MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84cdb9ed95d361af46291bf3423855d70adbb56d0e9fd51f325537b249233730. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 10


Intelligence 10 IOCs 7 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84cdb9ed95d361af46291bf3423855d70adbb56d0e9fd51f325537b249233730
SHA3-384 hash: 647bd90340cbe71fa41fe69983e94eb74ad89152e22c9e2780d3fcc769ca81f72b720d934e26756e1045fb0ddfa8afed
SHA1 hash: 6853dbbbbc69ab661d3dfb79491e1f0017d33529
MD5 hash: 1eef9d19ccbabcbcfd3b1509e54886c8
humanhash: muppet-magazine-gee-mobile
File name:9VJhD2bmjXNfdk0.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:1'532'416 bytes
First seen:2021-06-11 09:00:16 UTC
Last seen:2021-06-11 09:57:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:KQPNeBUdtwsEgwsoe/z8YEoqSg5LlJfH7cxPYokFLJ3lp5VmwTEuXKwhzMIDsxTo:RwBUwsEgwsoe5U/BldbcxAok1dXVTEuJ
Threatray 1'491 similar samples on MalwareBazaar
TLSH 7465BE1066009B51D12947758C23D6B04FB0AD0EEEE6C64E7DEB7C9F38717B21A2E25E
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://45.180.174.39/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.180.174.39/6.jpg https://threatfox.abuse.ch/ioc/85849/
http://45.180.174.39/1.jpg https://threatfox.abuse.ch/ioc/85850/
http://45.180.174.39/2.jpg https://threatfox.abuse.ch/ioc/85851/
http://45.180.174.39/3.jpg https://threatfox.abuse.ch/ioc/85852/
http://45.180.174.39/4.jpg https://threatfox.abuse.ch/ioc/85853/
http://45.180.174.39/5.jpg https://threatfox.abuse.ch/ioc/85854/
http://45.180.174.39/7.jpg https://threatfox.abuse.ch/ioc/85855/

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9VJhD2bmjXNfdk0.exe
Verdict:
Malicious activity
Analysis date:
2021-06-11 09:02:25 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/8fcbeadd-1993-4744-a1ed-7d9529dc8359

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/166056/
Detection(s):
SecuriteInfo.com.Artemis1EEF9D19CCBA.30152.10887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6cd19bc-42ad-4db1-abf1-48f3e46ba5be
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800728
Signature
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 433124 Sample: 9VJhD2bmjXNfdk0.exe Startdate: 11/06/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Yara detected Oski Stealer 2->43 45 Yara detected AntiVM3 2->45 47 5 other signatures 2->47 8 9VJhD2bmjXNfdk0.exe 6 2->8         started        process3 file4 27 C:\Users\user\AppData\Local\...\tmp5757.tmp, XML 8->27 dropped 29 C:\Users\user\AppData\Roaming\WcGngZ.exe, PE32 8->29 dropped 49 Uses schtasks.exe or at.exe to add and modify task schedules 8->49 51 Injects a PE file into a foreign processes 8->51 12 9VJhD2bmjXNfdk0.exe 193 8->12         started        17 schtasks.exe 1 8->17         started        signatures5 process6 dnsIp7 39 45.180.174.39, 49712, 80 PINHALTELECOMLTDABR Chile 12->39 31 C:\ProgramData\vcruntime140.dll, PE32 12->31 dropped 33 C:\ProgramData\sqlite3.dll, PE32 12->33 dropped 35 C:\ProgramData\softokn3.dll, PE32 12->35 dropped 37 4 other files (none is malicious) 12->37 dropped 53 Tries to harvest and steal browser information (history, passwords, etc) 12->53 55 Tries to steal Crypto Currency Wallets 12->55 19 cmd.exe 1 12->19         started        21 conhost.exe 17->21         started        file8 signatures9 process10 process11 23 taskkill.exe 1 19->23         started        25 conhost.exe 19->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84cdb9ed95d361af46291bf3423855d70adbb56d0e9fd51f325537b249233730/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-11 08:53:18 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtg3t3mv2nq26rrjdpzueocv24fnxnlnb2p5khzsku33esjdg4ya._file
Verdict:
unknown
Similar samples:
033dd7d02172855d2e61e1dcfae24bdeb9136310503e06bf7079ef78db9422ae
OskiStealer
0c38c10261c2ae14822b19d1ebc54ad4ab417961b5f324716bb85a2038e3bb15
OskiStealer
1553300557f17e7cb62c914616267bc733854b98a0edc5215d901cc4f8e4d0f0
OskiStealer
1860347130f68ba0d084750816ca0fc532b8647d89e36ff53c0355e73a46d332
OskiStealer
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
OskiStealer
916bd03b40de6bfa498311e3a70d3e98c50e8255fd413d446daab77951224856
OskiStealer
c09ced50c5dacaf28676dfaa0abff8f4b53fb4516c93fa5acd000e481841dd7b
OskiStealer
c41aa6d6eeac57851b0a00a619609ed764072881b85b7dad25ac30f2856eda43
OskiStealer
dfe493ec90b4d3114618d81d5d222b6919317387445c21bf58e3ca4b26300aef
OskiStealer
ed9d96725b88ce0a3caee6d98c11369fb84a1d7eca3847db66abe63c49955f73
OskiStealer
+ 1'481 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210611-6f4r7e23je/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
45.180.174.39
Unpacked files
SH256 hash:
e987e066b6b1ca5c3698a367d405b671a7f33e388289cb6b191faf4796478596
MD5 hash:
8b3814abb5e9cd9fb5da34bc71a4afc2
SHA1 hash:
8005c030dd9d0c1f146d18c4597f0a0f55e16577
Link:
https://www.unpac.me/results/d605b0a5-f948-4f58-a3c0-5ba9c5fee964/
SH256 hash:
84cdb9ed95d361af46291bf3423855d70adbb56d0e9fd51f325537b249233730
MD5 hash:
1eef9d19ccbabcbcfd3b1509e54886c8
SHA1 hash:
6853dbbbbc69ab661d3dfb79491e1f0017d33529
Link:
https://www.unpac.me/results/d605b0a5-f948-4f58-a3c0-5ba9c5fee964/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84cdb9ed95d361af46291bf3423855d70adbb56d0e9fd51f325537b249233730

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166056/

Comments