MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90d1b1d870c2b99c0d9773afc353bf3e96cc5806169f911753362f2fb41d1934. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 11


Intelligence 11 IOCs 7 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90d1b1d870c2b99c0d9773afc353bf3e96cc5806169f911753362f2fb41d1934
SHA3-384 hash: 9d019a04197bddee028458a96f4da313cf0442613f611df72762d426e42787c03f6096eab309c5968e51a0b2eed67e80
SHA1 hash: f053fb5d416aa735352566cc8373b596714393bb
MD5 hash: 29851bb481e2b1f6cc1a56bd198cd9a2
humanhash: salami-grey-asparagus-triple
File name:Wells Fargo ACH payment.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:706'048 bytes
First seen:2021-07-16 17:35:53 UTC
Last seen:2021-07-16 19:43:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:peDVI4xSms4ZKlRI/mpKRxW1mT8+htO3vKrTs4yVMqPraV/gG9QNTgCrPy:UVIFmDYRI/mkRxW136t4KvsNVTW2G9Qc
Threatray 1'778 similar samples on MalwareBazaar
TLSH T1C9E4123C5365FB67C9BC01B48401460B47F2EF269A93E74E2D98F1F86E7278126119EB
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://mmcjo.com/crown//6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://mmcjo.com/crown//6.jpg https://threatfox.abuse.ch/ioc/160797/
http://mmcjo.com/crown//1.jpg https://threatfox.abuse.ch/ioc/160798/
http://mmcjo.com/crown//2.jpg https://threatfox.abuse.ch/ioc/160799/
http://mmcjo.com/crown//3.jpg https://threatfox.abuse.ch/ioc/160800/
http://mmcjo.com/crown//4.jpg https://threatfox.abuse.ch/ioc/160801/
http://mmcjo.com/crown//5.jpg https://threatfox.abuse.ch/ioc/160802/
http://mmcjo.com/crown//7.jpg https://threatfox.abuse.ch/ioc/160803/

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Wells Fargo ACH payment.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 17:39:31 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/46154b18-98c3-450a-b678-b10041deedc2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172240/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/679fd08b-c7a6-469e-b4c7-ee1250efbe0f
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817622
Signature
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450033 Sample: Wells Fargo ACH payment.exe Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Oski Stealer 2->48 50 8 other signatures 2->50 8 Wells Fargo ACH payment.exe 7 2->8         started        process3 file4 26 C:\Users\user\AppData\Roaming\crBXjImL.exe, PE32 8->26 dropped 28 C:\Users\...\crBXjImL.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\Local\...\tmpBA2F.tmp, XML 8->30 dropped 32 C:\Users\...\Wells Fargo ACH payment.exe.log, ASCII 8->32 dropped 11 Wells Fargo ACH payment.exe 193 8->11         started        16 schtasks.exe 1 8->16         started        process5 dnsIp6 42 mmcjo.com 160.153.133.86, 49720, 80 GODADDY-AMSDE United States 11->42 34 C:\ProgramData\vcruntime140.dll, PE32 11->34 dropped 36 C:\ProgramData\sqlite3.dll, PE32 11->36 dropped 38 C:\ProgramData\softokn3.dll, PE32 11->38 dropped 40 4 other files (none is malicious) 11->40 dropped 52 Tries to harvest and steal browser information (history, passwords, etc) 11->52 54 Tries to steal Crypto Currency Wallets 11->54 18 cmd.exe 1 11->18         started        20 conhost.exe 16->20         started        file7 signatures8 process9 process10 22 taskkill.exe 1 18->22         started        24 conhost.exe 18->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90d1b1d870c2b99c0d9773afc353bf3e96cc5806169f911753362f2fb41d1934/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 17:36:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
12 of 28 (42.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdi3dwdqyk4zydmxoox4gu57h2lmywagc2pzcf2tgyxs7na5de2a._file
Verdict:
malicious
Similar samples:
04739bba7ef80f72f47dd22eb66b9fddb6f48b5c3744b1f9cc6018615aa11bd6
OskiStealer
0768e83e8d36f21ea90867dcf3935ee48795daf2e4a0017979e752b865c95d9e
OskiStealer
12f5634cd28b25f6dcde9a1d7902d64ab4ded48b50e06e4ec0f583e03a156125
OskiStealer
138ccd9e494958214619110418407a634db9d8b073be4ffcd7d23083b58fb945
OskiStealer
37f96df377557cad9bdb2caa4064bbf4dd862e935a64e1d802d445358695e15c
OskiStealer
3cabdecbde62bcbd0f3528e45decf78d85e1b1d827a9cd19bb3cc1371d0cacae
OskiStealer
4b550c500aae1686f38edfc7e28fe3a7939b997e01ee73a432c0caa7ea69892b
OskiStealer
5f55898f4f260025ec6507f92ed128dcd90f5f83d14b507282352f4c79fb71bc
OskiStealer
b2454961c84e927b086719e0bae8016bee823e17402fb0feca8bda4e63ff009c
OskiStealer
c41aa6d6eeac57851b0a00a619609ed764072881b85b7dad25ac30f2856eda43
OskiStealer
+ 1'768 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210716-gcnr11w7y6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
mmcjo.com/crown/
Unpacked files
SH256 hash:
b78520fd0bfc19c1277ffe0de68f53eda25a8f76ab32985798d512d9ac6b32e8
MD5 hash:
be48ad322171c4de34c222ec41b1f5c9
SHA1 hash:
c08a83e9bfeb9bddb1982f1528bf490052b1d5b8
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/79821df7-f5f7-48fb-bc6d-79cc9953e20d/
Parent samples :
90d1b1d870c2b99c0d9773afc353bf3e96cc5806169f911753362f2fb41d1934
e8b4e90cb7a9233231088d027c2c090aafc143c77e1f46d34d6b206c2c797419
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/79821df7-f5f7-48fb-bc6d-79cc9953e20d/
SH256 hash:
7f6ef6efe0363079469a0f7ddd95898e9422c2b4d6e0e54971fda25c02d4c65b
MD5 hash:
504736829fd260641016c512a9a86bb6
SHA1 hash:
44af8756603bc09629ec5a0367bf53ce0a5a2106
Link:
https://www.unpac.me/results/79821df7-f5f7-48fb-bc6d-79cc9953e20d/
SH256 hash:
d5258e38ecd640cc07042fd2a5a5fab4b6e948ebe96d04472b1e3641a3b79092
MD5 hash:
34620e2a7416b4ef8ffc488e896ce99c
SHA1 hash:
1fdbc3e38aec63e18ada5a45b0d032a7358d575a
Link:
https://www.unpac.me/results/79821df7-f5f7-48fb-bc6d-79cc9953e20d/
SH256 hash:
90d1b1d870c2b99c0d9773afc353bf3e96cc5806169f911753362f2fb41d1934
MD5 hash:
29851bb481e2b1f6cc1a56bd198cd9a2
SHA1 hash:
f053fb5d416aa735352566cc8373b596714393bb
Link:
https://www.unpac.me/results/79821df7-f5f7-48fb-bc6d-79cc9953e20d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90d1b1d870c2b99c0d9773afc353bf3e96cc5806169f911753362f2fb41d1934

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172240/

Comments