MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 930ad6fbbfbac743f4097748a7af399d3fbb61b1ba36bc6230803dcdfb357640. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 10


Intelligence 10 IOCs 7 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 930ad6fbbfbac743f4097748a7af399d3fbb61b1ba36bc6230803dcdfb357640
SHA3-384 hash: 0fdc4ba0c7c540a6f4c39d87b34e9ffb7f4f9cea8f61f2db66a24d63e51f1056fcde299674b345782461ebc4c819bd58
SHA1 hash: 980367f1702c355961144c8f5cd6444c1f58baa8
MD5 hash: 16e153201be41825d56aaeac47183efd
humanhash: double-jupiter-apart-red
File name:16e153201be41825d56aaeac47183efd
Download: download sample
Signature OskiStealer
Create hunting rule
File size:831'488 bytes
First seen:2021-09-17 09:35:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ff0bb68e944131943365efbe4d5b9737 (4 x RemcosRAT, 1 x AveMariaRAT, 1 x OskiStealer)
ssdeep 24576:DMvnUyU3fec2QPesTbGIZHrIzvlZwXI7Dyj3SaH+MJF:DqUjes
Threatray 3'576 similar samples on MalwareBazaar
TLSH T14105295A92516F33C22F28399C56E7C884237D802D2ADFF912BCED763635691389D06F
dhash icon 0cb23272b98ce6d1 (6 x RemcosRAT, 5 x Formbook, 2 x DBatLoader)
Reporter zbetcheckin
Tags:32 exe OskiStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://103.141.138.110/p2//6.jpg https://threatfox.abuse.ch/ioc/222970/
http://103.141.138.110/p2//1.jpg https://threatfox.abuse.ch/ioc/222971/
http://103.141.138.110/p2//7.jpg https://threatfox.abuse.ch/ioc/222972/
http://103.141.138.110/p2//2.jpg https://threatfox.abuse.ch/ioc/222973/
http://103.141.138.110/p2//3.jpg https://threatfox.abuse.ch/ioc/222974/
http://103.141.138.110/p2//4.jpg https://threatfox.abuse.ch/ioc/222975/
http://103.141.138.110/p2//5.jpg https://threatfox.abuse.ch/ioc/222976/

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188635/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.2712.5000.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/61752a4e9a5a1e91c5d2077f/reports/03e4071e-ac69-44c3-a8f0-efa78ebb7a72/overview
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a2faf35-b9c3-417d-aff5-aa7c76ffd0f1
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852634
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Sigma detected: Execution from Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 485066 Sample: B6Q6lX4Jz5 Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 62 Multi AV Scanner detection for domain / URL 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected Oski Stealer 2->66 68 5 other signatures 2->68 8 Ymwqrsx.exe 13 2->8         started        12 B6Q6lX4Jz5.exe 1 22 2->12         started        15 Ymwqrsx.exe 14 2->15         started        process3 dnsIp4 58 162.159.130.233, 443, 49746, 49748 CLOUDFLARENETUS United States 8->58 74 Multi AV Scanner detection for dropped file 8->74 76 Detected unpacking (changes PE section rights) 8->76 78 Detected unpacking (overwrites its own PE header) 8->78 17 Ymwqrsx.exe 196 8->17         started        60 cdn.discordapp.com 162.159.133.233, 443, 49734, 49735 CLOUDFLARENETUS United States 12->60 54 C:\Users\Public\Libraries\Ymwqrsx.exe, PE32 12->54 dropped 80 Injects a PE file into a foreign processes 12->80 21 B6Q6lX4Jz5.exe 196 12->21         started        24 cmd.exe 1 12->24         started        26 cmd.exe 1 12->26         started        file5 signatures6 process7 dnsIp8 46 C:\ProgramData\vcruntime140.dll, PE32 17->46 dropped 48 C:\ProgramData\sqlite3.dll, PE32 17->48 dropped 50 C:\ProgramData\softokn3.dll, PE32 17->50 dropped 52 4 other files (none is malicious) 17->52 dropped 70 Tries to harvest and steal browser information (history, passwords, etc) 17->70 72 Tries to steal Crypto Currency Wallets 17->72 56 103.141.138.110, 49740, 49747, 49749 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 21->56 28 cmd.exe 1 21->28         started        30 reg.exe 1 24->30         started        32 conhost.exe 24->32         started        34 cmd.exe 1 26->34         started        36 conhost.exe 26->36         started        file9 signatures10 process11 process12 38 taskkill.exe 1 28->38         started        40 conhost.exe 28->40         started        42 conhost.exe 30->42         started        44 conhost.exe 34->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/930ad6fbbfbac743f4097748a7af399d3fbb61b1ba36bc6230803dcdfb357640/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 16:23:06 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smfnn657xlduh5ajo5ekplzztu73wynrxi3lyyrqqa6436zvozaa._file
Verdict:
malicious
Similar samples:
10410848d808e42758883ff2045ac5b10d16ad3d4155771483f0aba1f245a6e4
OskiStealer
42c682af79cf1b73127ebf00349a8c4cabccdf42d2e14f77cda67121f870d8bf
OskiStealer
a03b45dabcaf812402454befd876b2eafbdf9e967f3bb01e66f33f3cabbdebd5
OskiStealer
a2013616892886b9fcd2067d2e77436c5233653772f6a6f235a325b1122c34a9
OskiStealer
c254079e9a75cb708e28deb9c72c77689c53425f8256338343c06285bed8ebbe
OskiStealer
e65c6e141516a7d76fe7c1e3bcc5433758fa627dfd6c18f65504efcfa62d4855
OskiStealer
f5abfba489bfcef9819f0ca20cd54efc779d6091f6462b6083c363636739f41b
OskiStealer
+ 3'566 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer persistence spyware stealer suricata
Link:
https://tria.ge/reports/210917-lkz48saagl/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
103.141.138.110/p2/
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/a57692cd-5ae9-4757-a6c8-2ef43676510a/
SH256 hash:
930ad6fbbfbac743f4097748a7af399d3fbb61b1ba36bc6230803dcdfb357640
MD5 hash:
16e153201be41825d56aaeac47183efd
SHA1 hash:
980367f1702c355961144c8f5cd6444c1f58baa8
Link:
https://www.unpac.me/results/a57692cd-5ae9-4757-a6c8-2ef43676510a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/930ad6fbbfba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Oski Stealer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/930ad6fbbfbac743f4097748a7af399d3fbb61b1ba36bc6230803dcdfb357640

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe 930ad6fbbfbac743f4097748a7af399d3fbb61b1ba36bc6230803dcdfb357640

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1627203/
Cape
Cape
https://www.capesandbox.com/analysis/188635/

Comments


Avatar
zbet commented on 2021-09-17 09:35:49 UTC

url : hxxp://195.242.110.13/Anye.exe