MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27bc88fd389ded5b1102d7ef23245aceeb4a516c7291afc954abb876898aa42f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OskiStealer


Vendor detections: 8



SHA256 hash: 27bc88fd389ded5b1102d7ef23245aceeb4a516c7291afc954abb876898aa42f
SHA3-384 hash: e1c77a0425ae63b158b5317789cfd82bf4b39373afa8e161bcf2310d88fc6a9d438beca2f9d213f0152d8bf41254384c
SHA1 hash: 3587aeb0114b266430edab58df048c8e133950f1
MD5 hash: 06286fa6eceb22ef87f884f93b6277d1
humanhash: yellow-red-bluebird-river
File name: I Ordine di acquisto 49211.ppam
Signature: OskiStealer
File size: 16'640 bytes
First seen: 2021-09-21 09:47:47 UTC
Last seen: Never
File type: PowerPoint file ppam
MIME type: application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep: 384:dXP/GAPmdxWS7zlPbWdL/u12FdwlmsvCh:VP/kxrNWp/BFSl/vCh
TLSH: T14772CFFAAE6D30ABC720177E82364591BD2580E45834E66F359A812C16E8DE74B8F11F
Reporter: abuse_ch
Tags: geo ITA OskiStealer ppam

Intelligence


File Origin
# of uploads: 1
# of downloads: 180
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro
Result
Verdict: MALICIOUS
Details
Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Result
Threat name: DBatLoader Oski Vidar
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Posts data to a JPG file (protocol mismatch)
PowerShell case anomaly found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Very long command line found
Yara detected DBatLoader
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 487166
Sample: I Ordine di acquisto 49211.ppam
Startdate: 21/09/2021
Architecture: WINDOWS
Score: 100
Root signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected DBatLoader; 12 other signatures
Network contacts:
  cdn.discordapp.com (162.159.134.233, port 443, CLOUDFLARENETUS, United States)
  103.141.138.110 (VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP, Viet Nam)
Process tree (started processes, with dropped files and signatures per node):
  POWERPNT.EXE
    dropped: C:\...\~$I Ordine di acquisto 49211.ppam (data)
    signatures: Obfuscated command line found; Very long command line found
    cmd.exe
      signatures: Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
      powershell.exe
        tifdo.exe
          network: cdn.discordapp.com (162.159.134.233:443)
          dropped: C:\Users\Public\Libraries\...\Ofwogcg.exe (PE32)
          signatures: Injects a PE file into a foreign processes
          tifdo.exe
            network: 103.141.138.110
            dropped: C:\ProgramData\sqlite3.dll, C:\ProgramData\softokn3.dll, C:\ProgramData\mozglue.dll, C:\ProgramData\freebl3.dll (all PE32)
          cmd.exe
            cmd.exe
              conhost.exe
            conhost.exe
          cmd.exe
            reg.exe
              conhost.exe
            conhost.exe
      conhost.exe
  Ofwogcg.exe (started separately after being dropped)
    network: cdn.discordapp.com
Threat name: Document-Excel.Trojan.Valyria
Status: Malicious
First seen: 2021-09-21 09:48:06 UTC
AV detection: 18 of 45 (40.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:oski infostealer persistence spyware suricata
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Oski
Process spawned unexpected child process
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction: 103.141.138.110/p1/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments