MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8
SHA3-384 hash: 3e695c5e547d9c90da8807b7bd6dd6518d4e3a91eeae16b32ca86de90be7524b80f3710e405cc867631f10f2aea6c835
SHA1 hash: a5c6148505c3707580947351e9d07062979bb05d
MD5 hash: 090148a4d527120eaaa7d5d2f0aa5bf1
humanhash: october-eleven-ten-hotel
File name:SecuriteInfo.com.Trojan.GenericKD.46212578.16723.14032
Download: download sample
Signature OskiStealer
Create hunting rule
File size:784'184 bytes
First seen:2021-05-03 12:15:28 UTC
Last seen:2021-05-03 13:05:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3PUeeAItC66s5xvpAjrarTo7skY2XqzB3jn/:n9I0S5xv0JYk5qzB3j/
Threatray 88 similar samples on MalwareBazaar
TLSH FDF47B00A3ECA626D1EE3BB4B9702B1147F5FD06B572D74F99C8B5A99873B404C50BA3
Reporter SecuriteInfoCom
Tags:OskiStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148461/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46212578.16723.14032.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Replacing files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707807
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402821 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 8 SecuriteInfo.com.Trojan.GenericKD.46212578.16723.exe 8 2->8         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 8->23 dropped 25 SecuriteInfo.com.T....46212578.16723.exe, PE32 8->25 dropped 27 C:\Users\user\...\notpad.exe:Zone.Identifier, ASCII 8->27 dropped 29 2 other malicious files 8->29 dropped 49 Creates an undocumented autostart registry key 8->49 51 Writes to foreign memory regions 8->51 53 Allocates memory in foreign processes 8->53 55 Injects a PE file into a foreign processes 8->55 12 SecuriteInfo.com.Trojan.GenericKD.46212578.16723.exe 193 8->12         started        signatures5 process6 dnsIp7 39 205.185.120.57, 49733, 80 PONYNETUS United States 12->39 31 C:\ProgramData\vcruntime140.dll, PE32 12->31 dropped 33 C:\ProgramData\sqlite3.dll, PE32 12->33 dropped 35 C:\ProgramData\softokn3.dll, PE32 12->35 dropped 37 4 other files (none is malicious) 12->37 dropped 57 Multi AV Scanner detection for dropped file 12->57 59 Machine Learning detection for dropped file 12->59 61 Tries to harvest and steal browser information (history, passwords, etc) 12->61 63 Tries to steal Crypto Currency Wallets 12->63 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8/
Threat name:
ByteCode-MSIL.Trojan.Witch
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 21:51:49 UTC
AV detection:
29 of 47 (61.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=no645qdwhbdxa343ovtuvljdd7zdv7jleeqtr7ddbkdpnh4bqdma._file
Verdict:
unknown
Similar samples:
03ddd7fbc456dfe2408a00727347e029a2b2ad6bd870ff10c324d94baf57dcfa
OskiStealer
0c2e617efd564557bce2248bb25254d7c5a091eba9529e48cadca43517431596
OskiStealer
163dbf95558cd288990fb6e6d84643d879abf23e8a5910cdd592d74c24f7fbd0
OskiStealer
25372a9d5205bae496a358c0d33c9f4f9a6e4f3daa00e693cc1df5721c8227fb
OskiStealer
7c67a475559541ba8fa4f10d6f32f9941cea16cb9e3c8feee665c4129229ffb1
OskiStealer
a9a3bb0f7160512839169fd9095821469bbfd54228b6c4c7dc9da4a53cafffb9
OskiStealer
edc06b40f56182a3097a869414dd97ae1f7d14d6ba5698ae29f1ced7c5c659ec
OskiStealer
ef9cd00bad5ac49401b46b918313e10d1f17d93e8cb4ef409b09158ba21b9144
OskiStealer
eff2bda9797c042cbae44c8aed29b31b853733c0676a687dc62676752197c05d
OskiStealer
fb91f67073fef8d391ccb08c31183ff2ff00e8a8ca0f71fb5bfce17fb0ddbd26
OskiStealer
+ 78 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210503-1yslrkdafn/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Unpacked files
SH256 hash:
627313c62d851ad8948930eaf1b3e18f7a34f6131e3502a59c357bd39615f07f
MD5 hash:
48a8b4e53668bae5b7ac1c5660a2ef5e
SHA1 hash:
8b776e6fdd9ca11feeca248e11f56c0f69efa682
Link:
https://www.unpac.me/results/ad153f4a-43af-4a35-bdbe-352fb5067fb9/
SH256 hash:
ede7a871fca7f195aca416b7fb3a4d65e71d841fe50fa8b9d2c6b7f6bcc6bb54
MD5 hash:
eb0765cc454eccbcc2809e29a7c52098
SHA1 hash:
237a51729be05f9a55ff9a467a71798a955058cd
Link:
https://www.unpac.me/results/ad153f4a-43af-4a35-bdbe-352fb5067fb9/
SH256 hash:
fc5da7e67cc4a77fc94a814cdde8b7c2705cf1fd09addfe91ee204647275538f
MD5 hash:
b188c5edfad98e6d1039796e8b988caf
SHA1 hash:
19b6c0b32f5add2f51645a8df94d1dc672e7c952
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/ad153f4a-43af-4a35-bdbe-352fb5067fb9/
Parent samples :
d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e
916bd03b40de6bfa498311e3a70d3e98c50e8255fd413d446daab77951224856
6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8
SH256 hash:
6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8
MD5 hash:
090148a4d527120eaaa7d5d2f0aa5bf1
SHA1 hash:
a5c6148505c3707580947351e9d07062979bb05d
Link:
https://www.unpac.me/results/ad153f4a-43af-4a35-bdbe-352fb5067fb9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe 6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1187862/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/148461/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 13:04:15 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program