MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12bf1af82800824feaa1e3322543c477bda5fb78adb178bda9fc3439f78c22a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 11


Intelligence 11 IOCs 7 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12bf1af82800824feaa1e3322543c477bda5fb78adb178bda9fc3439f78c22a4
SHA3-384 hash: 7e67e00db86e67aae147067a0b54be42356eae54a52ed28bbaa32613668a5391649936d1809113c5cfcf6e2b9eed3146
SHA1 hash: 0a79f8c5bd035b063f6ec1405b7e536dd0154673
MD5 hash: 1fa31ec68a8c7b2261d965191f863c9b
humanhash: oxygen-freddie-fanta-orange
File name:1FA31EC68A8C7B2261D965191F863C9B.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:204'800 bytes
First seen:2021-05-23 15:55:38 UTC
Last seen:2021-05-23 16:00:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bb9d345a5fec4fbbf5100d6a3ffbb8c (88 x ArkeiStealer, 85 x OskiStealer, 1 x Reconyc)
ssdeep 3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIV1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNE1Ljo3c
Threatray 157 similar samples on MalwareBazaar
TLSH 9C146D30B690C035E8A310BCDDEE86BEB96C7A301F5950C3A3D45A662F712F27A71657
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://gimermarkett.de/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://gimermarkett.de/6.jpg https://threatfox.abuse.ch/ioc/57717/
http://gimermarkett.de/1.jpg https://threatfox.abuse.ch/ioc/57718/
http://gimermarkett.de/2.jpg https://threatfox.abuse.ch/ioc/57719/
http://gimermarkett.de/3.jpg https://threatfox.abuse.ch/ioc/57720/
http://gimermarkett.de/4.jpg https://threatfox.abuse.ch/ioc/57721/
http://gimermarkett.de/5.jpg https://threatfox.abuse.ch/ioc/57722/
http://gimermarkett.de/7.jpg https://threatfox.abuse.ch/ioc/57723/

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Oski_Cracked_gimermarkett.de.exe
Verdict:
Malicious activity
Analysis date:
2021-05-20 14:47:58 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/70319ec4-b018-4208-834c-5b05e65b776f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/160895/
Detection(s):
Win.Malware.Zusy-9781646-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.Vidar.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/789654
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12bf1af82800824feaa1e3322543c477bda5fb78adb178bda9fc3439f78c22a4/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 21:08:00 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ck7rv6biacbe72vb4mzckq6eo662l63yvwyxrpnj7q2dt54meksa._file
Verdict:
malicious
Similar samples:
2b3f661e6165b5a63130acb2509821a895f0eee94e7af31fdd6abd32db3ab687
OskiStealer
3255c859633f6335ccba93c56513fcc155a66346349ef1508fdee8013a2d34cc
OskiStealer
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
OskiStealer
4802297e2a410305aa78c2fec920bfa3948b9cf43c644768238fd664ca660f02
OskiStealer
606367b05183c5ec1e848241849a990f6b47a3d25f0228da2efd9f6c8a14a8ea
OskiStealer
a29e53d24618766608672bb9d74821104738c939bee4f6baf2b36151b0d1dc07
OskiStealer
a3ef4500e9f5f2447d55de102e2529a62b48f644b03d22199ce5c69c0ca57c88
OskiStealer
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
OskiStealer
e73a75a27e10ebb5efaa129b0d8163ea8e2d1ba544d297ba7259dcf6019b4ca3
OskiStealer
edb5b2e40ba1596106785ac718cbb576310e3c05674a5db31189f4a1dc753677
OskiStealer
+ 147 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210523-1pbarfaek2/
Behaviour
Checks processor information in registry
Kills process with taskkill
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Oski
Malware Config
C2 Extraction:
gimermarkett.de
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12bf1af82800824feaa1e3322543c477bda5fb78adb178bda9fc3439f78c22a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/160895/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-23 15:59:57 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.035] Anti-Behavioral Analysis::Process Environment Block BeingDebugged
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0019] Data Micro-objective::Check String
4) [C0060] Data Micro-objective::Compression Library
5) [C0026.001] Data Micro-objective::Base64::Encode Data
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
12) [C0040] Process Micro-objective::Allocate Thread Local Storage
13) [C0041] Process Micro-objective::Set Thread Local Storage Value
14) [C0018] Process Micro-objective::Terminate Process