MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33b2e62e08629bd097db93a9307d133cfc2fb8732c10a75c2bce199f56408e9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 11


Intelligence 11 IOCs 7 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33b2e62e08629bd097db93a9307d133cfc2fb8732c10a75c2bce199f56408e9c
SHA3-384 hash: 5267bdda0fdc8f75e45027b842f01dd13039a6c77d05a64b8833abceb2d6249b77f19b396a422a8a3c2b0a4629fc14e3
SHA1 hash: d31f22ba31d8d108dada9335f379dfc822218859
MD5 hash: a84105bfa3ed6c607cce2e1e7bcd7383
humanhash: item-berlin-three-island
File name:A84105BFA3ED6C607CCE2E1E7BCD7383.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:221'184 bytes
First seen:2021-04-28 05:36:02 UTC
Last seen:2021-04-28 06:02:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:2Ifu/b38OcRzJjh+GgTzL+2yw0Jc+fq61:fQMfRhhoHL+2Z0Jc+fq6
Threatray 113 similar samples on MalwareBazaar
TLSH 87245A037B999742D56819B9C1EF553443E2AEC71232E3CA3F98768E0D027B3DE41B99
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://trafficbadassery.com/a//6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://trafficbadassery.com/a//6.jpg https://threatfox.abuse.ch/ioc/19604/
http://trafficbadassery.com/a//1.jpg https://threatfox.abuse.ch/ioc/19605/
http://trafficbadassery.com/a//2.jpg https://threatfox.abuse.ch/ioc/19606/
http://trafficbadassery.com/a//3.jpg https://threatfox.abuse.ch/ioc/19607/
http://trafficbadassery.com/a//4.jpg https://threatfox.abuse.ch/ioc/19608/
http://trafficbadassery.com/a//5.jpg https://threatfox.abuse.ch/ioc/19609/
http://trafficbadassery.com/a//7.jpg https://threatfox.abuse.ch/ioc/19610/

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A84105BFA3ED6C607CCE2E1E7BCD7383.exe
Verdict:
Malicious activity
Analysis date:
2021-04-28 05:38:17 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/e4394be2-6fc0-4374-9a79-051174d2df29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144800/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Bladabindi.1.23377.20621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/700011
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 398926 Sample: 5ye5EA4o8s.exe Startdate: 28/04/2021 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected Vidar stealer 2->39 41 .NET source code contains method to dynamically call methods (often used by packers) 2->41 43 5 other signatures 2->43 8 5ye5EA4o8s.exe 5 2->8         started        process3 file4 23 C:\Users\user\AppData\Local\Temp\dll.com, PE32 8->23 dropped 25 C:\Users\user\AppData\...\5ye5EA4o8s.exe.log, ASCII 8->25 dropped 45 Drops PE files with a suspicious file extension 8->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->47 12 dll.com 193 8->12         started        signatures5 process6 dnsIp7 35 trafficbadassery.com 72.52.168.184, 49713, 80 LIQUIDWEBUS United States 12->35 27 C:\ProgramData\vcruntime140.dll, PE32 12->27 dropped 29 C:\ProgramData\sqlite3.dll, PE32 12->29 dropped 31 C:\ProgramData\softokn3.dll, PE32 12->31 dropped 33 4 other files (none is malicious) 12->33 dropped 49 Antivirus detection for dropped file 12->49 51 Multi AV Scanner detection for dropped file 12->51 53 Tries to harvest and steal browser information (history, passwords, etc) 12->53 55 Tries to steal Crypto Currency Wallets 12->55 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33b2e62e08629bd097db93a9307d133cfc2fb8732c10a75c2bce199f56408e9c/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-04-25 09:31:05 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gozomlqimkn5bf63souta7itht6c7odtfqikoxblzymz6vsar2oa._file
Verdict:
malicious
Similar samples:
0294e5e38373123aacb7dc64aef0e353277e1f11edb3ff6f711e0080e5e6516c
OskiStealer
3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5
OskiStealer
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
OskiStealer
61097d05c78d0654fa42c1a404e96526b06c657df602a8a7a2ac58e1a60b52db
OskiStealer
70da4cb906561579f992801bfce2c3f1daf01833b292a9bd04545b7e0ee49fbd
OskiStealer
713984a9d714e58c92b1338df4c54b55da27753d18c09d6a45427fd85c145454
OskiStealer
777a1b5eb79e751f4684f825ef2a5df80433a2d4e20f921d4f747e904793f3d2
OskiStealer
cd91b0fbaabf19d178f3a221c517418378913af82ca88856a07cbf0df506f117
OskiStealer
d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55
OskiStealer
fda270ad50aed906730605ca93ecaa3e24792dd070bb443f94d2d6c23124ad61
OskiStealer
+ 103 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski infostealer spyware stealer
Link:
https://tria.ge/reports/210428-stj1ssex7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Executes dropped EXE
Oski
Unpacked files
SH256 hash:
c87705574f7a6f5e0b66db5c873abdaf4954bc0a65d71900b615ac04be8b257d
MD5 hash:
3ab955561862746dea3bac9fc25de7e1
SHA1 hash:
04afb99faf0603d154e63865f409118bd0468efc
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/c54b09ee-a7b2-4ab5-8372-df938ec0b428/
Parent samples :
3d2bd69871c0a443d1e4c2a5ec37833dbcbce929aba368745f10d7b981a5264c
989f403c14fe2ab86cb51cb4232ed7a3fc8f623ad8025e674acfa3bf45a0d917
33b2e62e08629bd097db93a9307d133cfc2fb8732c10a75c2bce199f56408e9c
SH256 hash:
33b2e62e08629bd097db93a9307d133cfc2fb8732c10a75c2bce199f56408e9c
MD5 hash:
a84105bfa3ed6c607cce2e1e7bcd7383
SHA1 hash:
d31f22ba31d8d108dada9335f379dfc822218859
Link:
https://www.unpac.me/results/c54b09ee-a7b2-4ab5-8372-df938ec0b428/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33b2e62e08629bd097db93a9307d133cfc2fb8732c10a75c2bce199f56408e9c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144800/

Comments