MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fa9ee208355cb9fc7872e0579195a4d1f3c70179757e25755fc6312134a14cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs 7 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fa9ee208355cb9fc7872e0579195a4d1f3c70179757e25755fc6312134a14cf
SHA3-384 hash: 83eb7497ca084f3c649a34a2111ef6278b4b636c68a4ff71035d2c1c4e96daacd3f3951565f19906b3142c5f8f976c00
SHA1 hash: 06f0e148bc96cd5f0e5ec24dad6c4d65df072399
MD5 hash: 1e7459185fe44408001afba7d8b9579a
humanhash: oxygen-burger-delaware-harry
File name:068938934834984984989248298292892829389828932.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:390'456 bytes
First seen:2021-04-26 13:21:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:e7hAAE1pUofS8ypYAxBWA3VcuVdxOwyXCXsmC2yh/PICKpXKWm6xXv8EYVsGDBSK:kZraQHuA36cd0w2GqHICQKWF/rOY2G
Threatray 4 similar samples on MalwareBazaar
TLSH E984B178FDFF6985C210DE3A666CB15A56E09C48CE8B837BE0D472A47E70CC81A4651F
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://4hzq.xyz/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://4hzq.xyz/6.jpg https://threatfox.abuse.ch/ioc/10144/
http://4hzq.xyz/1.jpg https://threatfox.abuse.ch/ioc/10145/
http://4hzq.xyz/2.jpg https://threatfox.abuse.ch/ioc/10146/
http://4hzq.xyz/3.jpg https://threatfox.abuse.ch/ioc/10147/
http://4hzq.xyz/4.jpg https://threatfox.abuse.ch/ioc/10148/
http://4hzq.xyz/5.jpg https://threatfox.abuse.ch/ioc/10149/
http://4hzq.xyz/7.jpg https://threatfox.abuse.ch/ioc/10150/

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
068938934834984984989248298292892829389828932.exe
Verdict:
No threats detected
Analysis date:
2021-04-26 13:22:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1f88daf5-0d99-42c4-8c4a-0d1f1feb00b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144374/
Detection(s):
Win.Packed.Bulz-9854729-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Deleting a recently created file
Replacing files
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/698000
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Performs DNS queries to domains with low reputation
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397920 Sample: 068938934834984984989248298... Startdate: 26/04/2021 Architecture: WINDOWS Score: 88 39 Yara detected Vidar stealer 2->39 41 .NET source code contains potential unpacker 2->41 43 Downloads files with wrong headers with respect to MIME Content-Type 2->43 45 4 other signatures 2->45 8 068938934834984984989248298292892829389828932.exe 8 2->8         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 8->23 dropped 25 068938934834984984...892829389828932.exe, PE32 8->25 dropped 27 068938934834984984...exe:Zone.Identifier, ASCII 8->27 dropped 47 Creates an undocumented autostart registry key 8->47 12 068938934834984984989248298292892829389828932.exe 193 8->12         started        signatures5 process6 dnsIp7 37 4hzq.xyz 51.195.108.235, 49726, 80 OVHFR France 12->37 29 C:\ProgramData\vcruntime140.dll, PE32 12->29 dropped 31 C:\ProgramData\sqlite3.dll, PE32 12->31 dropped 33 C:\ProgramData\softokn3.dll, PE32 12->33 dropped 35 4 other files (none is malicious) 12->35 dropped 49 Performs DNS queries to domains with low reputation 12->49 51 Tries to harvest and steal browser information (history, passwords, etc) 12->51 53 Tries to steal Crypto Currency Wallets 12->53 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fa9ee208355cb9fc7872e0579195a4d1f3c70179757e25755fc6312134a14cf/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 13:22:11 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6u64iedkxfz7r4hfycxsgk2jupty4axs5l6ev2v7rrree2kcthq._file
Verdict:
unknown
Similar samples:
6733d0ce3ad0c63755f82e7c05a815f2420cccd7f7775dd9227732f59e7fafff
OskiStealer
7376932014797e4b7f5a1c4776d865e1ba03cba69d9811f11a449c188157c918
OskiStealer
767ff6709f5ea14af565b50baca9c574d1ec22eb0ddfd8468b64adf7a4ea6ca4
OskiStealer
8ad095b5f3cbe5651719b70347c94f489a4a14d72a4535c68f9829fe8d0ec738
OskiStealer
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210426-21b192b44x/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Loads dropped DLL
Downloads MZ/PE file
Oski
Unpacked files
SH256 hash:
ebb4c7a8527658d4f02f6242d0a4a518e5881ac4b89ee7036cc8464214a66811
MD5 hash:
9766c14be8e0d0a3e027c63fa097b55b
SHA1 hash:
c96561c8f8aa14db919676b8e84bccb581436db7
Link:
https://www.unpac.me/results/e924f728-3605-4a37-8f6d-6fe15f7acbf8/
SH256 hash:
3847c42f48247c4df4049127e3aec92ec9c97914f6391db894261b61e4360e37
MD5 hash:
0c58c1e065fcabf6cfb7b61e10c07afd
SHA1 hash:
a63dc8a8e52e2f92d22deb42d9717b6e144092c5
Link:
https://www.unpac.me/results/e924f728-3605-4a37-8f6d-6fe15f7acbf8/
SH256 hash:
cd153dee1d95e11751ddaf2cb810b24bb65ffec8b2df422a9b651adfc435f0d5
MD5 hash:
2c089bf08aeeff619f9e9328c0af938a
SHA1 hash:
22f316ae4e13bf5556e1304157b8f2b75c477c92
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/e924f728-3605-4a37-8f6d-6fe15f7acbf8/
SH256 hash:
4fa9ee208355cb9fc7872e0579195a4d1f3c70179757e25755fc6312134a14cf
MD5 hash:
1e7459185fe44408001afba7d8b9579a
SHA1 hash:
06f0e148bc96cd5f0e5ec24dad6c4d65df072399
Link:
https://www.unpac.me/results/e924f728-3605-4a37-8f6d-6fe15f7acbf8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fa9ee208355cb9fc7872e0579195a4d1f3c70179757e25755fc6312134a14cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144374/

Comments