MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9895bb45438484629059895f9a1eede851a6a0e33ea8d9fd4a452500e01c2ee5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 11


Intelligence 11 IOCs 7 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9895bb45438484629059895f9a1eede851a6a0e33ea8d9fd4a452500e01c2ee5
SHA3-384 hash: e79876a599da8827467e9624d263057f2a1e97d15424fe4e344571b582c14cc20aaafe3535157e39c4ac910bf71aeeda
SHA1 hash: 226acf3605782b9c080573fb7ec16312ec1bfa86
MD5 hash: c71ab91fdc1c2b65b4a6af5a920a10e0
humanhash: spring-north-apart-butter
File name:c71ab91fdc1c2b65b4a6af5a920a10e0.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:735'744 bytes
First seen:2021-09-30 05:01:50 UTC
Last seen:2021-09-30 06:04:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:MbQ+X8+UiDLbRHahnUaUF5ZEvAzfWLEl4M4u98Tfi1:MbQ+X8+UiDLbRHahnUaUnZE6H8Tfi
Threatray 3'728 similar samples on MalwareBazaar
TLSH T1D8F48D54F11CD2B9FE1826B1293DFCC815F82EA8147DF91BBA97B1E224B9E3154B0097
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://dellproductz.xyz/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://dellproductz.xyz/6.jpg https://threatfox.abuse.ch/ioc/228330/
http://dellproductz.xyz/1.jpg https://threatfox.abuse.ch/ioc/228331/
http://dellproductz.xyz/2.jpg https://threatfox.abuse.ch/ioc/228332/
http://dellproductz.xyz/3.jpg https://threatfox.abuse.ch/ioc/228333/
http://dellproductz.xyz/4.jpg https://threatfox.abuse.ch/ioc/228334/
http://dellproductz.xyz/5.jpg https://threatfox.abuse.ch/ioc/228335/
http://dellproductz.xyz/7.jpg https://threatfox.abuse.ch/ioc/228336/

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c71ab91fdc1c2b65b4a6af5a920a10e0.exe
Verdict:
Malicious activity
Analysis date:
2021-09-30 05:03:30 UTC
Tags:
trojan stealer vidar loader phishing
Link:
https://app.any.run/tasks/f954d763-59a7-4687-a2df-27917fcda1c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193300/
Detection(s):
SecuriteInfo.com.ArtemisC71AB91FDC1C.19030.4392.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e6aa435-727a-4c48-bb69-e39db247e868
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861517
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
DLL side loading technique detected
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Performs DNS queries to domains with low reputation
Posts data to a JPG file (protocol mismatch)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9895bb45438484629059895f9a1eede851a6a0e33ea8d9fd4a452500e01c2ee5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-30 05:02:07 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tck3wrkdqscgfeczrfpzuhxn5bi2nihdh2unt7kkiusqbya4f3sq._file
Verdict:
malicious
Similar samples:
06c8a1e6544aede327bad32a5732d5bcfff143da73da01d34938efbe917e3289
OskiStealer
42c682af79cf1b73127ebf00349a8c4cabccdf42d2e14f77cda67121f870d8bf
OskiStealer
43460a1724b2521dd5e97c68c16edfce9caf22d49452efd956a64db91b5935a7
OskiStealer
44aa270e4c081241057bad8c1d0ea5864087325f8e3209aa10747f108123f718
OskiStealer
5953d0e6904dcb824fe1afde62ed8c2e2266f9f074514d395a31b759013e846f
OskiStealer
5ffe71b977866248e55612e20cea0bf3ad51a50896443d791081f58b49cdc5df
OskiStealer
83e8782266edec54f4c451f60e2095864c8a9d817e7296076e128c686a6bfea3
OskiStealer
a03b45dabcaf812402454befd876b2eafbdf9e967f3bb01e66f33f3cabbdebd5
OskiStealer
d950a4ee53971eb72e947a01bb1093a04676b7587fc0c6ccc26d9c964b1fc916
OskiStealer
+ 3'718 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski infostealer spyware suricata
Link:
https://tria.ge/reports/210930-fn5k8sgecq/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
dellproductz.xyz
Unpacked files
SH256 hash:
82840459ae4c47338f1b1d9e31041c6a242778ae8f79e862b8398d0336d4a864
MD5 hash:
043ed1269d15bcb686f8a9e958cf2ebe
SHA1 hash:
ed5e515c4221ba4f6fcfca60fbace279e6b8f9da
Link:
https://www.unpac.me/results/ab2a5666-6af3-4305-980f-de7cec5d9f11/
SH256 hash:
87875da08c30ee79c98b6f1a43274f1c352c885453ffef313618be7a429a6a06
MD5 hash:
87601c28bb5eb421590aad32e3b96ba2
SHA1 hash:
8438912e460b4491516a174ee09b74fd64496d0b
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/ab2a5666-6af3-4305-980f-de7cec5d9f11/
SH256 hash:
b37657dd1322d1f828f45571b1bc822922258bdb31ab829e506db36915bc6600
MD5 hash:
bf2a8c497a96a166e7c2825915d0c823
SHA1 hash:
3e21ecb3ca496e1a5362eb3eb43c67a962ae3a53
Link:
https://www.unpac.me/results/ab2a5666-6af3-4305-980f-de7cec5d9f11/
SH256 hash:
6fef8420a8bd6a90cfe7ac8aeb0e3811422b9b6cb9e0b14ea03f5236438f72ba
MD5 hash:
10c7772f435231d58046e0dc34def127
SHA1 hash:
38c8f9ffb5136848d62582ef41bab6c810121c74
Link:
https://www.unpac.me/results/ab2a5666-6af3-4305-980f-de7cec5d9f11/
SH256 hash:
f7d272daf3522f99ca67b99bfe557564baba239104c7f20cef842f2e870bdf28
MD5 hash:
cceaca53d81061c0f1c6cf35ca7bf34b
SHA1 hash:
23ba45b249e0e4bdc5a8d4b4b07e2f7509cf85be
Link:
https://www.unpac.me/results/ab2a5666-6af3-4305-980f-de7cec5d9f11/
SH256 hash:
9895bb45438484629059895f9a1eede851a6a0e33ea8d9fd4a452500e01c2ee5
MD5 hash:
c71ab91fdc1c2b65b4a6af5a920a10e0
SHA1 hash:
226acf3605782b9c080573fb7ec16312ec1bfa86
Link:
https://www.unpac.me/results/ab2a5666-6af3-4305-980f-de7cec5d9f11/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9895bb454384/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9895bb45438484629059895f9a1eede851a6a0e33ea8d9fd4a452500e01c2ee5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe 9895bb45438484629059895f9a1eede851a6a0e33ea8d9fd4a452500e01c2ee5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1619115/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193300/

Comments