MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a29e53d24618766608672bb9d74821104738c939bee4f6baf2b36151b0d1dc07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 9

SHA256 hash: a29e53d24618766608672bb9d74821104738c939bee4f6baf2b36151b0d1dc07
SHA3-384 hash: af3ffda9036a186cb2f65e8f2ce63885c5ce233e42a32383b436fbd9c41fa6b9963dd40f59ab24a43f88771161fa5356
SHA1 hash: 6a3a97f3caed0fe034b25c3741d0b3e47eac5b5a
MD5 hash: db39dd22ddb272a1022ce1c5dd933617
humanhash: whiskey-georgia-network-snake
File name: Waybill Document 22700456XX,pdf.exe
Signature: OskiStealer
File size: 903'680 bytes
First seen: 2021-05-20 15:04:55 UTC
Last seen: 2021-05-20 21:22:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3e8a518ae58159a44bd8bc83008aa8aa (1 x OskiStealer, 1 x Loki, 1 x RemcosRAT)
ssdeep: 12288:9S80SbYOAD65QF6ofEwawyWCqGjUwudw1239PadHiomSD1zmEyCiomjNs:93VbRAQQF78waJqqtGoOAHaCCs
Threatray: 1'472 similar samples on MalwareBazaar
TLSH: 7C15AE22B2414436C17A1E389C1B66B69E35BF31AD18946B37F53D0CBF356A13E292C7
Reporter: lowmal3
Tags: OskiStealer
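The record above gives four digests, a size and a reported file name. The name is the weakest of these: it ends in ",pdf.exe" (a comma standing in for the dot of a double-extension lure) and the sandbox upload further down was named ",pdf.cab", so name matching alone proves nothing, while any one of the digests is conclusive. The following script is an added example, not MalwareBazaar's code, that hashes an attachment, compares it with the digests copied from this entry, and flags the two name-versus-content tells an analyst checks first (document-looking name with an executable extension, MZ header under a non-executable name). The extension sets and the byte string used in place of the real sample are constructed for the example.

```python
"""Triage an e-mail attachment against the MalwareBazaar record above.

Added example (not MalwareBazaar's code). The hashes, size and file name are
copied from the entry; the sample bytes are not included, so a constructed
byte string stands in for the attachment in the usage at the bottom.
"""
import hashlib
import re
from typing import Dict

# Indicators copied from the entry above.
EXPECTED_HASHES = {
    "sha256": "a29e53d24618766608672bb9d74821104738c939bee4f6baf2b36151b0d1dc07",
    "sha3_384": "af3ffda9036a186cb2f65e8f2ce63885c5ce233e42a32383b436fbd9c41fa6b9963dd40f59ab24a43f88771161fa5356",
    "sha1": "6a3a97f3caed0fe034b25c3741d0b3e47eac5b5a",
    "md5": "db39dd22ddb272a1022ce1c5dd933617",
}
EXPECTED_SIZE = 903680
EXPECTED_NAME = "Waybill Document 22700456XX,pdf.exe"

# Assumed extension sets for the lure check; extend to taste.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute the four digests MalwareBazaar lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file on disk, streamed so large samples need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in EXPECTED_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_matches(observed: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm comparison against the record; hex case is normalised."""
    return {name: observed.get(name, "").lower() == digest
            for name, digest in EXPECTED_HASHES.items()}


def is_known_sample(observed: Dict[str, str]) -> bool:
    """True only when every listed digest agrees; one mismatch means a different file."""
    return all(hash_matches(observed).values())


def lure_extension(filename: str) -> bool:
    """Document-looking name that really ends in an executable extension.

    Catches the usual 'invoice.pdf.exe' and the comma variant seen in this entry,
    'Waybill Document 22700456XX,pdf.exe', where the comma stands in for the dot.
    """
    m = re.search(r"[.,]\s*([a-z0-9]{2,4})\s*\.([a-z0-9]{2,4})$", filename.lower())
    if not m:
        return False
    inner, outer = m.groups()
    return inner in DOCUMENT_EXT and outer in EXECUTABLE_EXT


def is_pe(data: bytes) -> bool:
    """Cheap MZ-header check (the entry reports MIME type application/x-dosexec)."""
    return data[:2] == b"MZ"


def triage(filename: str, data: bytes) -> dict:
    """Combine the checks into one report for an analyst; no verdict is implied."""
    observed = hash_bytes(data)
    exe_suffixes = tuple("." + ext for ext in EXECUTABLE_EXT)
    return {
        "sha256": observed["sha256"],
        "known_sample": is_known_sample(observed),
        "size_matches": len(data) == EXPECTED_SIZE,
        "double_extension_lure": lure_extension(filename),
        "pe_with_non_exe_name": is_pe(data) and not filename.lower().endswith(exe_suffixes),
    }


if __name__ == "__main__":
    # Constructed stand-in for an attachment: a bare MZ header, not the real sample.
    fake_attachment = b"MZ" + b"\x00" * 62
    print(triage(EXPECTED_NAME, fake_attachment))
```

For a file on disk, pass `hash_file(path)` to `is_known_sample`; SHA-256 alone is enough to identify the sample, and the MD5 and SHA1 values are kept only because older feeds still key on them.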

Intelligence


File Origin
# of uploads: 2
# of downloads: 92
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Waybill Document 22700456XX,pdf.cab
Verdict: Malicious activity
Analysis date: 2021-05-20 13:21:52 UTC
Tags: trojan stealer vidar loader evasion

Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions taken during the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Replacing files
Delayed writing of the file
Sending an HTTP GET request
Changing the Zone.Identifier stream
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Unauthorized injection to a recently created process
Stealing user critical data
Launching a tool to kill processes
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-05-20 15:05:13 UTC
AV detection: 14 of 29 (48.28%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:oski family:snakekeylogger discovery infostealer keylogger spyware stealer
Behaviour
Checks processor information in registry
Kills process with taskkill
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Oski
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
45.133.1.223
https://api.telegram.org/bot1761516426:AAE3Juu_v6fG9Gy1S33LdTvyz85ua-duZsk/sendMessage?chat_id=1727399585
Please note that we are no longer able to provide a coverage score for VirusTotal.
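The C2 extraction above yields two network indicators: a bare IP and a Telegram Bot API URL whose path embeds the operator's bot token and whose query carries the chat ID. The vendor outputs on this page disagree on the family (OskiStealer signature, "vidar" in the ANY.RUN tags, snakekeylogger in the result the URL was extracted from), but the indicators themselves are exact regardless of the label. The token is the part worth matching on: api.telegram.org is also used by legitimate bots, so a hostname-only rule produces noise, whereas the token identifies this sample's exfiltration channel. The script below is an added example, not MalwareBazaar's code; the proxy log format and the log lines are constructed for it (space-separated timestamp, source IP, destination IP, method, URL), with 203.0.113.0/24 and example.com as documentation placeholders.

```python
"""Match proxy log lines against the C2 indicators extracted above.

Added example (not MalwareBazaar's code). The IP and Telegram URL are copied
from the C2 Extraction block; the log format and the log lines are constructed
for this example (space-separated: timestamp, source IP, destination IP, method, URL).
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Copied from the entry above.
C2_IP = "45.133.1.223"
C2_URL = ("https://api.telegram.org/bot1761516426:AAE3Juu_v6fG9Gy1S33LdTvyz85ua-duZsk"
          "/sendMessage?chat_id=1727399585")

_parts = urlsplit(C2_URL)
C2_BOT_TOKEN = _parts.path.split("/")[1][len("bot"):]   # "<bot id>:<secret>"
C2_CHAT_ID = parse_qs(_parts.query)["chat_id"][0]

# Any Telegram Bot API call: token is "<digits>:<secret>", followed by the method name.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")

# Constructed log lines; 203.0.113.0/24 and example.com are documentation placeholders.
SAMPLE_LOG = """\
2021-05-20T15:10:02Z 10.0.0.15 203.0.113.10 GET http://example.com/index.html
2021-05-20T15:10:05Z 10.0.0.15 45.133.1.223 GET http://45.133.1.223/
2021-05-20T15:10:09Z 10.0.0.15 203.0.113.5 POST https://api.telegram.org/bot1761516426:AAE3Juu_v6fG9Gy1S33LdTvyz85ua-duZsk/sendMessage?chat_id=1727399585
2021-05-20T15:11:00Z 10.0.0.22 203.0.113.5 GET https://api.telegram.org/bot999:othertoken/getMe
"""


def classify(line: str) -> Optional[dict]:
    """Return the indicators a single log line hits, or None when it hits nothing."""
    fields = line.split()
    if len(fields) < 5:
        return None
    ts, src, dst, _method, url = fields[:5]
    hits: List[str] = []
    if dst == C2_IP or urlsplit(url).hostname == C2_IP:
        hits.append("known_c2_ip")
    m = TELEGRAM_BOT_RE.search(url)
    if m:
        token, _api_method = m.groups()
        if token == C2_BOT_TOKEN:
            hits.append("known_c2_bot_token")   # exact: this sample's exfiltration channel
        else:
            hits.append("telegram_bot_api")     # generic: any bot, a hunting lead only
        chat_id = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
        if chat_id == C2_CHAT_ID:
            hits.append("known_c2_chat_id")
    if not hits:
        return None
    return {"ts": ts, "src": src, "indicators": hits}


def scan(log_text: str) -> List[dict]:
    """Run classify over every line and keep only the hits."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The generic `telegram_bot_api` hit is deliberately separated from the exact token and chat-ID hits so a rule built on this can block or alert on the first two and only log the third for review.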

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam
OskiStealer
Executable exe a29e53d24618766608672bb9d74821104738c939bee4f6baf2b36151b0d1dc07 (this sample)

Delivery method: Distributed via e-mail attachment
