MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85b04366a901afa7df0d75f192032dccaee58e83827d7bd71674e202043d4f90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 12


Intelligence 12 IOCs 7 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85b04366a901afa7df0d75f192032dccaee58e83827d7bd71674e202043d4f90
SHA3-384 hash: 2eb9ad387ba72d3a290fe31d15ba9675072c85610a658693ed0194457aff6cf471a0708e6f17ed18353e5cd23c6ac29a
SHA1 hash: df946045c50b64ec46c5964d3f3fe53dc17a3832
MD5 hash: 6ae3b362c05a0d47368dbe6e8512c01f
humanhash: pizza-chicken-beryllium-indigo
File name:6ae3b362c05a0d47368dbe6e8512c01f.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:647'168 bytes
First seen:2022-05-23 07:05:54 UTC
Last seen:2022-05-23 07:40:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PpA+k2cthiAD/k+QjyYCnOq3SclzTMfh34QoP+ob6Vqxzs+F3Wva:jtctDFQjtCnO+lXMpo9XsN
Threatray 4'406 similar samples on MalwareBazaar
TLSH T112D41260395C9FAACC6E4779DC6962DC13F04E02AD12E35BDFD9B1DEA932380C81255B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 688e33f0e8e071b2 (10 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://tvscreen.co.vu/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://tvscreen.co.vu/6.jpg https://threatfox.abuse.ch/ioc/627209/
http://tvscreen.co.vu/1.jpg https://threatfox.abuse.ch/ioc/627210/
http://tvscreen.co.vu/2.jpg https://threatfox.abuse.ch/ioc/627211/
http://tvscreen.co.vu/3.jpg https://threatfox.abuse.ch/ioc/627212/
http://tvscreen.co.vu/4.jpg https://threatfox.abuse.ch/ioc/627213/
http://tvscreen.co.vu/5.jpg https://threatfox.abuse.ch/ioc/627214/
http://tvscreen.co.vu/7.jpg https://threatfox.abuse.ch/ioc/627215/

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
6ae3b362c05a0d47368dbe6e8512c01f.exe
Verdict:
Malicious activity
Analysis date:
2022-05-23 07:07:09 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/c5c7166a-09e4-40ab-9114-cb9e216dab18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273561/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628b32686eb3ff326322d27d/reports/64c9e077-b4fa-4836-b7a9-b5afc9d451ea/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e05b2ce-68a0-4a4e-a35e-ef1e005edeeb
Result
Threat name:
Oski Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999578
Signature
.NET source code contains potential unpacker
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Oski Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85b04366a901afa7df0d75f192032dccaee58e83827d7bd71674e202043d4f90/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 07:06:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qwyegzvjagx2pxynoxyzeaznzsxoldudqj6xxvywotraebb5j6ia._file
Verdict:
malicious
Similar samples:
14a2149ffb9dc7a2bfa96e92ee4d7052222d5550431ffebc471b31859b397024
OskiStealer
191db013c67081442ef5e75edd00c2572f6ec9d7f629ddac9bba8942722c061d
OskiStealer
48d338ba06ada3da080eeeddb8a267b1b677dc9c3670f13e333ec8c73ff1b02c
OskiStealer
8399c97b606bb6613f99006964a47064e402e6489574b85db7a9872f601886b2
OskiStealer
ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61
OskiStealer
fabe67cd06d71d24a03fe0d11e62e975de4c58903bcbc35f48a3a566970c228c
OskiStealer
+ 4'396 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer suricata
Link:
https://tria.ge/reports/220523-hw3sqacad8/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Malware Config
C2 Extraction:
tvscreen.co.vu
Unpacked files
SH256 hash:
0d5c224779d203043f9da25c6dcb8398b775e93703cecf1b6375d44a88d7adac
MD5 hash:
c4d44c9685847edfa12a4742482723bb
SHA1 hash:
d15a85270adf5059bfe3a189406520757657b505
Link:
https://www.unpac.me/results/3d5277df-46b0-435d-8675-b6fe5ba7b3dc/
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/3d5277df-46b0-435d-8675-b6fe5ba7b3dc/
SH256 hash:
4615b879a8d37c733de2ecde5671df91cfb918037af39dc50fc45e2b40a512c9
MD5 hash:
ba1c4b8afb07bce9cdda005c8aa961f3
SHA1 hash:
a4d492ab07d2e19e10000f99e212cfe50d6d4139
Link:
https://www.unpac.me/results/3d5277df-46b0-435d-8675-b6fe5ba7b3dc/
SH256 hash:
84cf69f3dd45b2f9e6249222e050c647d839e5f0592b505537da997d24551bf6
MD5 hash:
737a8ac62307679c1bafc32e08b1bd6c
SHA1 hash:
68468db3347561f505b077937e3bc70b57dd3c82
Link:
https://www.unpac.me/results/3d5277df-46b0-435d-8675-b6fe5ba7b3dc/
SH256 hash:
5f79d8b10712475ad791625767c083eed1cc2934a47f0b9bdf91e235be4b959c
MD5 hash:
d11ddc37c77db7c4fa35759e8cbe1554
SHA1 hash:
091bc361f4a48d1962ce7d1e3517afe611fabec3
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/3d5277df-46b0-435d-8675-b6fe5ba7b3dc/
SH256 hash:
85b04366a901afa7df0d75f192032dccaee58e83827d7bd71674e202043d4f90
MD5 hash:
6ae3b362c05a0d47368dbe6e8512c01f
SHA1 hash:
df946045c50b64ec46c5964d3f3fe53dc17a3832
Link:
https://www.unpac.me/results/3d5277df-46b0-435d-8675-b6fe5ba7b3dc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85b04366a901/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85b04366a901afa7df0d75f192032dccaee58e83827d7bd71674e202043d4f90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe 85b04366a901afa7df0d75f192032dccaee58e83827d7bd71674e202043d4f90

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2198006/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/273561/

Comments