oski | 8a7eedce7576affb0bcb4fad28a5fdb6c5581efa956aaba80193c18b475266c4 | Triage

Submit
Reports

Overview

overview

Static

static

8

HR-Ageing-Report.ppt

windows7_x64

HR-Ageing-Report.ppt

windows10_x64

Sharing

General

Target

HR-Ageing-Report.ppt
Size

82KB
Sample

210731-e725nnlpgn
MD5

e2c84712e1b4ff68b9d85729dbda044a
SHA1

c095064894d2ac8c0864d68d5de14324e49ce010
SHA256

8a7eedce7576affb0bcb4fad28a5fdb6c5581efa956aaba80193c18b475266c4
SHA512

a5af0aae421fdac20de13c008d4f5656f3efcc1d2805c75f467e097687056ea96e6e2981fe71b27dc05c0027904608b673f008ab248686a2a12c938af4ad07f3

Score

10^/10

oski infostealer macro spyware suricata

Static task

static1

Behavioral task

behavioral1

Sample

HR-Ageing-Report.ppt

Resource

win7v20210408

oski infostealer spyware suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

HR-Ageing-Report.ppt

Resource

win10v20210410

oski infostealer spyware suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

oski

C2

103.99.1.60/we/king/

Targets

- Target
  
  HR-Ageing-Report.ppt
- Size
  
  82KB
- MD5
  
  e2c84712e1b4ff68b9d85729dbda044a
- SHA1
  
  c095064894d2ac8c0864d68d5de14324e49ce010
- SHA256
  
  8a7eedce7576affb0bcb4fad28a5fdb6c5581efa956aaba80193c18b475266c4
- SHA512
  
  a5af0aae421fdac20de13c008d4f5656f3efcc1d2805c75f467e097687056ea96e6e2981fe71b27dc05c0027904608b673f008ab248686a2a12c938af4ad07f3
Score

10^/10

oski infostealer spyware suricata
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

oskiinfostealerspywaresuricata

behavioral2

oskiinfostealerspywaresuricata

© 2018-2024

Terms | Privacy