MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74a4c90b44c56630cef55f461b176b8200b5c86fd31b4fde52602a4c725f47fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74a4c90b44c56630cef55f461b176b8200b5c86fd31b4fde52602a4c725f47fa
SHA3-384 hash: 8ec09d9d1534d0cfdc05b2f974dfa0a1c0560ce1f396e23a86f061042bcbdfba0a64f3d2ec785066115af86048c7b88e
SHA1 hash: ce52152e4ed64e5ef4f9c34d9b62056bf0dd5afb
MD5 hash: d06e8007f29254aa4401d33f3785d986
humanhash: sierra-sink-football-shade
File name:Po____062032.pdf.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:585'216 bytes
First seen:2021-06-03 05:53:10 UTC
Last seen:2021-06-03 06:54:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:YMEmM7AQD2zRBShglqYVeW8+wfOtvRyp1p/TGgJYFge:n+CS6qYYF+wfOvkGeYFg
Threatray 175 similar samples on MalwareBazaar
TLSH 32C4E121F2B48B8AE0185FB357359A000B743C537865D63D285A35FB44B2BE3266FA77
Reporter GovCERT_CH
Tags:exe OskiStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Po____062032.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-03 05:56:05 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/ee6882f3-7c79-4111-acd0-ceaaa307d42f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164267/
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796435
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74a4c90b44c56630cef55f461b176b8200b5c86fd31b4fde52602a4c725f47fa/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 05:54:10 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ossmsc2eyvtdbtxvl5dbwf3lqiallsdp2mnu7xssmavey4s7i75a._file
Verdict:
malicious
Similar samples:
017c0459b56b7e178721e18438dc793bbf2cd6cfe14481716a62441efcda3f0c
OskiStealer
07fc79c5c6b4bd6e705b227b25fcaf89629d695939bad84ceba042774f683cac
OskiStealer
2976262aeed56001f874b183072c03360a1dbcdde67bfdcc982078d3bc246857
OskiStealer
5a38b12ebce12dde580da36ee1b4a5c0387f9e81f7f738c278b60d5781dad6eb
OskiStealer
9db40f7f060e08b2891dc881c6f6d1ea165b56747b4302fd96e53d8bd194d8d5
OskiStealer
a5c9be9bcb214e69a39285a634f95e43fdf1ad10536bcc9bce84be7edb48cb31
OskiStealer
bf4a95df4ed9665758637f1f29705fd954aaf5a4b9e4e5d89025ddb6f8331904
OskiStealer
c41aa6d6eeac57851b0a00a619609ed764072881b85b7dad25ac30f2856eda43
OskiStealer
e0d22b336dbaf83cab6789c39802c8a0c2739b1642c1834265c621493212819b
OskiStealer
fdd6b649413776c157e7029b545d9e47a62b9decd6b2a11ca1708fd4363945a8
OskiStealer
+ 165 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski evasion infostealer
Link:
https://tria.ge/reports/210603-gx1z7sq1za/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Oski
Malware Config
C2 Extraction:
195.133.40.97
Unpacked files
SH256 hash:
222893c89bc62d463068c2eb4e3396b3f9c7ab10b1ba60fa97ea4e8f424bbec9
MD5 hash:
e2cc69ceabfaf2b1f80ec37382f64524
SHA1 hash:
f142165909737d2c765ee8ae7b0280c61ffe5256
Link:
https://www.unpac.me/results/0e916d10-2855-440e-8070-0a5e7610bbe2/
SH256 hash:
4346b1e7986afda5ee99f2ab78cbf5fba514e5a7359976bd2bf17cc814f4bd13
MD5 hash:
d6c0ca90be8b4553810c39bc8211ea20
SHA1 hash:
ab1bfa89a7904d727799d3f1d1cfaa01f30d613f
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/0e916d10-2855-440e-8070-0a5e7610bbe2/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/0e916d10-2855-440e-8070-0a5e7610bbe2/
SH256 hash:
74a4c90b44c56630cef55f461b176b8200b5c86fd31b4fde52602a4c725f47fa
MD5 hash:
d06e8007f29254aa4401d33f3785d986
SHA1 hash:
ce52152e4ed64e5ef4f9c34d9b62056bf0dd5afb
Link:
https://www.unpac.me/results/0e916d10-2855-440e-8070-0a5e7610bbe2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74a4c90b44c56630cef55f461b176b8200b5c86fd31b4fde52602a4c725f47fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

OskiStealer

Executable exe 74a4c90b44c56630cef55f461b176b8200b5c86fd31b4fde52602a4c725f47fa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164267/

Comments