MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17805cda1591f72ed86901a7408743bd3f3511c4705a52b9b120387e12bfa60b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 12


Intelligence 12 IOCs 7 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17805cda1591f72ed86901a7408743bd3f3511c4705a52b9b120387e12bfa60b
SHA3-384 hash: ad5cceecd127a7bdfd718197c27c8fa2013530e3125737e26966ba161bd5c5b372a8f6d9ed39e627f9b467fdf764c7f9
SHA1 hash: bf62ab1c3684485e12b3e9a6ea5387a7fb7329c0
MD5 hash: c7f1a6e7e78911d10ffb18e61c089905
humanhash: four-cup-california-sweet
File name:Becan 57826190.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:329'780 bytes
First seen:2021-10-08 02:35:12 UTC
Last seen:2021-10-08 03:46:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:78LxBrWzUnBA4cBSd+SkdSnaC5plrJCZ4wfeIXvGOje:5UnYUdpkwnpH5JYXw
Threatray 4'003 similar samples on MalwareBazaar
TLSH T11B64CF931DA0F996D829E57721A3A91D98C64CBE7DF6B7030BCC3A18D7375D2A40B087
File icon (PE):PE icon
dhash icon 491779555579134d (2 x NetWire, 1 x OskiStealer, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://21slg.xyz/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://21slg.xyz/6.jpg https://threatfox.abuse.ch/ioc/231146/
http://21slg.xyz/1.jpg https://threatfox.abuse.ch/ioc/231147/
http://21slg.xyz/2.jpg https://threatfox.abuse.ch/ioc/231148/
http://21slg.xyz/3.jpg https://threatfox.abuse.ch/ioc/231149/
http://21slg.xyz/4.jpg https://threatfox.abuse.ch/ioc/231150/
http://21slg.xyz/5.jpg https://threatfox.abuse.ch/ioc/231151/
http://21slg.xyz/7.jpg https://threatfox.abuse.ch/ioc/231152/

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Becan 57826190.exe
Verdict:
Malicious activity
Analysis date:
2021-10-08 02:35:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/acbac401-e4d7-4f17-96e9-aaacd5fa6c21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195991/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.12541.21037.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615fae95e3d213d202bacb35/reports/b784434c-2278-43fc-aa0b-885e67a3edb7/overview
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55139b55-e3c1-4104-9bfc-e240911dfec1
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866778
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Performs DNS queries to domains with low reputation
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17805cda1591f72ed86901a7408743bd3f3511c4705a52b9b120387e12bfa60b/
Threat name:
Win32.Trojan.Oskistealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 02:36:06 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c6afzwqvsh3s5wdjagtubb2dxu7tkeoeobnffonrea4h4ev7uyfq._file
Verdict:
malicious
Similar samples:
024a5c3d369e1459332682cad7931a426722fdc2ec0950adc598e0227d0ef043
OskiStealer
4c67d6cd8ba22edfa6b568b72b1f0a2095a173154b26ae89a1b50d266055ce44
OskiStealer
70d12ff2197a1f6efc86703837f617d923f83f4d0fb24a669ba7b6e11a4b60fe
OskiStealer
90a9ef1c549a9f2646f6c603e27570832f371d25d2fc4b967c96f55fa034e557
OskiStealer
a54ecc8d83199ee37e9af81592b4b3dbc037aaa14eba989f6dc0504a570bcc9c
OskiStealer
b1b4adb57471b463700ab48f81cd2550270fac73e0c1a95366fdc4380d15a659
OskiStealer
bcecf11dcb821c77cefc134ea271ebbc8a639fabd57492ca016b1acd5c9a97b7
OskiStealer
d83a8f3a3475132ef153741a21858652a2f03a4e62d56f6864c8800fb0a0da45
OskiStealer
+ 3'993 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211008-c3lj5adaf4/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
21slg.xyz
Unpacked files
SH256 hash:
f6223f6083fc13541aebf4bfccafd323c1ceacfad3eeeca0c336b4790904c9ec
MD5 hash:
2ab4a34515f936e8c43e25fe9b28552a
SHA1 hash:
1270c86844adc4d3d026f4ea19a66f276b37ce07
Detections:
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/de61fdd2-71d3-4d91-9cac-ae4f893b11db/
SH256 hash:
17805cda1591f72ed86901a7408743bd3f3511c4705a52b9b120387e12bfa60b
MD5 hash:
c7f1a6e7e78911d10ffb18e61c089905
SHA1 hash:
bf62ab1c3684485e12b3e9a6ea5387a7fb7329c0
Link:
https://www.unpac.me/results/de61fdd2-71d3-4d91-9cac-ae4f893b11db/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/17805cda1591/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/17805cda1591f72ed86901a7408743bd3f3511c4705a52b9b120387e12bfa60b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/195991/

Comments