MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d12860910f95752bab43166470d3ac6dd1b8be3599bae2fca48aa1d01d1034a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 12

Intelligence 12 IOCs 7 YARA 3 File information Comments

SHA256 hash:	7d12860910f95752bab43166470d3ac6dd1b8be3599bae2fca48aa1d01d1034a
SHA3-384 hash:	78737354168cf1d3c04724b1cc58ef38c05c9505d9154497bb8d154ec0748c3f760e4ea63fe5a81fb78f09c7ce9af17f
SHA1 hash:	bdf3d1ee7760dea64c34cd93c4103ad100a9bf9e
MD5 hash:	d89300e103bfd617274ee22294bcc16c
humanhash:	aspen-violet-victor-paris
File name:	Payment_Advice.exe
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	777'216 bytes
First seen:	2021-08-31 17:20:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:7JAPTiU4IvFjEqIZg/0e6WJjHYhBY8NP7FFNG+B3IKKLnGENHp6XhBgR7NCE:KriRIvBEqIZ1kHsNPDN9lLKLNHwRB
Threatray	3'243 similar samples on MalwareBazaar
TLSH	T1E1F41C7F19BDA127A175C6F58BD78413F0018BAF31206924B6D643264323A7AB5F336E
Reporter	GovCERT_CH
Tags:	exe OskiStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://bctpump.us/6.jpg	https://threatfox.abuse.ch/ioc/203872/
http://bctpump.us/1.jpg	https://threatfox.abuse.ch/ioc/203873/
http://bctpump.us/2.jpg	https://threatfox.abuse.ch/ioc/203874/
http://bctpump.us/3.jpg	https://threatfox.abuse.ch/ioc/203875/
http://bctpump.us/4.jpg	https://threatfox.abuse.ch/ioc/203876/
http://bctpump.us/5.jpg	https://threatfox.abuse.ch/ioc/203877/
http://bctpump.us/7.jpg	https://threatfox.abuse.ch/ioc/203878/

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment_Advice.exe

Verdict:

Malicious activity

Analysis date:

2021-08-31 17:21:46 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/af27d5bc-a70c-4ee5-bf5a-c51ce68ef5ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/184274/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

DNS request

Connection attempt

Deleting a recently created file

Reading critical registry keys

Replacing files

Delayed writing of the file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Forced shutdown of a system process

Stealing user critical data

Launching a tool to kill processes

Unauthorized injection to a system process

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6aa15ecb-eae7-4401-8c37-7d4f151c1479

Result

Threat name:

Oski Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/842856

Signature

Allocates memory in foreign processes

DLL side loading technique detected

Downloads files with wrong headers with respect to MIME Content-Type

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Posts data to a JPG file (protocol mismatch)

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d12860910f95752bab43166470d3ac6dd1b8be3599bae2fca48aa1d01d1034a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-31 15:38:36 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pujimciq7flvfovugfteodj2y3orxc7dlgn24l6kjcvb2aoranfa._file

Verdict:

malicious

OskiStealer

223dfd54929007ac23d6a20dbcf81a519a14f1c4061d23afcb761b75796042d2

OskiStealer

42c682af79cf1b73127ebf00349a8c4cabccdf42d2e14f77cda67121f870d8bf

OskiStealer

43460a1724b2521dd5e97c68c16edfce9caf22d49452efd956a64db91b5935a7

OskiStealer

44aa270e4c081241057bad8c1d0ea5864087325f8e3209aa10747f108123f718

OskiStealer

60d1297adb502d942493a794945336aea891d2c321476ef3349ac07726fca7c3

OskiStealer

83e8782266edec54f4c451f60e2095864c8a9d817e7296076e128c686a6bfea3

OskiStealer

a03b45dabcaf812402454befd876b2eafbdf9e967f3bb01e66f33f3cabbdebd5

OskiStealer

c254079e9a75cb708e28deb9c72c77689c53425f8256338343c06285bed8ebbe

OskiStealer

+ 3'233 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski infostealer spyware

Link:

https://tria.ge/reports/210831-1d5chaevve/

Behaviour

Checks processor information in registry

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Downloads MZ/PE file

Oski

Malware Config

C2 Extraction:

http://bctpump.us

Unpacked files

SH256 hash:

f942d2cab554777a231753aaa425c3041c922012369684d6e4a91a9960f3511e

MD5 hash:

3a658f5a533ca8728d8e3d23e1fc6265

SHA1 hash:

f36f1ac80abf620c986b08147d6144e239aeaa09

Link:

https://www.unpac.me/results/1c8ef4c3-6716-43b3-885d-bf1c19e8790c/

SH256 hash:

8e03f35b69cfaa3dd1969957d7947c91e56df9670ea6a5db5975c3376d359ee0

MD5 hash:

87017c5617759bca27207d528697bdc3

SHA1 hash:

919a1a153ab4b6d1b42a934e1b9741daa15db268

Detections:

win_oski_g0

win_oski_auto

Link:

https://www.unpac.me/results/1c8ef4c3-6716-43b3-885d-bf1c19e8790c/

Parent samples :

7d12860910f95752bab43166470d3ac6dd1b8be3599bae2fca48aa1d01d1034a
5ffe71b977866248e55612e20cea0bf3ad51a50896443d791081f58b49cdc5df
2ca6487650676dfac02da8af32d2eea7c0a2162ff5c9881c54f698beac6921c4
091fb99d751df7e9e867422f401ff7181adc35c6f90ad2c8aafd54e3ec724771
21ac6486349c780cc40e9ab611d1e918a2919ba01d360572534c1da745b338a6

SH256 hash:

81f9eac76804c02f5baaa34c91b5775f965a34ad7811218d9c24e50cb6d9a90c

MD5 hash:

bae511742374b721136acaa03b0c1fa0

SHA1 hash:

215c50455b01a78ea173bbb034ddbe4b452ea734

Link:

https://www.unpac.me/results/1c8ef4c3-6716-43b3-885d-bf1c19e8790c/

SH256 hash:

7d12860910f95752bab43166470d3ac6dd1b8be3599bae2fca48aa1d01d1034a

MD5 hash:

d89300e103bfd617274ee22294bcc16c

SHA1 hash:

bdf3d1ee7760dea64c34cd93c4103ad100a9bf9e

Link:

https://www.unpac.me/results/1c8ef4c3-6716-43b3-885d-bf1c19e8790c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7d12860910f9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7d12860910f95752bab43166470d3ac6dd1b8be3599bae2fca48aa1d01d1034a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

OskiStealer

exe 7d12860910f95752bab43166470d3ac6dd1b8be3599bae2fca48aa1d01d1034a

(this sample)

Dropped by

OskiStealer

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/184274/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample