MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 926962feeeae5258e6d7bc03c9561cb19912e44b587a1eb30f54f52db479254c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 12


Intelligence 12 IOCs 7 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 926962feeeae5258e6d7bc03c9561cb19912e44b587a1eb30f54f52db479254c
SHA3-384 hash: b3bb7c8065bfdf085fc17152eb2e69e7123a569c6aa828b0c9d0e673784f5652b4ecc031753911228befb27b918bafce
SHA1 hash: e1cb9c502536f14f0760c4404b307a4804cb14c8
MD5 hash: 42752f5ad56e5b7db47f5cade7e84abc
humanhash: crazy-romeo-papa-coffee
File name:42752f5ad56e5b7db47f5cade7e84abc.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:872'960 bytes
First seen:2021-09-26 19:26:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:iA6TFu1QNBwl+iFp5AyzeX25x64dYLopX+Fogqsb/hyDVebw:oTFu1e0+ajeXGXR6o1
Threatray 13'146 similar samples on MalwareBazaar
TLSH T1F505C0202264C26AE1F7EB7CE436D4718B3EE983A035D95E5DC3D8DA0D25341851BFAB
File icon (PE):PE icon
dhash icon f4cccc9cd6dce4f4 (8 x AveMariaRAT, 3 x OskiStealer, 3 x AgentTesla)
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://schulenburgrvpark.com/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://schulenburgrvpark.com/6.jpg https://threatfox.abuse.ch/ioc/226862/
http://schulenburgrvpark.com/1.jpg https://threatfox.abuse.ch/ioc/226863/
http://schulenburgrvpark.com/2.jpg https://threatfox.abuse.ch/ioc/226864/
http://schulenburgrvpark.com/3.jpg https://threatfox.abuse.ch/ioc/226865/
http://schulenburgrvpark.com/4.jpg https://threatfox.abuse.ch/ioc/226866/
http://schulenburgrvpark.com/5.jpg https://threatfox.abuse.ch/ioc/226867/
http://schulenburgrvpark.com/7.jpg https://threatfox.abuse.ch/ioc/226868/

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
42752f5ad56e5b7db47f5cade7e84abc.exe
Verdict:
Malicious activity
Analysis date:
2021-09-26 19:27:49 UTC
Tags:
loader
Link:
https://app.any.run/tasks/2bdb9263-9025-4030-b084-f9e29136a676

