MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62ff4acb82aa8f8e187d10029882cc2864f7a091bf1ff0a4ee1475119ba6ad9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	62ff4acb82aa8f8e187d10029882cc2864f7a091bf1ff0a4ee1475119ba6ad9d
SHA3-384 hash:	848405d2b65601ff7edb2b6805c5cf431b6e912b01377370035e052901335b5e86507792fe070d66d380633fe4868588
SHA1 hash:	eeb55b51a51ba0e0325397eeae08b332b5724b45
MD5 hash:	93d1db10e708c676866a7cd1dba55b68
humanhash:	double-michigan-green-moon
File name:	h7tfR29LuPk1YuPJO199.exe
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	889'860 bytes
First seen:	2021-05-05 11:30:38 UTC
Last seen:	2021-05-05 12:02:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:Bb69vowwoXYXB8VzVfLRlahu3EHYjA8++++4+++++++0+++++++i:ByowwoiB89BbQu0H4h++++4+++++++0/
Threatray	1'108 similar samples on MalwareBazaar
TLSH	DF15DF3272A467D5D23CA7389D21D17053E33E66E201EA6FB9E4BCCF35753A20876912
Reporter	starsSk87264403
Tags:	OskiStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/150548/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62ff4acb82aa8f8e187d10029882cc2864f7a091bf1ff0a4ee1475119ba6ad9d/

Threat name:

ByteCode-MSIL.Trojan.Agentesla

Status:

Malicious

First seen:

2021-05-02 17:39:20 UTC

AV detection:

26 of 47 (55.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ml7uvs4cvkhy4gd5cabjrawmfbsppierx4p7bjhocr2rdg5gvwoq._file

Verdict:

malicious

OskiStealer

376c76d02aeb61b3e845c8ecf4f92bae4800e528cb2e30ec8285eecda31caa7b

OskiStealer

37f96df377557cad9bdb2caa4064bbf4dd862e935a64e1d802d445358695e15c

OskiStealer

3aeccf51ec935646a4987a1683d5dd8a251d171d326041282759753e371dff4f

OskiStealer

916bd03b40de6bfa498311e3a70d3e98c50e8255fd413d446daab77951224856

OskiStealer

9b26547086a1489e5534452021694af3a565fe76926e671112be4852947a5d27

OskiStealer

a9e2cff74c2afe7a6d87d7cb25bc41f044f8b492541729fb1503408b7ede6fa2

OskiStealer

b2454961c84e927b086719e0bae8016bee823e17402fb0feca8bda4e63ff009c

OskiStealer

cb24694242c1c1618678711184ab8abe6a1335d348f3549d2b568d99f793bf28

OskiStealer

cc4c6be7a609aaaabf82ae1cd164c567ff7f7cc1ebdb59175d0ae1ecbac74b5c

OskiStealer

+ 1'098 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210505-kq7911qetj/

Behaviour

Checks processor information in registry

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Oski

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/8af77ae7-7a30-4eec-8ce3-cf98a3ff77c7/

SH256 hash:

62ff4acb82aa8f8e187d10029882cc2864f7a091bf1ff0a4ee1475119ba6ad9d

MD5 hash:

93d1db10e708c676866a7cd1dba55b68

SHA1 hash:

eeb55b51a51ba0e0325397eeae08b332b5724b45

Link:

https://www.unpac.me/results/8af77ae7-7a30-4eec-8ce3-cf98a3ff77c7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/62ff4acb82aa8f8e187d10029882cc2864f7a091bf1ff0a4ee1475119ba6ad9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150548/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample