MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44205e4cf223ec528c507423db81ea8dce460b243e4dfa14088c5686b78590b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44205e4cf223ec528c507423db81ea8dce460b243e4dfa14088c5686b78590b3
SHA3-384 hash: 4ac7a540e7a9158512a36478430813921858bf85927617cac4c2749706a818054e17fb9fd296ed49c2665bec58590b0a
SHA1 hash: 2fb8da0b4c7c779d8c63c48729e417d7a0f2e707
MD5 hash: 182d417728e3b8da39249e7691bdef16
humanhash: bluebird-queen-edward-finch
File name:182d417728e3b8da39249e7691bdef16
Download: download sample
Signature OskiStealer
Create hunting rule
File size:812'032 bytes
First seen:2021-06-30 17:25:18 UTC
Last seen:2021-06-30 17:35:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:i4Ta41R+ontJxkMoLsO+Il2nchnvf0zhArjixoZVoTa+nuEiG5+25/d8oDWC:c4P+o7aT+Iwnchnvf0zhC
Threatray 1'616 similar samples on MalwareBazaar
TLSH 4B055CAC325435DEC467C6B9CAA8AC74EA613C6A431BC107909319DFAA0DB97DF105F3
Reporter zbetcheckin
Tags:32 exe OskiStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f07b4740e8435347ad7dbd456838bd3.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 14:05:04 UTC
Tags:
loader trojan stealer raccoon rat azorult vidar remcos
Link:
https://app.any.run/tasks/ee1cfaff-fd0e-4941-83e3-aed8f92927b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168939/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.897.6444.17908.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2825eb65-7f6e-4f4d-a5c6-eb4694352956
Result
Threat name:
AsyncRAT Azorult Clipboard Hijacker Vida
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810104
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 442515 Sample: yKz3gtwWvN Startdate: 30/06/2021 Architecture: WINDOWS Score: 100 108 icando.ug 2->108 110 icacxndo.ac.ug 2->110 112 3 other IPs or domains 2->112 130 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->130 132 Found malware configuration 2->132 134 Malicious sample detected (through community Yara rule) 2->134 136 13 other signatures 2->136 11 yKz3gtwWvN.exe 15 5 2->11         started        16 Qsahttm.exe 2->16         started        18 sqlcmd.exe 2->18         started        signatures3 process4 dnsIp5 116 lizzzqua.ac.ug 185.215.113.77, 49721, 49722, 49723 WHOLESALECONNECTIONSNL Portugal 11->116 118 192.168.2.1 unknown unknown 11->118 90 C:\Users\user\AppData\...\ojhvxcgdfsd.exe, PE32 11->90 dropped 92 C:\Users\user\AppData\...\yKz3gtwWvN.exe.log, ASCII 11->92 dropped 148 Injects a PE file into a foreign processes 11->148 20 yKz3gtwWvN.exe 72 11->20         started        25 ojhvxcgdfsd.exe 3 11->25         started        150 Machine Learning detection for dropped file 16->150 file6 signatures7 process8 dnsIp9 114 lizzzqua.ac.ug 20->114 78 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 20->78 dropped 80 C:\Users\user\AppData\Local\Temp\ds2.exe, PE32 20->80 dropped 82 C:\Users\user\AppData\Local\Temp\ds1.exe, PE32 20->82 dropped 84 50 other files (2 malicious) 20->84 dropped 138 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->138 140 Tries to steal Instant Messenger accounts or passwords 20->140 142 Tries to steal Mail credentials (via file access) 20->142 146 4 other signatures 20->146 27 cc.exe 20->27         started        32 rc.exe 20->32         started        34 ac.exe 6 20->34         started        38 3 other processes 20->38 144 Injects a PE file into a foreign processes 25->144 36 ojhvxcgdfsd.exe 25->36         started        file10 signatures11 process12 dnsIp13 120 162.159.133.233, 443, 49728, 49729 CLOUDFLARENETUS United States 27->120 94 C:\Users\Public\Libraries\...\Qsahttm.exe, PE32 27->94 dropped 152 Detected unpacking (changes PE section rights) 27->152 154 Detected unpacking (overwrites its own PE header) 27->154 156 Creates multiple autostart registry keys 27->156 158 Uses schtasks.exe or at.exe to add and modify task schedules 27->158 40 cc.exe 27->40         started        43 cmd.exe 27->43         started        45 cmd.exe 27->45         started        122 cdn.discordapp.com 162.159.135.233, 443, 49725, 49726 CLOUDFLARENETUS United States 32->122 96 C:\Users\Public\Libraries\...\Acmfpxn.exe, PE32 32->96 dropped 160 Injects a PE file into a foreign processes 32->160 47 rc.exe 32->47         started        98 C:\Users\user\AppData\Roaming\lOkQCnw.exe, PE32 34->98 dropped 50 schtasks.exe 34->50         started        124 lizzard.ac.ug 36->124 100 C:\ProgramData\vcruntime140.dll, PE32 36->100 dropped 102 C:\ProgramData\sqlite3.dll, PE32 36->102 dropped 104 C:\ProgramData\softokn3.dll, PE32 36->104 dropped 106 4 other files (none is malicious) 36->106 dropped 162 Tries to harvest and steal browser information (history, passwords, etc) 36->162 164 Tries to steal Crypto Currency Wallets 36->164 52 cmd.exe 36->52         started        54 ds1.exe 38->54         started        56 conhost.exe 38->56         started        58 timeout.exe 38->58         started        file14 signatures15 process16 dnsIp17 86 C:\Users\user\AppData\Roaming\...\sqlcmd.exe, PE32 40->86 dropped 60 schtasks.exe 40->60         started        62 cmd.exe 43->62         started        64 conhost.exe 43->64         started        66 conhost.exe 45->66         started        126 brudfascaqezd.ac.ug 47->126 128 nothinglike.ac.ug 79.134.225.25, 49737, 49738, 49739 FINK-TELECOM-SERVICESCH Switzerland 47->128 68 conhost.exe 50->68         started        70 conhost.exe 52->70         started        72 taskkill.exe 52->72         started        88 C:\Windows\Temp\rf53qa5d.exe, PE32 54->88 dropped file18 process19 process20 74 conhost.exe 60->74         started        76 conhost.exe 62->76         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/44205e4cf223ec528c507423db81ea8dce460b243e4dfa14088c5686b78590b3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 14:49:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
2df27f1a3505dbd0995188d49c253f5bc53c0e994954c4143da6d13efbba126e
OskiStealer
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
OskiStealer
4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea
OskiStealer
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
OskiStealer
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
OskiStealer
c09ced50c5dacaf28676dfaa0abff8f4b53fb4516c93fa5acd000e481841dd7b
OskiStealer
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
OskiStealer
ed9d96725b88ce0a3caee6d98c11369fb84a1d7eca3847db66abe63c49955f73
OskiStealer
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
OskiStealer
fe69416ea50c8316791d7de7da893f9189c3d5f34cb9c64026206d19325ef5c5
OskiStealer
+ 1'606 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210630-85zhtra3g2/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Malware Config
C2 Extraction:
lizzard.ac.ug
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/271e0b4d-8f6e-41da-b251-d17759c6bb15/
SH256 hash:
68554ff09d2b12f68285625e6993201bff58172ab9a6ce2b11c424f4d1d8e1a5
MD5 hash:
5e22018e45038058cb33d4d2f51576c9
SHA1 hash:
1992f59d2a774e45ec83d8fb1ec651f87e07b18d
Link:
https://www.unpac.me/results/271e0b4d-8f6e-41da-b251-d17759c6bb15/
SH256 hash:
84c459fbbaa51053cc13f675ee86f949adf52828bb45187c238233a2e44835d8
MD5 hash:
49c2ceec4134c713808bfe35d9b50662
SHA1 hash:
11573af45248b8db4a15ec07fdd4637cc6db36ef
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/271e0b4d-8f6e-41da-b251-d17759c6bb15/
SH256 hash:
44205e4cf223ec528c507423db81ea8dce460b243e4dfa14088c5686b78590b3
MD5 hash:
182d417728e3b8da39249e7691bdef16
SHA1 hash:
2fb8da0b4c7c779d8c63c48729e417d7a0f2e707
Link:
https://www.unpac.me/results/271e0b4d-8f6e-41da-b251-d17759c6bb15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/44205e4cf223ec528c507423db81ea8dce460b243e4dfa14088c5686b78590b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe 44205e4cf223ec528c507423db81ea8dce460b243e4dfa14088c5686b78590b3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168939/
  
URLhaus
https://urlhaus.abuse.ch/url/1414038/

Comments