MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31768ba567580677ef466b1451e012d1fd35341ca7ec9692c56ecfc09c4e13fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 7


Intelligence 7 IOCs 7 YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31768ba567580677ef466b1451e012d1fd35341ca7ec9692c56ecfc09c4e13fc
SHA3-384 hash: d23cbfa4da92f2473c9b9b94e742e742b4e2a056653bec4cb80add8435d6c47a4ba4c776b74251bb1497100aaa5a570e
SHA1 hash: a6400f400c885021eccb97028d1e19d1923da3cd
MD5 hash: 45d91b01836e65febaad4e83ca45839d
humanhash: coffee-one-pip-network
File name:31768ba567580677ef466b1451e012d1fd35341ca7ec9.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:227'640 bytes
First seen:2021-04-28 12:16:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:Vt6sh+dfB5aovPtfzoeAWRfS8ypYAxBWA3VcuVdxVoEYs8yZWKpJKVpKgEsyYN5r:V4dfemPtfUeAIQHuA36cdg5GWSKfKOk
Threatray 8 similar samples on MalwareBazaar
TLSH 3C2401025B8CC651EAF23E36BE72F3154A75BD00B92296EF18DCF35BC674A40C5A4762
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://178.175.148.83/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://178.175.148.83/6.jpg https://threatfox.abuse.ch/ioc/19660/
http://178.175.148.83/1.jpg https://threatfox.abuse.ch/ioc/19661/
http://178.175.148.83/2.jpg https://threatfox.abuse.ch/ioc/19662/
http://178.175.148.83/3.jpg https://threatfox.abuse.ch/ioc/19663/
http://178.175.148.83/4.jpg https://threatfox.abuse.ch/ioc/19664/
http://178.175.148.83/5.jpg https://threatfox.abuse.ch/ioc/19665/
http://178.175.148.83/7.jpg https://threatfox.abuse.ch/ioc/19666/

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
31768ba567580677ef466b1451e012d1fd35341ca7ec9.exe
Verdict:
No threats detected
Analysis date:
2021-04-28 12:20:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c05daed3-646c-4225-a54b-fc3d6c56fdee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144956/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.27073.14548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Deleting a recently created file
Replacing files
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/700531
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 399184 Sample: 31768ba567580677ef466b1451e... Startdate: 28/04/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Vidar stealer 2->45 47 7 other signatures 2->47 8 31768ba567580677ef466b1451e012d1fd35341ca7ec9.exe 8 2->8         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 8->23 dropped 25 31768ba567580677ef...d1fd35341ca7ec9.exe, PE32 8->25 dropped 27 C:\Users\user\...\notpad.exe:Zone.Identifier, ASCII 8->27 dropped 29 2 other malicious files 8->29 dropped 49 Creates an undocumented autostart registry key 8->49 12 31768ba567580677ef466b1451e012d1fd35341ca7ec9.exe 193 8->12         started        signatures5 process6 dnsIp7 39 178.175.148.83, 49741, 80 TRABIAMD Moldova Republic of 12->39 31 C:\ProgramData\vcruntime140.dll, PE32 12->31 dropped 33 C:\ProgramData\sqlite3.dll, PE32 12->33 dropped 35 C:\ProgramData\softokn3.dll, PE32 12->35 dropped 37 4 other files (none is malicious) 12->37 dropped 51 Multi AV Scanner detection for dropped file 12->51 53 Machine Learning detection for dropped file 12->53 55 Tries to harvest and steal browser information (history, passwords, etc) 12->55 57 Tries to steal Crypto Currency Wallets 12->57 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31768ba567580677ef466b1451e012d1fd35341ca7ec9692c56ecfc09c4e13fc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-28 12:17:14 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gf3ixjlhladhp32gnmkfdyas2h6tkna4u7wjnewfn3h4bhcocp6a._file
Verdict:
unknown
Similar samples:
023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f
OskiStealer
06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db
OskiStealer
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
OskiStealer
312c1e6a195ca210070f9fdc8e2ed8a6363bd8386047ad48ff20e36d60dae6e4
OskiStealer
bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184
OskiStealer
d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2
OskiStealer
fdd6b649413776c157e7029b545d9e47a62b9decd6b2a11ca1708fd4363945a8
OskiStealer
fe2853104646e2bd3446a2965268b953f728d3cdc941e8add4760975e2d12e86
OskiStealer
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210428-4x1fy9q3ne/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Unpacked files
SH256 hash:
c0ce2cf58bbfebb58d003bb17a189e96a376b69a89242a19e34e625f32bb78ab
MD5 hash:
d1076d69ad47c02a6baeacd06b13eccd
SHA1 hash:
e08d7460fba61eba7cad811aa0aed4ce6d52efe7
Link:
https://www.unpac.me/results/799ff41e-ab0e-4dc9-a83d-0c770e0eea92/
SH256 hash:
51a7700f906cbfd5f70efcadc32e0d4066ad16ce6a5e87f71c3d8fc79a254317
MD5 hash:
95e779c8fdcb4f9f40d36f0a80e67e22
SHA1 hash:
8f01f1f851258f682e768935273f963db379a497
Link:
https://www.unpac.me/results/799ff41e-ab0e-4dc9-a83d-0c770e0eea92/
SH256 hash:
476ce6ed2da0cd7c05700c1a655961ca7cafa95d3a3d98622300233c997a1569
MD5 hash:
90b1f4ac915dd61fca710bd244e23486
SHA1 hash:
53fa0eb4eb7819a8c0111c4705e08f5706b5ff89
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/799ff41e-ab0e-4dc9-a83d-0c770e0eea92/
SH256 hash:
31768ba567580677ef466b1451e012d1fd35341ca7ec9692c56ecfc09c4e13fc
MD5 hash:
45d91b01836e65febaad4e83ca45839d
SHA1 hash:
a6400f400c885021eccb97028d1e19d1923da3cd
Link:
https://www.unpac.me/results/799ff41e-ab0e-4dc9-a83d-0c770e0eea92/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31768ba567580677ef466b1451e012d1fd35341ca7ec9692c56ecfc09c4e13fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144956/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-28 13:10:22 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program