MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 245f962fa8ec09944b413f41836d81d8fbc961c34f43e3d8f76cc6324eefe11e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs 7 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 245f962fa8ec09944b413f41836d81d8fbc961c34f43e3d8f76cc6324eefe11e
SHA3-384 hash: 829ca5d47b9993a4a604bca87f98d58263e3968c55508922a24569eafaf97435720274cd464be6ce8977ca4d445c4028
SHA1 hash: e083da95c8870158a2bdde3a94571904ca514f39
MD5 hash: bae1820a589c3c2a3d76bb6984e155ef
humanhash: bulldog-seventeen-oregon-delaware
File name:bae1820a589c3c2a3d76bb6984e155ef.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:315'904 bytes
First seen:2021-06-07 08:32:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:wfL0D1ZQKi596gqdZR5PnmxA8u4bS4YgG+NHgzg7HpsS3wRmxy2YPtQkeX2lMJzu:wfL0D1ZDi5KbR9eA8Ikig7Hp70mYTe2
Threatray 1 similar samples on MalwareBazaar
TLSH B664BE62030DC9D9F29A0778442CEB630D523F660CD55DCD9A5DBEB02CB26EE529E07E
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://212.192.241.220/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://212.192.241.220/6.jpg https://threatfox.abuse.ch/ioc/72296/
http://212.192.241.220/1.jpg https://threatfox.abuse.ch/ioc/72297/
http://212.192.241.220/2.jpg https://threatfox.abuse.ch/ioc/72298/
http://212.192.241.220/3.jpg https://threatfox.abuse.ch/ioc/72299/
http://212.192.241.220/4.jpg https://threatfox.abuse.ch/ioc/72300/
http://212.192.241.220/5.jpg https://threatfox.abuse.ch/ioc/72301/
http://212.192.241.220/7.jpg https://threatfox.abuse.ch/ioc/72302/

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bae1820a589c3c2a3d76bb6984e155ef.exe
Verdict:
No threats detected
Analysis date:
2021-06-07 08:36:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e17db59-60c6-45d6-8cfe-cfeb90363509

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164937/
Detection(s):
SecuriteInfo.com.Variant.Ursu.782508.5109.17300.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797937
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430335 Sample: xhfhi2UBvv.exe Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected Oski Stealer 2->47 49 7 other signatures 2->49 8 xhfhi2UBvv.exe 10 2->8         started        process3 file4 25 C:\Users\user\AppData\Roaming\...\firef0x.exe, PE32 8->25 dropped 27 C:\Users\user\AppData\...\xhfhi2UBvv.exe, PE32 8->27 dropped 29 C:\Users\user\...\firef0x.exe:Zone.Identifier, ASCII 8->29 dropped 31 2 other malicious files 8->31 dropped 51 Creates an undocumented autostart registry key 8->51 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 57 Injects a PE file into a foreign processes 8->57 12 xhfhi2UBvv.exe 193 8->12         started        17 xhfhi2UBvv.exe 8->17         started        signatures5 process6 dnsIp7 41 212.192.241.220, 49725, 80 RAPMSB-ASRU Russian Federation 12->41 33 C:\ProgramData\vcruntime140.dll, PE32 12->33 dropped 35 C:\ProgramData\sqlite3.dll, PE32 12->35 dropped 37 C:\ProgramData\softokn3.dll, PE32 12->37 dropped 39 4 other files (none is malicious) 12->39 dropped 59 Tries to harvest and steal browser information (history, passwords, etc) 12->59 61 Tries to steal Crypto Currency Wallets 12->61 19 cmd.exe 1 12->19         started        63 Machine Learning detection for dropped file 17->63 file8 signatures9 process10 process11 21 taskkill.exe 1 19->21         started        23 conhost.exe 19->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/245f962fa8ec09944b413f41836d81d8fbc961c34f43e3d8f76cc6324eefe11e/
Threat name:
ByteCode-MSIL.Trojan.Ursu
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 08:32:11 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=erpzml5i5qezis2bh5ayg3mb3d54syodj5b6hwhxntddetxp4epa._file
Verdict:
unknown
Similar samples:
3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77
OskiStealer
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210607-mkqcw4wtre/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
212.192.241.220
Unpacked files
SH256 hash:
122204f30fc3f88cd8ed82d827072e52584a678507f6a8573a0e79863807888d
MD5 hash:
eedf4474eb726aff472a23c4d13487f2
SHA1 hash:
1a14d16faa1ddd9a11d1244c5d226b39fa746b0f
Link:
https://www.unpac.me/results/bd4ce8d9-1d34-4f87-abbc-36fafa1e8b66/
SH256 hash:
f53132ed3a5882ae5fb5916f973040345c1ad699fdd4007ea6f9a75f06dcdb31
MD5 hash:
ae6e094cc656c33a2e6954707d4bbf4b
SHA1 hash:
22430ebe7344918e7ae6d02e688a8e4b2b9d3d1d
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd4ce8d9-1d34-4f87-abbc-36fafa1e8b66/
SH256 hash:
123543c18b8fc104594fcf9b50f564af4de6857e77170b53179d70996f4cd77f
MD5 hash:
d0018e5e2d7bfcbe2369a3fb0468d30a
SHA1 hash:
97d81b8f20eb6a804a21020682ca7c46b141a029
Link:
https://www.unpac.me/results/bd4ce8d9-1d34-4f87-abbc-36fafa1e8b66/
SH256 hash:
245f962fa8ec09944b413f41836d81d8fbc961c34f43e3d8f76cc6324eefe11e
MD5 hash:
bae1820a589c3c2a3d76bb6984e155ef
SHA1 hash:
e083da95c8870158a2bdde3a94571904ca514f39
Link:
https://www.unpac.me/results/bd4ce8d9-1d34-4f87-abbc-36fafa1e8b66/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/245f962fa8ec09944b413f41836d81d8fbc961c34f43e3d8f76cc6324eefe11e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe 245f962fa8ec09944b413f41836d81d8fbc961c34f43e3d8f76cc6324eefe11e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1335658/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164937/

Comments