General

  • Target

    ExeFile (339).exe

  • Size

    861KB

  • Sample

    240820-rjp6jazeqr

  • MD5

    c20ef4961ce6eb9dd5654242ec1b418c

  • SHA1

    076cb25979115c1a5baa95807f993c90f629c524

  • SHA256

    80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352

  • SHA512

    e518cd58bcab49e1359d6e60fe71a12c40d6c3f3e8dcfbf974848edb901231b8bd70271fc64f55c0cd8777e975ffee08b17607e4c4bd9744a4193b2a5739a9a2

  • SSDEEP

    24576:ZQqPByJzhAfD7MjzlR7m8Sdu3ar3kxggWq:ZQqZ0z0MjHy8mxrgl

Malware Config (extracted)

  • Family

    oski

  • C2

    45.141.84.184

Targets

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1553 Subvert Trust Controls (1)
    T1553.003 SIP and Trust Provider Hijacking (1)
    T1112 Modify Registry (1)
    T1140 Deobfuscate/Decode Files or Information (1)
    T1564 Hide Artifacts (1)
    T1564.001 Hidden Files and Directories (1)

  • Discovery

    T1614 System Location Discovery (1)
    T1614.001 System Language Discovery (1)
    T1016 System Network Configuration Discovery (1)
    T1016.001 Internet Connection Discovery (1)
    T1018 Remote System Discovery (1)

Tasks