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191842/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the shell\open\command registry branches
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f353b6c-acbe-46ef-95f6-928c3587631b
Result
Threat name:
AgentTesla Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858517
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 490948 Sample: AsDNzvikjM.exe Startdate: 26/09/2021 Architecture: WINDOWS Score: 100 116 Multi AV Scanner detection for domain / URL 2->116 118 Antivirus detection for URL or domain 2->118 120 Multi AV Scanner detection for dropped file 2->120 122 14 other signatures 2->122 10 AsDNzvikjM.exe 3 7 2->10         started        14 LKkBk.exe 5 2->14         started        16 LKkBk.exe 2->16         started        process3 file4 88 C:\Users\user\AppData\Local\...\tmpA986.tmp, XML 10->88 dropped 90 C:\Users\user\AppData\...\AsDNzvikjM.exe.log, ASCII 10->90 dropped 92 C:\Users\user\AppData\...\tlZLQDWEhCq.exe, PE32 10->92 dropped 132 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->132 134 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->134 136 Uses schtasks.exe or at.exe to add and modify task schedules 10->136 138 Adds a directory exclusion to Windows Defender 10->138 18 AsDNzvikjM.exe 17 7 10->18         started        23 powershell.exe 25 10->23         started        25 schtasks.exe 1 10->25         started        140 Injects a PE file into a foreign processes 14->140 27 LKkBk.exe 14->27         started        29 schtasks.exe 14->29         started        signatures5 process6 dnsIp7 96 pizzaitaliano.ca 192.185.181.6, 49799, 49806, 80 UNIFIEDLAYER-AS-1US United States 18->96 98 smtp.mail.ru 94.100.180.160, 49815, 587 MAILRU-ASMailRuRU Russian Federation 18->98 100 www.pizzaitaliano.ca 18->100 74 C:\Users\user\AppData\Roaming\...\LKkBk.exe, PE32 18->74 dropped 76 C:\Users\user\...\LKkBk.exe:Zone.Identifier, ASCII 18->76 dropped 124 Tries to steal Mail credentials (via file access) 18->124 126 Tries to harvest and steal ftp login credentials 18->126 128 Tries to harvest and steal browser information (history, passwords, etc) 18->128 130 2 other signatures 18->130 31 app.exe 18->31         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        102 www.pizzaitaliano.ca 27->102 78 C:\Users\user\AppData\Local\Temp\app.exe, PE32 27->78 dropped 39 app.exe 27->39         started        41 conhost.exe 29->41         started        file8 signatures9 process10 file11 94 C:\Users\user\AppData\...\vhdkcrwsNOIJ.exe, PE32 31->94 dropped 108 Multi AV Scanner detection for dropped file 31->108 110 Machine Learning detection for dropped file 31->110 112 Adds a directory exclusion to Windows Defender 31->112 43 app.exe 31->43         started        47 powershell.exe 31->47         started        49 schtasks.exe 31->49         started        114 Injects a PE file into a foreign processes 39->114 51 app.exe 39->51         started        54 schtasks.exe 39->54         started        signatures12 process13 dnsIp14 104 schulenburgrvpark.com 69.194.233.139, 49801, 49807, 80 IHNETUS United States 43->104 106 192.168.2.1 unknown unknown 43->106 56 cmd.exe 43->56         started        58 conhost.exe 47->58         started        60 conhost.exe 49->60         started        80 C:\ProgramData\vcruntime140.dll, PE32 51->80 dropped 82 C:\ProgramData\sqlite3.dll, PE32 51->82 dropped 84 C:\ProgramData\softokn3.dll, PE32 51->84 dropped 86 4 other files (none is malicious) 51->86 dropped 142 Tries to harvest and steal browser information (history, passwords, etc) 51->142 144 Tries to steal Crypto Currency Wallets 51->144 62 cmd.exe 51->62         started        64 conhost.exe 54->64         started        file15 signatures16 process17 process18 66 conhost.exe 56->66         started        68 taskkill.exe 56->68         started        70 conhost.exe 62->70         started        72 taskkill.exe 62->72         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/926962feeeae5258e6d7bc03c9561cb19912e44b587a1eb30f54f52db479254c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 19:27:07 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjuwf7xovzjfrzwxxqb4svq4wgmrfzcllb5b5mypkt2s3ndzevga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4fab57203daa45d7bed9b0dbf64ab4bceb1b5d523a14f769e60aa595e53f78a1
OskiStealer
6e15e0a1a16d9b751be92a7407ff5412c3f32129f9d9ef5cf6ae4ea3e88edc7e
OskiStealer
8e55c4365371bd684ac3f4e58d360c98355359c0598d2448d201b2702efc1549
OskiStealer
fcf2392e4f6cff50cca5aa9d3cfa76da02eabc86a698758f5bee49ec4ffe2620
OskiStealer
+ 13'136 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:oski discovery infostealer keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210926-x5376sfbgp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
schulenburgrvpark.com
Unpacked files
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/e9e95dd5-7b6b-4626-8648-93a818b13cdc/
SH256 hash:
ed0f3188869822cb23b9949bfb57e6740c2cc1f43616ff4cd038e30d2cdc8b77
MD5 hash:
2f7337963e1e8d6b65fdddebca5a769f
SHA1 hash:
a8d3d3a24d31508deac1828b63aa112375a9e346
Link:
https://www.unpac.me/results/e9e95dd5-7b6b-4626-8648-93a818b13cdc/
SH256 hash:
80c86b781de7e2ea3ee21a462fd8d40fb81aacd28921f8f8110981295ff62e17
MD5 hash:
095a2bd65e34bce035016a0ab543e417
SHA1 hash:
6d83e101e5b945b3e6fc3f5133ce3bef813ad8db
Link:
https://www.unpac.me/results/e9e95dd5-7b6b-4626-8648-93a818b13cdc/
SH256 hash:
85f4f82288d4edb96a022f0290b54f3e9ca7e403c245d9b24e873729ab0de395
MD5 hash:
6badf3385177f9da8197dae773bab746
SHA1 hash:
380c8698decdf7f186b5c59f80c9956a1836c8fc
Link:
https://www.unpac.me/results/e9e95dd5-7b6b-4626-8648-93a818b13cdc/
SH256 hash:
926962feeeae5258e6d7bc03c9561cb19912e44b587a1eb30f54f52db479254c
MD5 hash:
42752f5ad56e5b7db47f5cade7e84abc
SHA1 hash:
e1cb9c502536f14f0760c4404b307a4804cb14c8
Link:
https://www.unpac.me/results/e9e95dd5-7b6b-4626-8648-93a818b13cdc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/926962feeeae5258e6d7bc03c9561cb19912e44b587a1eb30f54f52db479254c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/191842/

Comments