MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1542d5aa55d35e7da824209239affc1abc90777b93c7bdb256eb736639bfd38d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	1542d5aa55d35e7da824209239affc1abc90777b93c7bdb256eb736639bfd38d
SHA3-384 hash:	8124a8431d4ee8eb01277e4284e2ad8d8a1ba73589dc6842df1951ee770414b579f8716a634e5cb75a86082545606a62
SHA1 hash:	77076a158907890d77cdc2f32f3bdd0ddfbf7cd6
MD5 hash:	9fa82e3cc59d17f17340fc6ad6e2de30
humanhash:	mississippi-foxtrot-lithium-kentucky
File name:	Picture_356.exe
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	1'176'880 bytes
First seen:	2021-09-07 06:24:20 UTC
Last seen:	2021-09-07 06:28:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:4MXD6D+Xq6Hy1Tl99QQdt7eq7XrN7xoeizky+Vr8:zXD6D+6Z1Tri4r7o9aVo
Threatray	747 similar samples on MalwareBazaar
TLSH	T118450183B6C44385DBA99A71D2FF0C2103E2ED575B75A25E3E48761508F3372AA13B4E
dhash icon	009ac1cd91810181 (1 x OskiStealer)
Reporter	JAMESWT_WT
Tags:	bitbucket.org exe OskiStealer

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Picture_356.exe

Verdict:

Malicious activity

Analysis date:

2021-09-07 07:05:01 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/5923a02c-54b6-43ea-ac30-bd856fc17246

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/185895/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Connection attempt

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b0599958-f34d-4dde-b4f4-e51df11607b8

Result

Threat name:

Oski Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/846424

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1542d5aa55d35e7da824209239affc1abc90777b93c7bdb256eb736639bfd38d/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-08-18 18:57:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 43 (53.49%)

Threat level:

5/5

Verdict:

malicious

OskiStealer

3c47f8bdb6cb223b1b28ad2401962949c90f1780028be03d775b7d4322aef6f0

OskiStealer

40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f

OskiStealer

5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487

OskiStealer

6fb172bb9c23b3a8067a40f09264c3fa8ecb4f081c659de59560c5d52364d9e9

OskiStealer

89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2

OskiStealer

8b94c5e08aae309d279d90699957b12e670587ce168ac7b86596e1d7d0e2047e

OskiStealer

9ab06dad5958032d92be8b54abfd84e4a7828df3accffca30a459ad3a87ff4ec

OskiStealer

d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2

OskiStealer

d4e27b8e7e1fd965522468bdc3eaf06513dd3a3e7402d9b441ab002dfc892adc

OskiStealer

+ 737 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski infostealer

Link:

https://tria.ge/reports/210907-g6ps6scad2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Oski

Malware Config

C2 Extraction:

176.113.82.180

Unpacked files

SH256 hash:

46e719094fffcc31fc04026dbb6e0a8b41f24f003c9076adef7d13a352351154

MD5 hash:

d66a633174288a69c886381ace61bc42

SHA1 hash:

a625103c7a47d30c256d8aa65a80803136e6a474

Link:

https://www.unpac.me/results/95315106-156a-464f-97ec-601847e849a1/

SH256 hash:

3796a5118cbee90c7f8b10f49395e86d2d594542632b777e69c82cf1845f18c0

MD5 hash:

490f02ff12fdd778cfe81f8bdef75fe4

SHA1 hash:

a61d94edaef581abe8d22c7f402e3ed159d8b283

Link:

https://www.unpac.me/results/95315106-156a-464f-97ec-601847e849a1/

SH256 hash:

701dd583641f97bbb29080dae38a99da57d126cd0a42a9872793de60aa3547f5

MD5 hash:

0ddbdfcdd3ffc4d885c7e11ac74d08ca

SHA1 hash:

83df894338c402efb6db199cd7da287087cd4768

Detections:

win_oski_g0

win_oski_auto

Link:

https://www.unpac.me/results/95315106-156a-464f-97ec-601847e849a1/

SH256 hash:

734837177c33399f5dbdb87b3589c2171a094d4913b0e5b32c4a6edb8132ae4b

MD5 hash:

2dd178c70c8889b30f34edcb197846b1

SHA1 hash:

271f1261a2e2d6b07b288dab8ce0311191c00054

Link:

https://www.unpac.me/results/95315106-156a-464f-97ec-601847e849a1/

SH256 hash:

1542d5aa55d35e7da824209239affc1abc90777b93c7bdb256eb736639bfd38d

MD5 hash:

9fa82e3cc59d17f17340fc6ad6e2de30

SHA1 hash:

77076a158907890d77cdc2f32f3bdd0ddfbf7cd6

Link:

https://www.unpac.me/results/95315106-156a-464f-97ec-601847e849a1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1542d5aa55d3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1542d5aa55d35e7da824209239affc1abc90777b93c7bdb256eb736639bfd38d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185895/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample