	process
1996	schtasks.exe
5772	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"
1⤵
PID:664

C:\Users\Admin\AppData\Roaming\Windows Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Security.exe"
2⤵
PID:1948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1996

C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"
3⤵
PID:2512

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
3⤵
PID:5336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
4⤵
PID:3220

C:\Users\Admin\AppData\Roaming\Oski Cracked.exe
"C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"
2⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_meixfvqi.0ex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Oski Cracked.exe

Filesize
1.3MB

MD5
ff1d737b2fc98d95286ff7b3a60398ac

SHA1
6b0534f50e7ff18dd560d63577ce6d3b4aeef920

SHA256
6c164f752c05a9ecfd49bb1ee95d41a32506b55598968fe2049f9f98d76ab342

SHA512
7dff7ddbab978504383dea55e79206bf81ae64a52863351925af306f13ea0d95e4acd9f7ff295747d82d4e6e7c6f9a062bc2864cb90f71a71c45a067fdf62456

Download Submit
C:\Users\Admin\AppData\Roaming\Oski Cracked.exe

Filesize
448KB

MD5
d6f3aa7f5a5a24108b03aa05f63c5b45

SHA1
598fa1c97916171f354a5b1b282205d9deeb7bf5

SHA256
18aacee9707f468ec55101a81e2acd7886c14ec52144839472f5cf8c4d409134

SHA512
7e009f48c26c9b0b1b03531d232041392164fee64025692f173f648d02fc511dcf05a8c91c69ac38f1b3e35a12b7fad98c2284d163d469c436b7947016e76738

Download Submit
C:\Users\Admin\AppData\Roaming\Oski Cracked.exe

Filesize
1.5MB

MD5
7c05cfbc906e9a9233cc02699f98f69f

SHA1
05715bf9dc07eea578e330b084b900f118d799de

SHA256
7f0a68f3c73c980b16e04ac8ae43524ab8d83aabc0486b0a8335bb2224b13053

SHA512
ba243ba1a00accaacfbbbf63b317fd938b7c24399d2cea8c2a5546ff53eb29b1ba183a21f4cd36062fc901474d15265b658d97f1efabd49fd239bbd2722b5fa2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security.exe

Filesize
534KB

MD5
deb0b7c057e00267baf93d2be0fd5e9f

SHA1
0938426efa7763dde948ce903b46bc88c7f8bf04

SHA256
401d7686d9400875f1ee068006e7142c1bdc1108d4ddb3113924dddb312be7d5

SHA512
e9d5986b49339fb99703d34743fec5a6522e4c2d05a81a818d58c9f15a1144d338058ebdb3076f5a683cd5bf03d01ac50156f2063450d4955f7cf854b2d1869e

Download Submit
memory/664-29-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/664-2-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/664-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/664-0-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/1948-27-0x0000000000F60000-0x0000000000FEC000-memory.dmp

Filesize
560KB

Download
memory/1948-37-0x0000000006C10000-0x0000000006C4C000-memory.dmp

Filesize
240KB

Download
memory/1948-34-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/1948-32-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/1948-31-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/1948-87-0x00000000723EE000-0x00000000723EF000-memory.dmp

Filesize
4KB

Download
memory/1948-35-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1948-36-0x00000000066D0000-0x00000000066E2000-memory.dmp

Filesize
72KB

Download
memory/1948-22-0x00000000723EE000-0x00000000723EF000-memory.dmp

Filesize
4KB

Download
memory/1948-90-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/2512-78-0x0000000006860000-0x000000000686A000-memory.dmp

Filesize
40KB

Download
memory/2676-91-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2676-30-0x0000000000560000-0x0000000000956000-memory.dmp

Filesize
4.0MB

Download
memory/2676-89-0x00007FFC53070000-0x00007FFC53B31000-memory.dmp

Filesize
10.8MB

Download
memory/2676-88-0x00007FFC53073000-0x00007FFC53075000-memory.dmp

Filesize
8KB

Download
memory/2676-60-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/2676-28-0x00007FFC53073000-0x00007FFC53075000-memory.dmp

Filesize
8KB

Download
memory/2676-33-0x00007FFC53070000-0x00007FFC53B31000-memory.dmp

Filesize
10.8MB

Download
memory/2676-59-0x000000001B6A0000-0x000000001BABC000-memory.dmp

Filesize
4.1MB

Download
memory/4520-44-0x00000000057A0000-0x0000000005DC8000-memory.dmp

Filesize
6.2MB

Download
memory/4520-79-0x0000000007C30000-0x0000000007CC6000-memory.dmp

Filesize
600KB

Download
memory/4520-73-0x0000000007840000-0x00000000078E3000-memory.dmp

Filesize
652KB

Download
memory/4520-72-0x0000000006C10000-0x0000000006C2E000-memory.dmp

Filesize
120KB

Download
memory/4520-61-0x0000000006C50000-0x0000000006C82000-memory.dmp

Filesize
200KB

Download
memory/4520-75-0x0000000007990000-0x00000000079AA000-memory.dmp

Filesize
104KB

Download
memory/4520-74-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/4520-76-0x0000000007A30000-0x0000000007A3A000-memory.dmp

Filesize
40KB

Download
memory/4520-58-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/4520-62-0x00000000704C0000-0x000000007050C000-memory.dmp

Filesize
304KB

Download
memory/4520-80-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

Filesize
68KB

Download
memory/4520-82-0x0000000007BF0000-0x0000000007C04000-memory.dmp

Filesize
80KB

Download
memory/4520-84-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

Filesize
32KB

Download
memory/4520-83-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

Filesize
104KB

Download
memory/4520-81-0x0000000007BE0000-0x0000000007BEE000-memory.dmp

Filesize
56KB

Download
memory/4520-57-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/4520-52-0x00000000060D0000-0x0000000006424000-memory.dmp

Filesize
3.3MB

Download
memory/4520-46-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/4520-45-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/4520-43-0x0000000002DE0000-0x0000000002E16000-memory.dmp

Filesize
216KB

Download