MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4277f535c9ba7220bd853269f0b2b75a702eb6c298240e4439179405072283dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4277f535c9ba7220bd853269f0b2b75a702eb6c298240e4439179405072283dd
SHA3-384 hash: c5a573126db856462480c7058e414d617d08283fb3756c14b491e188a408b02c80f9977d7f0429737b3185e3cb26ce6d
SHA1 hash: aa46ad15bb6fb5d90e139640578fd2bc33d6e6a1
MD5 hash: 5e947ca9bbb479131f613b845c742afb
humanhash: steak-social-tennis-shade
File name:SecuriteInfo.com.Trojan.GenericKD.46209995.12270.16799
Download: download sample
Signature OskiStealer
Create hunting rule
File size:783'672 bytes
First seen:2021-04-30 18:03:48 UTC
Last seen:2021-05-05 10:56:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:r3KGeeAItC66zb7QhdxAjrarTo7skY2XqzB3jn/:+t9I09b7+cJYk5qzB3j/
Threatray 81 similar samples on MalwareBazaar
TLSH 98F47C00A3ECA626D1EE3BB4B9702B1147F5FC06B576D74F99C8B5A99873B404C50BA3
Reporter SecuriteInfoCom
Tags:OskiStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/147719/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46209995.12270.16799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/705385
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Sigma detected: Mustang Panda Dropper
Sigma detected: NotPetya Ransomware Activity
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4277f535c9ba7220bd853269f0b2b75a702eb6c298240e4439179405072283dd/
Threat name:
ByteCode-MSIL.Trojan.Lore
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 16:06:59 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ij37knojxjzcbpmfgju7bmvxljyc5nwctasa4rbzc6kakbzcqpoq._file
Verdict:
unknown
Similar samples:
03ddd7fbc456dfe2408a00727347e029a2b2ad6bd870ff10c324d94baf57dcfa
OskiStealer
0c2e617efd564557bce2248bb25254d7c5a091eba9529e48cadca43517431596
OskiStealer
163dbf95558cd288990fb6e6d84643d879abf23e8a5910cdd592d74c24f7fbd0
OskiStealer
25372a9d5205bae496a358c0d33c9f4f9a6e4f3daa00e693cc1df5721c8227fb
OskiStealer
7c67a475559541ba8fa4f10d6f32f9941cea16cb9e3c8feee665c4129229ffb1
OskiStealer
a9a3bb0f7160512839169fd9095821469bbfd54228b6c4c7dc9da4a53cafffb9
OskiStealer
edc06b40f56182a3097a869414dd97ae1f7d14d6ba5698ae29f1ced7c5c659ec
OskiStealer
ef9cd00bad5ac49401b46b918313e10d1f17d93e8cb4ef409b09158ba21b9144
OskiStealer
eff2bda9797c042cbae44c8aed29b31b853733c0676a687dc62676752197c05d
OskiStealer
fb91f67073fef8d391ccb08c31183ff2ff00e8a8ca0f71fb5bfce17fb0ddbd26
OskiStealer
+ 71 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210430-pe1qhwz6yn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
7be26387388e263403db41956c18acb56c0beff4a0169a5b063b03e0668f60f4
MD5 hash:
9c22e37014b9b3b781c6eb7e30745b8f
SHA1 hash:
ee48ec1b45941f1796d313bd4a573b6a489e76ed
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/8cda5157-72bf-4d75-983d-e3fe170728b0/
Parent samples :
fdd6b649413776c157e7029b545d9e47a62b9decd6b2a11ca1708fd4363945a8
4277f535c9ba7220bd853269f0b2b75a702eb6c298240e4439179405072283dd
SH256 hash:
6186e2e4c158f650c89f90f7c15c2a0c1f7bb7ccdb4f3e76306a0d458af7113a
MD5 hash:
1c0c8177049892e7e561c6bdd3b14582
SHA1 hash:
d46e8a1ca119c02848742cfc19f1b203110e3840
Link:
https://www.unpac.me/results/8cda5157-72bf-4d75-983d-e3fe170728b0/
SH256 hash:
627313c62d851ad8948930eaf1b3e18f7a34f6131e3502a59c357bd39615f07f
MD5 hash:
48a8b4e53668bae5b7ac1c5660a2ef5e
SHA1 hash:
8b776e6fdd9ca11feeca248e11f56c0f69efa682
Link:
https://www.unpac.me/results/8cda5157-72bf-4d75-983d-e3fe170728b0/
SH256 hash:
4277f535c9ba7220bd853269f0b2b75a702eb6c298240e4439179405072283dd
MD5 hash:
5e947ca9bbb479131f613b845c742afb
SHA1 hash:
aa46ad15bb6fb5d90e139640578fd2bc33d6e6a1
Link:
https://www.unpac.me/results/8cda5157-72bf-4d75-983d-e3fe170728b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4277f535c9ba7220bd853269f0b2b75a702eb6c298240e4439179405072283dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe 4277f535c9ba7220bd853269f0b2b75a702eb6c298240e4439179405072283dd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1185146/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/147719/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 19:00:53 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program