MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ab06dad5958032d92be8b54abfd84e4a7828df3accffca30a459ad3a87ff4ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer
Vendor detections: 8

SHA256 hash: 9ab06dad5958032d92be8b54abfd84e4a7828df3accffca30a459ad3a87ff4ec
SHA3-384 hash: 31e686974376122c0bff5469aef7de50a0c1ac8c09b848805d6e4f0cfb95991168c7d510b2e6165dd643e38e58e4e9be
SHA1 hash: f577719e9b25aa48f92d2cef8a0c22390b96dc86
MD5 hash: 1b744789533dee1e231fd8d997e997eb
humanhash: sierra-sierra-island-sixteen
File name: Arabic letter .ppt
Signature: OskiStealer
File size: 216'576 bytes
First seen: 2021-07-07 09:55:17 UTC
Last seen: 2021-07-07 10:44:19 UTC
File type: PowerPoint file ppt
MIME type: application/vnd.ms-powerpoint
ssdeep: 1536:Dz7xxUvV7CqTMaciS0BC6/FO4mKdsIHeVPbsFmKNc9nH1V:73UvV7CqTMa1SIpNE47e9j
TLSH: 1A2441197057C15FC6A80E354C9ADBF63B31BD029D8AA20731A47B6E7DBF640DB02687
Reporter: _Clevero
Tags: ppt


_Clevero
Subject: RE: Arabic letters for transfer of 30% as down payment (After bank amendments).

Intelligence

File Origin
# of uploads: 2
# of downloads: 214
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Arabic letter .ppt
Verdict: Malicious activity
Analysis date: 2021-07-07 09:57:37 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro

Result
Verdict: MALICIOUS
Details: Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Result
Threat name: Unknown
Detection: malicious
Classification: evad.expl
Score: 88 / 100
Signatures:
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes registry values via WMI
Result
Threat name: Script-Macro.Trojan.Valyria
Status: Malicious
First seen: 2021-07-07 03:21:43 UTC
AV detection: 9 of 46 (19.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:oski infostealer macro spyware
Behaviour:
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Oski
Process spawned unexpected child process
Malware Config
C2 Extraction: 103.153.76.164/we/blac/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: OskiStealer
PowerPoint file ppt 9ab06dad5958032d92be8b54abfd84e4a7828df3accffca30a459ad3a87ff4ec (this sample)

Delivery method: Distributed via e-mail attachment
