MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0231aa0cf3686c184fb9dd21492fe6f5a7615719a74fb341d7369283f559a2c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OskiStealer


Vendor detections: 8



SHA256 hash: 0231aa0cf3686c184fb9dd21492fe6f5a7615719a74fb341d7369283f559a2c7
SHA3-384 hash: 449f716d0360254f0a7f29f3543fa18ced397d09b2126744d10f718f2d3434539da6a20b93dbf76f76b7bf879d8fafab
SHA1 hash: cf5decb3634809e4b8235cd3d7ae1e7f5a89937b
MD5 hash: 41c7582c480287b17b913476b83cfe5d
humanhash: lion-magazine-montana-echo
File name: Detalles de devolución de pago.xlsx (Spanish: "Payment refund details")
Signature: OskiStealer
File size: 691'567 bytes
First seen: 2021-08-24 22:44:35 UTC
Last seen: 2021-08-25 05:45:56 UTC
File type: Excel file (xlsx)
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 12288:x0NkSqa1Lo6MQVmmUXnuI0DC7YY/1I0ezrsiRYo0KLVElCBW:x1SZC6MDLuI027rdI0ezYiJ0dlC4
TLSH: T1D8E4232CC1E90AF349A92570F94E93EDE4D832EEC374074991388A6D67C4DEFD84A749
Reporter: AndreGironda
Tags: CVE-2017-11882 OskiStealer xlsx


Comment by AndreGironda:
MITRE T1566.001
Date: Tue, 24 Aug 2021 21:00-22:00 +0100
Received: from srvk111.controlvps.com (srvk111.allytech.com [190.210.196.111])
From: PAGOS <pagogtiaspep@cnhmexico.com.mx>
Subject: DEVOLUCIÓN DE PAGO TT (Ref 0180066743) [Spanish: "PAYMENT REFUND TT"]
Message-ID: <67050414e3a5137a7fb7262297c1468f@cnhmexico.com.mx>
User-Agent: Roundcube Webmail/1.4.2

Intelligence

File Origin
# of uploads: 2
# of downloads: 117
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Detalles de devolución de pago.xlsx
Verdict: No threats detected
Analysis date: 2021-08-24 22:46:15 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Launching a process
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Sending a UDP request
Creating a file
Connection attempt
Deleting a recently created file
Replacing files
Connection attempt by exploiting the app vulnerability
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Creating a process from a recently created file
Result
Verdict: Malicious
File type: OOXML Excel File with Embedding Objects
Payload URLs (URL, file name in which it was found):
https://www.iconomi.net/ (in sharedStrings.xml)
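The vendor result above describes the sample as an OOXML workbook with embedded objects and reports a URL found in xl/sharedStrings.xml, and the entry is tagged CVE-2017-11882 (the Equation Editor flaw). The following Python is an added example, not MalwareBazaar's or any vendor's tooling, of how a practitioner triages such a file offline: it computes the hashes shown in the entry header for comparison, lists the embedded object parts, looks for the Equation Editor indicators (the `Equation.3` ProgID in the worksheet XML and in the OLE container, and the `Equation Native` stream name in the compound-file directory) and extracts URLs from sharedStrings.xml. It runs on a constructed in-memory .xlsx produced by `build_constructed_sample()`, not on the real sample; the function and field names are the example's own, and the indicator checks are byte-string heuristics rather than a full OLE/CFB parser.

```python
"""Offline static triage of an OOXML (.xlsx) sample: hashes, embedded OLE
objects, Equation Editor (CVE-2017-11882) indicators and URLs in
xl/sharedStrings.xml. Added example, not MalwareBazaar or vendor code.
The indicator checks are byte-string heuristics, not a full OLE/CFB parser."""
import hashlib
import io
import re
import zipfile
from typing import Dict

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # compound-file header signature
EQUATION_PROGID = b"Equation.3"                           # ProgID in CompObj stream / sheet XML
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")  # CFB directory entry name (UTF-16LE)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._\-/%?=&#:+~]+")


def hashes(data: bytes) -> Dict[str, str]:
    """The hashes shown in the entry header, for matching a local file against it."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha3_384")}


def triage_xlsx(data: bytes) -> Dict:
    """Inspect an .xlsx (a ZIP of XML parts) without rendering it."""
    report = {"hashes": hashes(data), "embeddings": [], "urls": [],
              "equation_progid_in_sheet": False, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("xl/embeddings/"):
                blob = zf.read(name)
                report["embeddings"].append({
                    "part": name,
                    "is_ole": blob.startswith(OLE_MAGIC),
                    "equation_progid": EQUATION_PROGID in blob,
                    "equation_native_stream": EQUATION_NATIVE in blob,
                })
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                # Excel records embedded objects as <oleObject progId="..."> in the sheet XML.
                if b'progId="Equation.3"' in zf.read(name):
                    report["equation_progid_in_sheet"] = True
        if "xl/sharedStrings.xml" in names:
            found = URL_RE.findall(zf.read("xl/sharedStrings.xml"))
            report["urls"] = sorted({u.decode("ascii", "replace") for u in found})
    equation = report["equation_progid_in_sheet"] or any(
        e["equation_progid"] or e["equation_native_stream"] for e in report["embeddings"])
    if equation:
        report["verdict"] = "suspicious: embedded Equation Editor object (CVE-2017-11882 delivery pattern)"
    elif report["embeddings"]:
        report["verdict"] = "review: embedded OLE object(s) present"
    return report


def build_constructed_sample(with_equation: bool = True) -> bytes:
    """Constructed stand-in for the real sample (which is not embedded here): a
    minimal workbook with the entry's payload URL in sharedStrings.xml and,
    optionally, a fake OLE blob carrying the Equation Editor markers."""
    parts = {
        "[Content_Types].xml": (b'<?xml version="1.0" encoding="UTF-8"?><Types xmlns='
                                b'"http://schemas.openxmlformats.org/package/2006/content-types"/>'),
        "xl/workbook.xml": b"<workbook/>",
        "xl/sharedStrings.xml": (b"<sst><si><t>Detalles de devolucion de pago</t></si>"
                                 b"<si><t>https://www.iconomi.net/</t></si></sst>"),
    }
    if with_equation:
        parts["xl/worksheets/sheet1.xml"] = (b'<worksheet><oleObjects><oleObject progId="Equation.3" '
                                             b'shapeId="1025" r:id="rId1"/></oleObjects></worksheet>')
        # Not a valid compound file: just the header magic plus the two marker strings.
        parts["xl/embeddings/oleObject1.bin"] = (OLE_MAGIC + b"\x00" * 24 + EQUATION_NATIVE
                                                 + b"\x00" * 8 + EQUATION_PROGID + b"\x00")
    else:
        parts["xl/worksheets/sheet1.xml"] = b"<worksheet><sheetData/></worksheet>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            info = zipfile.ZipInfo(name, date_time=(2021, 8, 24, 22, 44, 35))  # fixed for reproducible hashes
            zf.writestr(info, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_xlsx(build_constructed_sample()).items():
        print(f"{key}: {value}")
```

To run this against a downloaded copy of the sample, pass the file's bytes to `triage_xlsx()`; the `hashes()` values should then match the SHA256, SHA1, MD5 and SHA3-384 in the entry header. A hit on the Equation Editor markers identifies the delivery vector only; confirming that the object actually carries the CVE-2017-11882 trigger requires parsing the MTEF records in the Equation Native stream, which this example does not do.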
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signatures:
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Result
Threat name: Document-Office.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2021-08-24 22:45:12 UTC
AV detection: 16 of 46 (34.78%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:oski discovery infostealer spyware stealer suricata
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Launches Equation Editor
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction: ck7.mooo.com
Please note that we are no longer able to provide a coverage score for Virus Total.
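The sandbox behaviour listed above (Excel launching Equation Editor, a file created under %AppData% and then executed, a dropped process posting data to the extracted C2) maps directly onto host-based detection rules. The following Python is an added example, not the sandboxes' or MalwareBazaar's code, that runs those rules over a constructed, Sysmon-like process and network event stream. The event field names (`type`, `pid`, `ppid`, `image`, `path`, `dst_host`, `method`), the victim paths and the dropped-file name are assumptions made for the example; the only values taken from the entry are the Equation Editor binary name, the payload URL host and the C2 host `ck7.mooo.com` from the Malware Config above.

```python
"""Host-based detections for the behaviour chain above, run over a
constructed Sysmon-like event stream. Added example, not vendor or
MalwareBazaar code; event field names, paths and PIDs are assumptions."""
from typing import Dict, Iterator, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EQNEDT = "eqnedt32.exe"          # Equation Editor, the CVE-2017-11882 target
KNOWN_C2 = {"ck7.mooo.com"}      # C2 extracted for this sample (see Malware Config above)

# Constructed event stream (not real telemetry); the dropped-file name is made up.
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"type": "network", "pid": 200, "dst_host": "www.iconomi.net", "method": "GET"},
    {"type": "file_create", "pid": 200, "path": r"C:\Users\victim\AppData\Roaming\dropped.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Users\victim\AppData\Roaming\dropped.exe"},
    {"type": "network", "pid": 300, "dst_host": "ck7.mooo.com", "method": "POST"},
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[str]:
    """Return alert names in the order the events trigger them."""
    procs: Dict[int, Dict] = {}    # pid -> process_create event
    created: Dict[str, int] = {}   # lower-cased path -> pid that wrote it
    alerts: List[str] = []

    def ancestors(pid: int) -> Iterator[int]:
        """Walk the ppid chain of a known process."""
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            pid = procs[pid]["ppid"]
            yield pid

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"])
            child = basename(ev["image"])
            parent_img = basename(parent["image"]) if parent else ""
            # Office application spawning Equation Editor: the CVE-2017-11882 trigger pattern.
            if parent_img in OFFICE_APPS and child == EQNEDT:
                alerts.append("office_spawned_equation_editor")
            # Equation Editor has no legitimate reason to spawn child processes.
            if parent_img == EQNEDT:
                alerts.append("equation_editor_spawned_child")
            # "Creating a process from a recently created file": the image was
            # written earlier by an ancestor of the new process.
            creator = created.get(ev["image"].lower())
            if creator is not None and creator in set(ancestors(ev["pid"])):
                alerts.append("dropped_file_executed")
        elif kind == "file_create":
            created[ev["path"].lower()] = ev["pid"]
        elif kind == "network":
            img = procs.get(ev["pid"], {}).get("image", "")
            # Equation Editor making network requests is the downloader stage.
            if basename(img) == EQNEDT:
                alerts.append("equation_editor_network_activity")
            if ev["dst_host"].lower() in KNOWN_C2:
                alerts.append("known_c2_contact")
            # Stealer exfil: a binary running from %AppData% posting data out.
            if ev.get("method") == "POST" and "\\appdata\\" in img.lower():
                alerts.append("appdata_process_posts_data")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The rules are deliberately chained: the parent/child checks on their own flag the exploit stage, the dropped-file rule ties the %AppData% binary back to the Equation Editor process that wrote it, and the C2 rule uses the host from the Malware Config rather than a pattern. In a real deployment the ancestor lookup must be bounded by time and by PID reuse, which this constructed stream does not model.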

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: OskiStealer
Samples:
Excel file xlsx 0231aa0cf3686c184fb9dd21492fe6f5a7615719a74fb341d7369283f559a2c7 (this sample)
7b82ef67319cf926fedd28e2f74ffba0eb32a04ee4ab630c9500bf78bda18b20

Comments