oski | 60ab432b7935cea8af65b4d148e305f0650d89415274dba163489af6cd2ce38e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25_d4033589956157929738ba378a9f50fb_karagany_mafia.exe
Size

200KB
MD5

d4033589956157929738ba378a9f50fb
SHA1

e85775f7e2faffc66a468f677efaed5006728ff1
SHA256

60ab432b7935cea8af65b4d148e305f0650d89415274dba163489af6cd2ce38e
SHA512

ca90b1bea7bce32e538fafbefed704cbb823e8e7a5dd93afcaa53f9ea0618a0873e73bf35883ea3ce0bc6a3ed898b622e784ddcbe4b6acd66b4c679e32d22a75
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIS1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNH1Ljo3c

Score

10^/10

oski discovery infostealer spyware stealer

Malware Config

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Oski family
oski
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2100	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-25_d4033589956157929738ba378a9f50fb_karagany_mafia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2700	2100	2024-12-25_d4033589956157929738ba378a9f50fb_karagany_mafia.exe	31
PID 2100 wrote to memory of 2700	2100	2024-12-25_d4033589956157929738ba378a9f50fb_karagany_mafia.exe	31
PID 2100 wrote to memory of 2700	2100	2024-12-25_d4033589956157929738ba378a9f50fb_karagany_mafia.exe	31
PID 2100 wrote to memory of 2700	2100	2024-12-25_d4033589956157929738ba378a9f50fb_karagany_mafia.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-12-25_d4033589956157929738ba378a9f50fb_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25_d4033589956157929738ba378a9f50fb_karagany_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 756
  2⤵
  - Program crash
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msvcp140.dll

Filesize
196B

MD5
62962daa1b19bbcc2db10b7bfd531ea6

SHA1
d64bae91091eda6a7532ebec06aa70893b79e1f8

SHA256
80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

SHA512
9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

Download Submit