MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52338add561f1e396b0f8377e77bae2a05bcb8d7cc19548dbf9ff8cf0b57cc1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OskiStealer


Vendor detections: 14


Intelligence 14 IOCs 7 YARA 3 File information Comments

SHA256 hash: 52338add561f1e396b0f8377e77bae2a05bcb8d7cc19548dbf9ff8cf0b57cc1f
SHA3-384 hash: ddd1da1c1608c1966915cc4f1fc5f312976cfa8c18d32df543178102e1fca9cac1650d3d7aba5fb7fcc1bcf55dbfadae
SHA1 hash: 79b6a5708b05b88847b605dfe5271073826ba5f4
MD5 hash: 3ac80dee855e85c52c0170373af79a04
humanhash: hamper-mexico-ten-neptune
File name:52338ADD561F1E396B0F8377E77BAE2A05BCB8D7CC195.exe
Download: download sample
Signature OskiStealer
File size:204'800 bytes
First seen:2022-04-20 16:41:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bb9d345a5fec4fbbf5100d6a3ffbb8c (88 x ArkeiStealer, 85 x OskiStealer, 1 x Reconyc)
ssdeep 3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIC1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNr1Ljo3c
Threatray 730 similar samples on MalwareBazaar
TLSH T18D146D30B690C035E8A310BCDDEE86BEB96C7A301F5950C3A3D45A662F712F27A71657
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://62.77.159.212/6.jpg

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.77.159.212/6.jpg https://threatfox.abuse.ch/ioc/522030/
http://62.77.159.212/1.jpg https://threatfox.abuse.ch/ioc/522031/
http://62.77.159.212/2.jpg https://threatfox.abuse.ch/ioc/522032/
http://62.77.159.212/3.jpg https://threatfox.abuse.ch/ioc/522033/
http://62.77.159.212/4.jpg https://threatfox.abuse.ch/ioc/522034/
http://62.77.159.212/5.jpg https://threatfox.abuse.ch/ioc/522035/
http://62.77.159.212/7.jpg https://threatfox.abuse.ch/ioc/522036/

Intelligence


File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
https://www33.zippyshare.com/d/hvc6SWB0/405227/Oski_Stealer.rar
Verdict:
Malicious activity
Analysis date:
2020-12-08 22:24:35 UTC
Tags:
trojan stealer vidar loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware vidar virus zusy
Malware family:
Oski Stealer
Verdict:
Malicious
Result
Threat name:
Oski Stealer Vidar
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Infostealer.Vidar
Status:
Malicious
First seen:
2020-12-09 05:50:42 UTC
File Type:
PE (Exe)
AV detection:
27 of 34 (79.41%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:oski infostealer spyware stealer
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Reads user/profile data of web browsers
Oski
Malware Config
C2 Extraction:
62.77.159.212
Unpacked files
SH256 hash:
52338add561f1e396b0f8377e77bae2a05bcb8d7cc19548dbf9ff8cf0b57cc1f
MD5 hash:
3ac80dee855e85c52c0170373af79a04
SHA1 hash:
79b6a5708b05b88847b605dfe5271073826ba5f4
Detections:
win_oski_g0 win_oski_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments