MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14a2149ffb9dc7a2bfa96e92ee4d7052222d5550431ffebc471b31859b397024. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 12

Intelligence 12 IOCs 7 YARA 2 File information Comments

SHA256 hash:	14a2149ffb9dc7a2bfa96e92ee4d7052222d5550431ffebc471b31859b397024
SHA3-384 hash:	88c0d157dc73d25fcd9ea515edd6cddb753851ce33a4cecb0d271ec95205173c33de73bd302f0c9b9f9a8fd430a912be
SHA1 hash:	8f96d2cd29ee2b7730245737547b7b67867bdd41
MD5 hash:	e9e7e3bdd64069d3b36e5362bbdcd155
humanhash:	emma-johnny-berlin-california
File name:	fatura comercial - Indaco EX20858 - OC00015.e.exe
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	862'208 bytes
First seen:	2022-04-04 10:51:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:dnC2iNf0uyCoVeU/Bmzo6CB+t+rUmTR1aGnTxT16JAx8DeGKkfjI9xQihPWiBi00:U1GuyRf/b9pwQRpVTD8D1wxQiJRBimk
Threatray	3'895 similar samples on MalwareBazaar
TLSH	T10F052314729026EFDE7BEBB018FA5862277D6971B17CD31E7DB100C9A6943C2A185B33
Reporter	abuse_ch
Tags:	exe OskiStealer

abuse_ch

OskiStealer C2:
http://zubroxmack.cf/2.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://zubroxmack.cf/2.jpg	https://threatfox.abuse.ch/ioc/488662/
http://zubroxmack.cf/1.jpg	https://threatfox.abuse.ch/ioc/488664/
http://zubroxmack.cf/3.jpg	https://threatfox.abuse.ch/ioc/488665/
http://zubroxmack.cf/5.jpg	https://threatfox.abuse.ch/ioc/488666/
http://zubroxmack.cf/4.jpg	https://threatfox.abuse.ch/ioc/488667/
http://zubroxmack.cf/6.jpg	https://threatfox.abuse.ch/ioc/488668/
http://zubroxmack.cf/7.jpg	https://threatfox.abuse.ch/ioc/488669/

Intelligence

File Origin

# of uploads :

# of downloads :

220

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/260518/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Running batch commands

Creating a process with a hidden window

Launching a tool to kill processes

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/624acdd440ce5db9f401f7ed/reports/88294a7b-8d72-4d16-98c7-66b65508c633/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f9413acc-802d-4ad3-be70-85987b2ef40b

Result

Threat name:

Oski Stealer Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/969930

Signature

C2 URLs / IPs found in malware configuration

Downloads files with wrong headers with respect to MIME Content-Type

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Posts data to a JPG file (protocol mismatch)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AntiVM3

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/14a2149ffb9dc7a2bfa96e92ee4d7052222d5550431ffebc471b31859b397024/

Threat name:

ByteCode-MSIL.Trojan.Oskistealer

Status:

Malicious

First seen:

2022-04-04 10:52:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=csrbjh73txd2fp5jn2jo4tlqkirc2vkqimp75pchdmyylgzzoasa._file

Verdict:

malicious

OskiStealer

6849e65e9ac20880fa99583b202ae710e0a3885cd72692a0c1b4d72aae109adf

OskiStealer

8399c97b606bb6613f99006964a47064e402e6489574b85db7a9872f601886b2

OskiStealer

be52ba286982ecb2bda4033824ce2fb1147300af2c5106cfed27cf3fb6022b1f

OskiStealer

d8454e6022d16c264f078c2a0b925dc70d08edd251dc6e86f1af4b24afd46bde

OskiStealer

+ 3'885 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski infostealer

Link:

https://tria.ge/reports/220404-mydntsdfg9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Oski

Malware Config

C2 Extraction:

zubroxmack.cf

Unpacked files

SH256 hash:

3cb49cfe6c1aa40f3fbd5b6009c4d011bde9f19c9897685779188b22f38a55b7

MD5 hash:

d87273fc3440cd9f870f5ae6b68c24d2

SHA1 hash:

d92462b868c370841d39190c81d765414f43708b

Link:

https://www.unpac.me/results/0f1337fd-dfe3-4f46-9252-d976ff81b2b7/

SH256 hash:

4dc1a70f8b6224547927f1f305ead1263cac13cfb68aff4d40e027996eee083d

MD5 hash:

ca1fb830b3f77f223561978963dfc8d0

SHA1 hash:

818369c7d6301672c147dbccb2ae50e9adccae93

Link:

https://www.unpac.me/results/0f1337fd-dfe3-4f46-9252-d976ff81b2b7/

SH256 hash:

575aaff312a8b96976e3f0dcbe88b18dd1fef80f6310f08aab64f94b7b40a890

MD5 hash:

48a8fac48e8c2aba44cf029e2c5b4c86

SHA1 hash:

3c17a805c498a7a56ff45f9665372b0ab47be616

Detections:

win_oski_g0

win_oski_auto

Link:

https://www.unpac.me/results/0f1337fd-dfe3-4f46-9252-d976ff81b2b7/

SH256 hash:

71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4

MD5 hash:

bfcf754fb9acba752f79f44817b7be23

SHA1 hash:

01af19456b6f97790973d0d67a97ecc362ab7aed

Link:

https://www.unpac.me/results/0f1337fd-dfe3-4f46-9252-d976ff81b2b7/

SH256 hash:

14a2149ffb9dc7a2bfa96e92ee4d7052222d5550431ffebc471b31859b397024

MD5 hash:

e9e7e3bdd64069d3b36e5362bbdcd155

SHA1 hash:

8f96d2cd29ee2b7730245737547b7b67867bdd41

Link:

https://www.unpac.me/results/0f1337fd-dfe3-4f46-9252-d976ff81b2b7/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/14a2149ffb9d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/14a2149ffb9dc7a2bfa96e92ee4d7052222d5550431ffebc471b31859b397024

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260518/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample