MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 064ac9ba6695cc56f687e0a0a6bc06c30f4c8f5276e52630e7aa27b02ce8feab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 064ac9ba6695cc56f687e0a0a6bc06c30f4c8f5276e52630e7aa27b02ce8feab
SHA3-384 hash: 834398b9fda680a8ad0ccd2070267a31acdf3f02fc1595bf3e9f480dd2d3fb24e60e405ade6af53466dd8fe62f4056e2
SHA1 hash: 06a45e360bacea4a0e4ccb833986cb78bd40709a
MD5 hash: 0f1616761218cc9712dcd268f4bb2d3f
humanhash: green-video-bulldog-football
File name:SecuriteInfo.com.Trojan.GenericKD.46209179.14691.15796
Download: download sample
Signature OskiStealer
Create hunting rule
File size:807'224 bytes
First seen:2021-05-03 12:15:29 UTC
Last seen:2021-05-03 13:05:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0BnThatC66gwoRAsAjrarTo7skY2XqzB3jn/:2Tha0STRCJYk5qzB3j/
Threatray 6 similar samples on MalwareBazaar
TLSH BE056B04A3EC9626D1EE3B75B9702B1047F5FD02B176D74F99C8B5A998B3B814C40BA3
Reporter SecuriteInfoCom
Tags:OskiStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148462/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46209179.14691.15796.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707806
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/064ac9ba6695cc56f687e0a0a6bc06c30f4c8f5276e52630e7aa27b02ce8feab/
Threat name:
ByteCode-MSIL.Hacktool.Lore
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 16:06:17 UTC
AV detection:
27 of 47 (57.45%)
Threat level:
  1/5
Verdict:
unknown
Similar samples:
0728fd4058762cdab5e5366f0e353fc86437707048e0a5a915a1d2c433a67c7c
OskiStealer
230105e9e7579165b1cfa4088219f9b16723242873b5167f55e639b0b2376b49
OskiStealer
2afd183ed90b0d240dad19c417fa762da0295aa0614dd20809b406e33ff2304f
OskiStealer
6e6132e3f3bc119adac878ba65475b581698e8dd7d2169f984bb5eb232f6b3c6
OskiStealer
aa8387d7f0ca4dd4df76445ce68a9851356a9407084c999190baf887ff617bfe
OskiStealer
c28d812d61b0fd0a86fce89b6ad22f29c8ad6c6b37bc88a944a968e35649d766
OskiStealer
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210503-vj3djwec1j/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Oski
Unpacked files
SH256 hash:
627313c62d851ad8948930eaf1b3e18f7a34f6131e3502a59c357bd39615f07f
MD5 hash:
48a8b4e53668bae5b7ac1c5660a2ef5e
SHA1 hash:
8b776e6fdd9ca11feeca248e11f56c0f69efa682
Link:
https://www.unpac.me/results/2fa7f798-ff2b-408a-b4d0-0c710169cc15/
SH256 hash:
11b21a35d0dcdf39cd34458455f6f6668dc6d57379b1385a2c402e840e131d5f
MD5 hash:
82fa4787f4bf874ca08f365aaf796f81
SHA1 hash:
76f8d7004dadc7a65198a775ddf53b2c6ee4800d
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/2fa7f798-ff2b-408a-b4d0-0c710169cc15/
Parent samples :
7376932014797e4b7f5a1c4776d865e1ba03cba69d9811f11a449c188157c918
25372a9d5205bae496a358c0d33c9f4f9a6e4f3daa00e693cc1df5721c8227fb
064ac9ba6695cc56f687e0a0a6bc06c30f4c8f5276e52630e7aa27b02ce8feab
SH256 hash:
70868e19d8d77bb5a338516a6187df2c8e49db17b47e54d2f16c9dc6479773c6
MD5 hash:
14e9ede1a84be38da1ee2b0de276a597
SHA1 hash:
35db88930ee1e16ada8b3d52e23657ec00c17291
Link:
https://www.unpac.me/results/2fa7f798-ff2b-408a-b4d0-0c710169cc15/
SH256 hash:
064ac9ba6695cc56f687e0a0a6bc06c30f4c8f5276e52630e7aa27b02ce8feab
MD5 hash:
0f1616761218cc9712dcd268f4bb2d3f
SHA1 hash:
06a45e360bacea4a0e4ccb833986cb78bd40709a
Link:
https://www.unpac.me/results/2fa7f798-ff2b-408a-b4d0-0c710169cc15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/064ac9ba6695cc56f687e0a0a6bc06c30f4c8f5276e52630e7aa27b02ce8feab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe 064ac9ba6695cc56f687e0a0a6bc06c30f4c8f5276e52630e7aa27b02ce8feab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1187826/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/148462/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 13:03:53 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program