MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a440ef3be94895fcaaab5b4ba0755e8350e6131cabd507be510056739601df4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 8

Intelligence 8 IOCs 7 YARA 5 File information Comments

SHA256 hash:	4a440ef3be94895fcaaab5b4ba0755e8350e6131cabd507be510056739601df4
SHA3-384 hash:	4c9fc3ea2a21c288ffc901bd6dcaf9d215d8e1f849bbc44ee7f667d3d1b3ecb46c350f87420581b4b3c10d853e357f5e
SHA1 hash:	f711f8acd1b587e2edc557756019e367d3ac8c78
MD5 hash:	74b37b00ec4ea2e2ee861621c5191ac2
humanhash:	avocado-idaho-earth-coffee
File name:	74b37b00ec4ea2e2ee861621c5191ac2.exe
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	1'346'048 bytes
First seen:	2021-07-21 19:30:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4da7a3c908f70c18780a67a792276e49 (2 x OskiStealer)
ssdeep	24576:3XouY9hgpcQ1eCBt8lvT/nfntO6S2bWU+2SJSNoj5TFs:3XoUBty/fnt24Y2ESkM
Threatray	268 similar samples on MalwareBazaar
TLSH	T17F5533B7ADCB9A16DDF98A7E66D11AA703320D7D6094205F74A92E30D5EE430834DFB0
Reporter	abuse_ch
Tags:	exe OskiStealer

abuse_ch

OskiStealer C2:
http://silverscreen.sg/se//6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://silverscreen.sg/se//6.jpg	https://threatfox.abuse.ch/ioc/161980/
http://silverscreen.sg/se//1.jpg	https://threatfox.abuse.ch/ioc/161981/
http://silverscreen.sg/se//2.jpg	https://threatfox.abuse.ch/ioc/161982/
http://silverscreen.sg/se//3.jpg	https://threatfox.abuse.ch/ioc/161983/
http://silverscreen.sg/se//4.jpg	https://threatfox.abuse.ch/ioc/161984/
http://silverscreen.sg/se//5.jpg	https://threatfox.abuse.ch/ioc/161985/
http://silverscreen.sg/se//7.jpg	https://threatfox.abuse.ch/ioc/161986/

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

74b37b00ec4ea2e2ee861621c5191ac2.exe

Verdict:

Malicious activity

Analysis date:

2021-07-21 19:34:30 UTC

Tags:

trojan stealer vidar loader

Link:

https://app.any.run/tasks/c4698bc0-cc89-4e9a-8e22-941b5f406aa0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/173112/

Detection(s):

Win.Malware.Agen-9851100-0

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f657c2a-33b7-4b1d-a4b4-8869fee893bf

Result

Threat name:

Oski Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/819726

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Downloads files with wrong headers with respect to MIME Content-Type

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Posts data to a JPG file (protocol mismatch)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a440ef3be94895fcaaab5b4ba0755e8350e6131cabd507be510056739601df4/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-07-19 22:23:09 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jjca5456ssev7svkww2lub2v5a2q4yjrzk6va67fcacwooladx2a._file

Verdict:

suspicious

OskiStealer

1553300557f17e7cb62c914616267bc733854b98a0edc5215d901cc4f8e4d0f0

OskiStealer

50cae11649a917039a3fadf933dcf5d724ce0db6fbe4d29cb0aa590896849ca6

OskiStealer

77a04b2b2e8bf13abb35b02d0c9cbbaf76e5be02995d3124f01f641841c280ef

OskiStealer

8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50

OskiStealer

a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154

OskiStealer

bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184

OskiStealer

c41aa6d6eeac57851b0a00a619609ed764072881b85b7dad25ac30f2856eda43

OskiStealer

d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e

OskiStealer

dfe493ec90b4d3114618d81d5d222b6919317387445c21bf58e3ca4b26300aef

OskiStealer

+ 258 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210721-6ml5p1e7mn/

Behaviour

Checks processor information in registry

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Oski

Unpacked files

SH256 hash:

4a440ef3be94895fcaaab5b4ba0755e8350e6131cabd507be510056739601df4

MD5 hash:

74b37b00ec4ea2e2ee861621c5191ac2

SHA1 hash:

f711f8acd1b587e2edc557756019e367d3ac8c78

Link:

https://www.unpac.me/results/247327b9-ba86-4c84-9c0f-0659a31eb184/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4a440ef3be94895fcaaab5b4ba0755e8350e6131cabd507be510056739601df4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_smominru_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173112/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample