MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OskiStealer


Vendor detections: 15



SHA256 hash: 18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472
SHA3-384 hash: 854f527d430fc53137506b8e22644a098c9d7e19a98e7a06771f03d0485ec18e9251a4c59f3b6812299e871594c896b6
SHA1 hash: 9d0df13ef8de579a2bbfba88e938a836ffab1069
MD5 hash: 39bfd2ce7cffeafc8f4d85d89fd6f072
humanhash: montana-bulldog-six-high
File name: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Signature: OskiStealer
File size: 888'320 bytes
First seen: 2022-01-14 12:46:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (28'879 x AgentTesla, 8'705 x Formbook, 4'202 x Loki)
ssdeep: 24576:C8SHUGk70TrcOOxVga3D3XQzuQm2xmZj:OPkQTAzzD3DQzuQxYZ
Threatray: 4'085 similar samples on MalwareBazaar
TLSH: T1B015F102B5D1C3B1CBB6053247DB95BE47A5B4731772A2F73A883B9A4F112D1ED2138A
dhash icon: 71f0ecccc8d8f031 (1 x OskiStealer)
Reporter: @abuse_ch
Tags: exe OskiStealer
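Before working with a copy of this sample, confirm that the file you obtained is the one this entry describes. The script below is an added example, not MalwareBazaar's own tooling: it streams a file once through the four digest algorithms listed above and compares each result against the entry's values with a constant-time, case-insensitive comparison. The EXPECTED table is copied from this entry; the byte strings used for demonstration are constructed placeholders, not the sample. imphash, ssdeep and TLSH are not covered because they need third-party libraries (pefile, ssdeep, py-tlsh), and the imphash line above is itself a reminder that this value is shared with tens of thousands of AgentTesla, Formbook and Loki samples, so it identifies a packer stub rather than this family.

```python
import hashlib
import hmac
import io
from typing import BinaryIO, Dict, Tuple

# Digests listed in this MalwareBazaar entry for the sample.
EXPECTED: Dict[str, str] = {
    "md5": "39bfd2ce7cffeafc8f4d85d89fd6f072",
    "sha1": "9d0df13ef8de579a2bbfba88e938a836ffab1069",
    "sha256": "18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472",
    "sha3_384": "854f527d430fc53137506b8e22644a098c9d7e19a98e7a06771f03d0485ec18e9251a4c59f3b6812299e871594c896b6",
}


def digest_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute every algorithm in EXPECTED in a single pass over the stream."""
    hashers = {name: hashlib.new(name) for name in EXPECTED}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used for the demonstration below)."""
    return digest_stream(io.BytesIO(data))


def verify_hashes(actual: Dict[str, str], expected: Dict[str, str]) -> Tuple[bool, Dict[str, bool]]:
    """Compare each expected digest; hex case is ignored and the compare is constant-time.

    Returns (all_matched, {algorithm: matched}) so a caller can see which value disagreed.
    """
    results: Dict[str, bool] = {}
    for name, want in expected.items():
        got = actual.get(name, "")
        results[name] = hmac.compare_digest(got.lower().encode(), want.lower().encode())
    return all(results.values()), results


def verify_file(path: str, expected: Dict[str, str] = EXPECTED) -> Tuple[bool, Dict[str, bool]]:
    """Hash a file on disk and check it against the entry's digests."""
    with open(path, "rb") as f:
        return verify_hashes(digest_stream(f), expected)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        ok, per_algo = verify_file(sys.argv[1])
    else:
        # Constructed placeholder bytes (not the sample): every digest must mismatch.
        ok, per_algo = verify_hashes(digest_bytes(b"MZ" + b"\x00" * 100), EXPECTED)
    for name, matched in per_algo.items():
        print(f"{name:9s} {'OK' if matched else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run it as `python verify.py <downloaded file>`; a non-zero exit means at least one digest differs, and the per-algorithm output shows which. Checking all four rather than only SHA256 costs nothing extra, since the file is read once.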


Twitter
@abuse_ch
OskiStealer C2:
http://pplonline.org/Cgi//6.jpg

Intelligence


File Origin
# of uploads :
1
# of downloads :
266
Origin country :
FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
upload.exe
Verdict:
Malicious activity
Analysis date:
2021-11-23 20:58:22 UTC
Tags:
trojan stealer vidar loader limerat rat evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Sending an HTTP GET request
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer control.exe greyware obfuscated packed replace.exe vobfus
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Verdict:
Malicious
Result
Threat name:
AveMaria Oski Stealer Redline Clipper St
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected VMProtect packer
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected AveMaria stealer
Yara detected Oski Stealer
Yara detected Redline Clipper
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 553216. Sample: 18719D6856A09A622001F1C3250... Start date: 14/01/2022. Architecture: WINDOWS. Score: 100.

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 22 other signatures.

Process tree (with dropped files, network connections and per-process signatures as shown in the graph):

18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
  dropped: C:\Users\user\AppData\Local\...\svchoste.exe (PE32); C:\Users\user\AppData\Local\Temp\dll.exe (PE32); C:\Users\user\AppData\...\chormuimii.exe (PE32); 18719D6856A09A6220...A63BD21FBAD.exe.log (ASCII)
  signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  chormuimii.exe
    dropped: C:\Users\user\AppData\Local\...\chormuim.exe (PE32)
    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
    chormuim.exe
      network: ip-api.com 208.95.112.1, 49744, 49751, 80 TUT-ASUS United States; api.telegram.org 149.154.167.220, 443, 49747 TELEGRAMRU United Kingdom; 3 other IPs or domains
      dropped: C:\Users\user\AppData\...\AnonFileApi.dll (PE32); C:\Users\user\AppData\Local\...\DotNetZip.dll (PE32)
      signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); May check the online IP address of the machine; 5 other signatures
      cmd.exe
        signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
        children: conhost.exe, chcp.com, netsh.exe, findstr.exe
      cmd.exe
        children: conhost.exe, chcp.com, netsh.exe
      WerFault.exe
      WerFault.exe
  dll.exe
    dropped: C:\ProgramData\AMD Driver\taskshell.exe (PE32)
    taskshell.exe
  svchoste.exe
    network: pplonline.org 108.167.165.140, 49743, 80 UNIFIEDLAYER-AS-1US United States
    dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
    signatures: Tries to steal Crypto Currency Wallets
    cmd.exe
      children: conhost.exe, taskkill.exe
taskshell.exe (started at top level)
taskshell.exe (started at top level)
msiexec.exe (started at top level)
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Status:
Malicious
First seen:
2021-11-01 12:31:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
32 of 43 (74.42%)
Threat level:
  2/5
Result
Malware family:
stormkitty
Score:
  10/10
Tags:
family:oski family:stormkitty collection infostealer persistence spyware stealer vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Oski
StormKitty
StormKitty Payload
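The behaviour list above (Adds Run key to start application, Kills process with taskkill, Delays execution with timeout.exe) and the earlier process tree (chormuim.exe spawning cmd.exe, which spawns chcp.com, netsh.exe and findstr.exe; svchoste.exe spawning cmd.exe and taskkill.exe) together describe a host-side pattern that endpoint telemetry can catch without any family-specific indicator. The following is an added detection example, not a rule shipped by any of the vendors quoted on this page: it runs three checks over Sysmon-style process-creation and registry events. The WLAN check approximates the logic of the "Capture Wi-Fi password" Sigma match (netsh wlan show profile with key=clear, including the abbreviated forms netsh accepts); the other two key on parentage, flagging LOLBins and Run-key writes that trace back to a binary in a user-writable directory such as AppData or ProgramData. The events are constructed; their paths mirror the dropped-file names reported above, but the command lines are assumed and were not taken from the sample.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# Directories a dropped payload typically runs from. The same activity from
# Program Files or System32 with a normal parent is far less interesting.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
LOLBINS = ("\\netsh.exe", "\\taskkill.exe", "\\timeout.exe", "\\findstr.exe", "\\chcp.com")

# Constructed Sysmon-style events (event_id 1 = process create, 13 = registry value set).
# Paths mirror the dropped files reported above; command lines are assumed.
SAMPLE_EVENTS: List[Event] = [
    {"event_id": 1, "pid": 100, "ppid": 1, "image": "C:\\Users\\user\\Downloads\\sample.exe", "command_line": "sample.exe"},
    {"event_id": 1, "pid": 200, "ppid": 100, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\chormuim.exe", "command_line": "chormuim.exe"},
    {"event_id": 1, "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All"},
    {"event_id": 1, "pid": 301, "ppid": 300, "image": "C:\\Windows\\System32\\chcp.com", "command_line": "chcp 65001"},
    {"event_id": 1, "pid": 302, "ppid": 300, "image": "C:\\Windows\\System32\\netsh.exe", "command_line": "netsh wlan show profile"},
    {"event_id": 1, "pid": 303, "ppid": 300, "image": "C:\\Windows\\System32\\findstr.exe", "command_line": "findstr All"},
    {"event_id": 1, "pid": 310, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /C chcp 65001 && netsh wlan show profile name=\"HomeWifi\" key=clear"},
    {"event_id": 1, "pid": 312, "ppid": 310, "image": "C:\\Windows\\System32\\netsh.exe", "command_line": "netsh wlan show profile name=\"HomeWifi\" key=clear"},
    {"event_id": 1, "pid": 320, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /C taskkill /F /PID 200 & timeout /T 3"},
    {"event_id": 1, "pid": 321, "ppid": 320, "image": "C:\\Windows\\System32\\taskkill.exe", "command_line": "taskkill /F /PID 200"},
    {"event_id": 13, "pid": 200, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\chormuim.exe",
     "target_object": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\chormuim",
     "details": "C:\\Users\\user\\AppData\\Local\\Temp\\chormuim.exe"},
    # Benign controls: an administrator's netsh call and a vendor app writing its own Run key.
    {"event_id": 1, "pid": 400, "ppid": 5, "image": "C:\\Windows\\System32\\netsh.exe", "command_line": "netsh interface show interface"},
    {"event_id": 13, "pid": 6, "image": "C:\\Program Files\\Vendor\\app.exe",
     "target_object": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorApp",
     "details": "C:\\Program Files\\Vendor\\app.exe"},
]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def ancestor_images(ev: Event, procs: Dict[int, Event]) -> List[str]:
    """Walk ppid links upward through the process-create events we have seen."""
    out: List[str] = []
    seen = set()
    ppid = ev.get("ppid")
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        parent = procs[ppid]
        out.append(parent["image"])
        ppid = parent.get("ppid")
    return out


def rule_wifi_key_dump(ev: Event) -> Optional[str]:
    """netsh wlan show profile ... key=clear, tolerating netsh's abbreviations (s p k=clear)."""
    if ev["event_id"] != 1 or not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    cl = ev["command_line"].lower()
    if "wlan" in cl and re.search(r"\bs(?:how)?\b", cl) and re.search(r"\bp(?:rofiles?)?\b", cl) \
            and re.search(r"\bk(?:ey)?\s*=\s*clear", cl):
        return "wifi_key_dump"
    return None


def rule_run_key(ev: Event) -> Optional[str]:
    """Run-key value written by, or pointing at, a binary in a user-writable directory."""
    if ev["event_id"] != 13 or RUN_KEY not in ev["target_object"].lower():
        return None
    if is_user_writable(ev["image"]) or is_user_writable(ev.get("details", "")):
        return "run_key_from_user_writable"
    return None


def rule_lolbin_under_dropped_binary(ev: Event, procs: Dict[int, Event]) -> Optional[str]:
    """netsh/taskkill/timeout/findstr/chcp whose ancestry includes a user-writable binary."""
    if ev["event_id"] != 1 or not ev["image"].lower().endswith(LOLBINS):
        return None
    if any(is_user_writable(a) for a in ancestor_images(ev, procs)):
        return "lolbin_under_user_writable"
    return None


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}
    hits: List[Tuple[str, int]] = []
    for ev in events:
        for name in (rule_wifi_key_dump(ev), rule_run_key(ev), rule_lolbin_under_dropped_binary(ev, procs)):
            if name:
                hits.append((name, ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The parentage check is what keeps the noise down: netsh and taskkill run constantly on a fleet, but a chain that starts in a user's Temp or ProgramData directory is rare enough to page on. The benign events in the sample set (an administrator running netsh interface, a vendor application in Program Files registering itself under Run) produce no hits.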
Malware Config
C2 Extraction:
pplonline.org/Cgi/
Unpacked files
SHA256 hash:
8891ddbbd05d22138f7492ffff1cda2a5279889ed27621b1392a1a144489479c
MD5 hash:
f464c498340440add95c8df35f979102
SHA1 hash:
eff4027b4cf29e8c560a2207166548e473dcccc3
SHA256 hash:
a40a4dd5b5a4fd50309235f51fd07988f17646db175586e614963d3d12830ba4
MD5 hash:
5457a7ce7404a41e9dd40ab6315d2d66
SHA1 hash:
277a416713b48e027e796dd884652bb2a0fe050e
SHA256 hash:
cea0db5a660a044bb65b88d3a6ae3cb9f18c26ed83830d1c86d7fdf20aed747b
MD5 hash:
f9ef76caf4a24dc7d09e40c3efe80b05
SHA1 hash:
cb67c668f7f13523ad27d56ca6ae4e031a0f2c66
Detections:
win_oski_g0
SHA256 hash:
3db996974129a4f5257131b449e70e7aa7ca8ece347c9d174553a9a923f8cf11
MD5 hash:
8ccfdcdba319b1c452ad0878a0c03bc0
SHA1 hash:
aa6b59ad56e9fac39c639c1dc048d1b2a067b93e
Detections:
win_oski_g0
SHA256 hash:
5d67a694351d9bdb571ef7b9217e7e05ef88b0f650bbd539217d3a686c077586
MD5 hash:
b335eeb40d0443dadcdefc578a23b5da
SHA1 hash:
67af99514e1230182e4dc463f1c6ba42047ad213
SHA256 hash:
37d460cea9227867807e21051990ed580d9bafc35746dd1f6ea48e424438ec2d
MD5 hash:
535bd46107780dbb3425e23c175e85f9
SHA1 hash:
f2ef993fabd5fb2172dccc6f20033b0565c04fa0
SHA256 hash:
76488918853ce10b808bd2fad4f8c37ff9ca59f321c03c7700e0771f922113d3
MD5 hash:
9f209b4720986407a79bd4c598087587
SHA1 hash:
ba52f693587ef169d590351639b4c810dccd8427
Detections:
win_oski_g0 win_oski_auto
SHA256 hash:
9eb507b9bff383e0c96f4d535352978a801b02e4c00c8416882a3f4f7a625595
MD5 hash:
461cbdd5b0d2801a736e21aef6c7ced3
SHA1 hash:
62ac275945407dc00402eeb2272fe1e47fb6d7e0
SHA256 hash:
18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472
MD5 hash:
39bfd2ce7cffeafc8f4d85d89fd6f072
SHA1 hash:
9d0df13ef8de579a2bbfba88e938a836ffab1069

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                ThreatFox Reference
http://pplonline.org/Cgi//6.jpg    https://threatfox.abuse.ch/ioc/295225
http://pplonline.org/Cgi//1.jpg    https://threatfox.abuse.ch/ioc/295226
http://pplonline.org/Cgi//2.jpg    https://threatfox.abuse.ch/ioc/295227
http://pplonline.org/Cgi//3.jpg    https://threatfox.abuse.ch/ioc/295228
http://pplonline.org/Cgi//4.jpg    https://threatfox.abuse.ch/ioc/295229
http://pplonline.org/Cgi//5.jpg    https://threatfox.abuse.ch/ioc/295230
http://pplonline.org/Cgi//7.jpg    https://threatfox.abuse.ch/ioc/295231
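Two details of these IOCs matter when turning them into a network detection. First, the URLs contain a double slash (/Cgi//N.jpg) while the "C2 Extraction" field above gives the path as pplonline.org/Cgi/; a matcher that compares raw strings will miss one form or the other, so host and path should be normalized before comparison. Second, the sandbox signatures above ("Posts data to a JPG file (protocol mismatch)" and "Downloads files with wrong headers with respect to MIME Content-Type") describe behaviour that can be caught without any indicator at all: an HTTP POST to an image URL, or a response labelled image/* whose body starts with the PE "MZ" magic. The scanner below is an added example, not ThreatFox or MalwareBazaar code, and it generalizes the listed IOCs into those three checks. The proxy log lines it parses are constructed in a simplified pipe-delimited format (timestamp, client, method, URL, status, Content-Type, first response bytes as hex); the example.com and example.invalid hosts and the /gate/report.jpg path are placeholders for the benign and protocol-mismatch cases and are not indicators from this entry.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# C2 URLs from the IOC table above (ThreatFox 295225-295231) and the host/path
# prefix from the "C2 Extraction" field of this entry.
IOC_URLS = [f"http://pplonline.org/Cgi//{n}.jpg" for n in range(1, 8)]
C2_HOST, C2_PATH_PREFIX = "pplonline.org", "/cgi/"

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
PE_MAGIC_HEX = "4d5a"  # "MZ": a Windows PE header served under an image Content-Type


def normalize(url: str) -> Tuple[str, str]:
    """Lower-case host and path and collapse repeated slashes, so /Cgi//6.jpg == /Cgi/6.jpg."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = re.sub(r"/+", "/", parts.path) or "/"
    return host, path.lower()


IOC_SET = {normalize(u) for u in IOC_URLS}

# Constructed proxy log lines: ts|client|method|url|status|content_type|first_bytes_hex
LOG_LINES = [
    "2022-01-14T12:50:01Z|10.0.0.5|GET|http://pplonline.org/Cgi//6.jpg|200|image/jpeg|4d5a9000",
    "2022-01-14T12:50:02Z|10.0.0.5|GET|http://PPLONLINE.org/Cgi/1.jpg|200|image/jpeg; charset=binary|4D5A9000",
    "2022-01-14T12:50:03Z|10.0.0.5|GET|http://pplonline.org/Cgi//|404|text/html|3c21444f",
    "2022-01-14T12:50:04Z|10.0.0.5|POST|http://c2.example.invalid/gate/report.jpg|200|text/plain|6f6b",
    "2022-01-14T12:51:00Z|10.0.0.7|GET|http://cdn.example.com/img/logo.jpg|200|image/jpeg|ffd8ffe0",
    "2022-01-14T12:51:05Z|10.0.0.7|GET|http://dl.example.com/setup.exe|200|application/x-msdownload|4d5a9000",
]


def parse(line: str) -> Dict[str, str]:
    ts, client, method, url, status, ctype, body_hex = line.split("|", 6)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "content_type": ctype, "body_hex": body_hex}


def check(rec: Dict[str, str]) -> List[str]:
    """Return the names of every check the record trips (possibly several)."""
    hits: List[str] = []
    host, path = normalize(rec["url"])
    if (host, path) in IOC_SET:
        hits.append("known_c2_url")
    elif host == C2_HOST and path.startswith(C2_PATH_PREFIX):
        hits.append("c2_path_pattern")  # same host and directory, but not a listed IOC
    if rec["method"].upper() == "POST" and path.endswith(IMAGE_EXT):
        hits.append("post_to_image_url")  # "Posts data to a JPG file (protocol mismatch)"
    mime = rec["content_type"].split(";")[0].strip().lower()
    if mime.startswith("image/") and rec["body_hex"].lower().startswith(PE_MAGIC_HEX):
        hits.append("pe_served_as_image")  # wrong headers with respect to MIME Content-Type
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    return [(i, h) for i, line in enumerate(lines) for h in check(parse(line))]


if __name__ == "__main__":
    for idx, rule in scan(LOG_LINES):
        print(f"line {idx}: {rule:20s} {LOG_LINES[idx].split('|')[3]}")
```

The exact-match and prefix checks are kept separate on purpose: an exact IOC hit can be blocked outright, while the prefix and protocol-mismatch hits are better treated as hunting leads, since a legitimate CDN can also serve odd paths. The body-magic check only works if the proxy records the first bytes of the response; with Content-Type alone there is nothing to compare against.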

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments