MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47efe12c67f3d5bad06207b057f006f8f40e53bc042561f7c0884d52144a5790. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 10

Intelligence 10 IOCs 7 YARA 3 File information Comments 1

SHA256 hash:	47efe12c67f3d5bad06207b057f006f8f40e53bc042561f7c0884d52144a5790
SHA3-384 hash:	11ab8aaef41d845c72d8b95fe85bae6a6abc68817941966d39e5fb9c3c192ec2711b11976c3374c0ea09092f0042f0a7
SHA1 hash:	5aa04eef18a62192cc8996d2fca6f5f319232832
MD5 hash:	ed1b37aed728e905e85ac4082f55f7f5
humanhash:	north-helium-ohio-solar
File name:	P.O# 70058629.exe
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	442'576 bytes
First seen:	2021-05-11 15:05:23 UTC
Last seen:	2021-05-11 15:51:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	12288:M05Mwzc6pO0ZywAy3vVnNA95jZCaRMcRo3t++t2i4Hwc3X2QbM5Aah1hEA1MMC:TMwzc6pO0ZywAy3v8CaRG3t++LA3X2Y1
Threatray	159 similar samples on MalwareBazaar
TLSH	5F94BF279B429AF9E72E98316477597FBAB17E22A2842157434EB34F0CB2931C43F057
Reporter	abuse_ch
Tags:	exe OskiStealer

abuse_ch

OskiStealer C2:
http://31.210.21.193/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://31.210.21.193/6.jpg	https://threatfox.abuse.ch/ioc/35058/
http://31.210.21.193/1.jpg	https://threatfox.abuse.ch/ioc/35059/
http://31.210.21.193/2.jpg	https://threatfox.abuse.ch/ioc/35060/
http://31.210.21.193/3.jpg	https://threatfox.abuse.ch/ioc/35061/
http://31.210.21.193/4.jpg	https://threatfox.abuse.ch/ioc/35062/
http://31.210.21.193/5.jpg	https://threatfox.abuse.ch/ioc/35063/
http://31.210.21.193/7.jpg	https://threatfox.abuse.ch/ioc/35064/

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/155150/

Detection(s):

SecuriteInfo.com.Gen.Variant.Androm.29.18605.30091.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Sending a UDP request

Unauthorized injection to a recently created process

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Oski Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/778763

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/47efe12c67f3d5bad06207b057f006f8f40e53bc042561f7c0884d52144a5790/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-05-11 15:06:14 UTC

AV detection:

17 of 47 (36.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i7x6cldh6pk3vudca6yfp4ag7d2a4u54aqswd56arbgvefckk6ia._file

Verdict:

malicious

OskiStealer

3be583104ac2df031993b4f1bcbca40c01cefc5282050bc70b74e6e428291aba

OskiStealer

604e8bce3d31f5e04fe9622cedeb0696a69b9cb7f262a9bb33009ede20df100a

OskiStealer

69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c

OskiStealer

758353a1ee13e2b4e82bd4ebfa6df47a12a3ac2d488d9602bb89700a4dc6b997

OskiStealer

a68ec0c26f99b4f59d0abbd7cc98de6d9136ffe0d822d8056476d356121e5011

OskiStealer

b5b4f2430ee5b5348b55a2d1be3e1bf5f88094e67409bbb88d6e677da91c8482

OskiStealer

c0ff93ef4930a7dc2d95a6ee490fecdddcbe946e479b1d4fdb47285245b28675

OskiStealer

cc4c6be7a609aaaabf82ae1cd164c567ff7f7cc1ebdb59175d0ae1ecbac74b5c

OskiStealer

db127ccf5ea69c0bc3888efe5ae2a532c5f5590a2f589f049139fcf63f5e8062

OskiStealer

+ 149 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski infostealer

Link:

https://tria.ge/reports/210511-kabxg2ym86/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Oski

Malware Config

C2 Extraction:

31.210.21.193

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47efe12c67f3d5bad06207b057f006f8f40e53bc042561f7c0884d52144a5790

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_oski_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/155150/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 16:02:37 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0045] File System Micro-objective::Copy File
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [E1510] Impact::Clipboard Modification
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process