MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dccd79ade11bf53229a6c4e89487c600a810d2180f3f79eb784917b26462d95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs 7 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dccd79ade11bf53229a6c4e89487c600a810d2180f3f79eb784917b26462d95
SHA3-384 hash: 72ac74292568f3f23ad987578f43c0fc3dca7ca6b5350b46165c6ce73af259bffc917a63e0ada230a727ce187d865865
SHA1 hash: a63a9796145440c771e9c93c00a885a72e5d1472
MD5 hash: 6bf2ef45f0156e5a3b721c127bb416c1
humanhash: pip-five-rugby-alabama
File name:IMG05773060.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:275'440 bytes
First seen:2021-06-08 16:13:07 UTC
Last seen:2021-06-08 16:46:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:5wOStfBqHu036OdSV2bE00RD9WGBfkPI8wU1:qJf260Q2j0PWkMP5wU1
Threatray 41 similar samples on MalwareBazaar
TLSH 664412011719915BC59308B9ADB6F118BBB4EE55DE1390EB7DA8F34F0EF97C8918202B
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://203.159.80.9/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://203.159.80.9/6.jpg https://threatfox.abuse.ch/ioc/75607/
http://203.159.80.9/1.jpg https://threatfox.abuse.ch/ioc/75608/
http://203.159.80.9/2.jpg https://threatfox.abuse.ch/ioc/75609/
http://203.159.80.9/3.jpg https://threatfox.abuse.ch/ioc/75610/
http://203.159.80.9/4.jpg https://threatfox.abuse.ch/ioc/75611/
http://203.159.80.9/5.jpg https://threatfox.abuse.ch/ioc/75612/
http://203.159.80.9/7.jpg https://threatfox.abuse.ch/ioc/75613/

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165432/
Detection(s):
SecuriteInfo.com.Variant.Bulz.492775.25483.15585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/799035
Signature
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 431431 Sample: IMG05773060.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Yara detected Oski Stealer 2->43 45 Yara detected Vidar stealer 2->45 47 7 other signatures 2->47 8 IMG05773060.exe 20 2->8         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 8->23 dropped 25 C:\Users\user\AppData\...\IMG05773060.exe, PE32 8->25 dropped 27 C:\Users\user\...\notpad.exe:Zone.Identifier, ASCII 8->27 dropped 29 2 other malicious files 8->29 dropped 49 Creates an undocumented autostart registry key 8->49 51 Writes to foreign memory regions 8->51 53 Allocates memory in foreign processes 8->53 55 Injects a PE file into a foreign processes 8->55 12 IMG05773060.exe 193 8->12         started        signatures5 process6 dnsIp7 39 203.159.80.9, 49725, 80 LOVESERVERSGB Netherlands 12->39 31 C:\ProgramData\vcruntime140.dll, PE32 12->31 dropped 33 C:\ProgramData\sqlite3.dll, PE32 12->33 dropped 35 C:\ProgramData\softokn3.dll, PE32 12->35 dropped 37 4 other files (none is malicious) 12->37 dropped 57 Machine Learning detection for dropped file 12->57 59 Tries to harvest and steal browser information (history, passwords, etc) 12->59 61 Tries to steal Crypto Currency Wallets 12->61 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0dccd79ade11bf53229a6c4e89487c600a810d2180f3f79eb784917b26462d95/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 16:14:11 UTC
AV detection:
9 of 45 (20.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxgnpgw6cg7vgiu2nrhissd4maficdjbqdz7phvxqsixwjsgfwkq._file
Verdict:
unknown
Similar samples:
0f9850c44ac5621f9c56ff3e3937edec81c5cc5a21899a5e63f1818008a72b4f
OskiStealer
3163e680a9b1c5c3b4e64b0fe808b79c5090a69bb3a359fbe18bbf9064dc4517
OskiStealer
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
OskiStealer
3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078
OskiStealer
59c8046d5881928e5a24722e97f5fb8a480b6039728c0e31062c62b82eca75bb
OskiStealer
66c4b095722a3fedbc6c0279c57615abc384934fbdf91054d7d382ccd2560890
OskiStealer
96583d4f2a9b9330e5f08230b545a22bc109b7faf8ed0a989a846f861ff3ac9c
OskiStealer
a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33
OskiStealer
db23d6f5e2123cde47f4e3178bf18063aa3270d13499991200c9074a837eff07
OskiStealer
dc134764bb9eca9818ce764d9a4f04b75e8a99a00df3367b611737c00b4019b1
OskiStealer
+ 31 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210608-76e1m7egys/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
203.159.80.9
Unpacked files
SH256 hash:
fdbaae044a0194711c0415d3baa4b59c2ee9e52ec3129f9ac9ad1c0c2d642b86
MD5 hash:
64713b8b56ee1b5681426ee6ce962601
SHA1 hash:
a589b6574cad56669fc94711d5ade690cf214e42
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/7670556c-7c0c-473f-8f72-c025884f9cb8/
SH256 hash:
a4cbe2073cee7fd83df978f37ab972482113790923786515a32b1ffaa9f11582
MD5 hash:
3ef8a9feb7d097b3c1cfde96bdc0168e
SHA1 hash:
8fee224d2e8f74720b903ced8fc8830678f364d1
Link:
https://www.unpac.me/results/7670556c-7c0c-473f-8f72-c025884f9cb8/
SH256 hash:
ea4ad05672078ca56f9399719f20a6d6a649acf1904b5ab3e2ec0defc7da1d8f
MD5 hash:
a145b19c7b8e408a1b687fd7a0127be8
SHA1 hash:
6f9e25866135fc753a9f17d79c3e6ba412867e90
Link:
https://www.unpac.me/results/7670556c-7c0c-473f-8f72-c025884f9cb8/
SH256 hash:
0dccd79ade11bf53229a6c4e89487c600a810d2180f3f79eb784917b26462d95
MD5 hash:
6bf2ef45f0156e5a3b721c127bb416c1
SHA1 hash:
a63a9796145440c771e9c93c00a885a72e5d1472
Link:
https://www.unpac.me/results/7670556c-7c0c-473f-8f72-c025884f9cb8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0dccd79ade11bf53229a6c4e89487c600a810d2180f3f79eb784917b26462d95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165432/

Comments