MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 259a1e3d537f6e61c1683fe558a87e48da3ec44420cc0285da89c88bbf45375b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 11


Intelligence 11 IOCs 7 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 259a1e3d537f6e61c1683fe558a87e48da3ec44420cc0285da89c88bbf45375b
SHA3-384 hash: 198814ef6e53f83fec42d868df21c96f586983e7e675a688c113660b97caf9285eb1cda166b816ab54271f9698773fd0
SHA1 hash: b6afa4b4b2540b89e48b1468a9e3e347ac567056
MD5 hash: 528c56717b32a20c42b98eaf3f26cff5
humanhash: salami-quebec-avocado-massachusetts
File name:RFQ-32986.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:294'794 bytes
First seen:2021-07-23 06:41:49 UTC
Last seen:2021-08-10 12:36:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b89f3af6e8726c625cba8a18b46cbaf3 (2 x AgentTesla, 2 x Formbook, 1 x OskiStealer)
ssdeep 6144:PQBdjfLqTeInCsRXzm3z667uu2hj1W93l2ykFiJk9E:Ze2Dguu2h5W93fkFiJk9E
Threatray 2'030 similar samples on MalwareBazaar
TLSH T1DF54F19D3A0CF311E5818DF574C9F1EF0A917232704F61A3BBD52F9A5CBB6A88940C5A
dhash icon 4f4f090d0d094f4f (1 x OskiStealer, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://irkark.xyz/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://irkark.xyz/6.jpg https://threatfox.abuse.ch/ioc/162244/
http://irkark.xyz/1.jpg https://threatfox.abuse.ch/ioc/162245/
http://irkark.xyz/2.jpg https://threatfox.abuse.ch/ioc/162246/
http://irkark.xyz/3.jpg https://threatfox.abuse.ch/ioc/162247/
http://irkark.xyz/4.jpg https://threatfox.abuse.ch/ioc/162248/
http://irkark.xyz/5.jpg https://threatfox.abuse.ch/ioc/162249/
http://irkark.xyz/7.jpg https://threatfox.abuse.ch/ioc/162250/

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ-32986.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 06:44:38 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/69672fdc-efa2-4898-a160-bc72cdfc66b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173545/
Detection(s):
Win.Trojan.Filerepmalware-9872268-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34bb1ac6-a03e-477f-a6ac-fae33c563059
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820576
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/259a1e3d537f6e61c1683fe558a87e48da3ec44420cc0285da89c88bbf45375b/
Threat name:
Win32.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-23 05:40:11 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ewnb4pktp5xgdqlih7svrkd6jdnd5rceedgafbo2rheixp2fg5nq._file
Verdict:
malicious
Similar samples:
2efb273760c5f443d4fc9269ba66f258debf0d9c68ca5172a2d947a39fefe148
OskiStealer
3c66ae164f1823585301787debf4ac1a78eeff71ce7dd70f5b6e3ff8b50e7555
OskiStealer
42ca09428f55c746db7b893f0ae4abdd56343e6aa37e59b482d82039841ab4c3
OskiStealer
4f1bded2f0d6d077f672506e9a3ab5f4021a0a1a579e0b00d2773cd44199b813
OskiStealer
827a8b72cc614c417de4dadb9afcc2f89999c38774ae808b8297929aeaf5aa97
OskiStealer
841a9afb39d8f6d7262af9e44b8f94910c4b219d7b8353e3e10d869dc3fb62f0
OskiStealer
a880e6f25d99f5bebe3ef7becdc1d1c0496c4dbd5502233bd4d1f173f753e00f
OskiStealer
b77cc5e7045b42da624e017d2d542cc8165e920671cff068c86ea481350dff17
OskiStealer
d0d9b227fbb62d92ca026a3464966a1442d55a30cb11ed498c89b8e625bf2aac
OskiStealer
f6f2b14b4718e2397a9a7ce398ab4fc416a58afc8dc777ee928a325f715232dc
OskiStealer
+ 2'020 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210723-2h4fc2xmnn/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
irkark.xyz
Unpacked files
SH256 hash:
5932dfa4f7a62cc46aa5264542267aa491c6c0caa090307f83550f1932ecbd2d
MD5 hash:
76aae79f8b5423de99ebc41fa7009368
SHA1 hash:
26034682913fe7a17a764a9db926f17061c73bc5
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/f500cf62-939c-47be-8b68-e293743ea874/
SH256 hash:
259a1e3d537f6e61c1683fe558a87e48da3ec44420cc0285da89c88bbf45375b
MD5 hash:
528c56717b32a20c42b98eaf3f26cff5
SHA1 hash:
b6afa4b4b2540b89e48b1468a9e3e347ac567056
Link:
https://www.unpac.me/results/f500cf62-939c-47be-8b68-e293743ea874/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/259a1e3d537f6e61c1683fe558a87e48da3ec44420cc0285da89c88bbf45375b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173545/

Comments