MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a996cb18e61a3ac99ec0317bd0738d05e3e90b8982e6ef9271d268586647e253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a996cb18e61a3ac99ec0317bd0738d05e3e90b8982e6ef9271d268586647e253
SHA3-384 hash: 4ad47c06fdba74f9586f5d3271a8163b6645941d703662e474558047df7ca69384174ccc4cfc085cf02fc9f38307deea
SHA1 hash: 5a74e88b9ad8d7e5d30bad8f01d12ff3b7d34e20
MD5 hash: bcd89320adf5c8665a94f80ab28f7f76
humanhash: twenty-enemy-monkey-alaska
File name:bcd89320adf5c8665a94f80ab28f7f76.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:836'224 bytes
First seen:2021-05-25 14:15:26 UTC
Last seen:2021-05-25 15:07:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ce36334df24b9b0e96702a83ffba1af (3 x RemcosRAT, 3 x Formbook, 1 x OskiStealer)
ssdeep 12288:Sq/664+YlIpVmBVMuYl/lnu6ZerpObSVE9QkrhQd8Nsq:Sq/6H8mBVmkCEpObVq2sq
Threatray 1'275 similar samples on MalwareBazaar
TLSH 84059E22F29904F7C5A7AE38AC1B5765A939BE702D14559377FA3C0C8F3A39139242D3
Reporter abuse_ch
Tags:exe OskiStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2421c4d0_by_Libranalysis
Verdict:
Malicious activity
Analysis date:
2021-05-25 09:19:39 UTC
Tags:
exploit CVE-2017-11882 trojan stealer vidar loader
Link:
https://app.any.run/tasks/7cedc9c6-80dc-4732-a809-199f3782b518

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/161994/
Detection(s):
SecuriteInfo.com.Trojan-Downloader00577dce1.11393.19588.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Replacing files
Delayed writing of the file
Sending an HTTP GET request
Changing the Zone.Identifier stream
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Unauthorized injection to a recently created process
Stealing user critical data
Launching a tool to kill processes
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Oski Snake Keylogger Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791718
Signature
.NET source code contains very large strings
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected Oski Stealer
Yara detected Snake Keylogger
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 424114 Sample: Dr2roEBoQA.exe Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 64 Found malware configuration 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected Snake Keylogger 2->68 70 11 other signatures 2->70 8 Dr2roEBoQA.exe 17 2->8         started        process3 dnsIp4 44 pqyyhg.bl.files.1drv.com 8->44 46 onedrive.live.com 8->46 48 bl-files.fe.1drv.com 8->48 78 Detected unpacking (changes PE section rights) 8->78 80 Detected unpacking (overwrites its own PE header) 8->80 82 Injects a PE file into a foreign processes 8->82 12 Dr2roEBoQA.exe 200 8->12         started        signatures5 process6 dnsIp7 50 195.133.40.80, 49731, 80 SPD-NETTR Russian Federation 12->50 52 www.almacigoschile.cl 12->52 54 almacigoschile.cl 190.107.177.247, 49732, 80 SOCCOMERCIALWIRENETCHILELTDACL Chile 12->54 30 C:\Users\user\...\BtyHsvndm4z0Q2N[1].exe, PE32 12->30 dropped 32 C:\ProgramData\416940471710.exe, PE32 12->32 dropped 34 C:\...\416940471710.exe:Zone.Identifier, ASCII 12->34 dropped 36 7 other files (none is malicious) 12->36 dropped 84 Creates files in alternative data streams (ADS) 12->84 86 Tries to harvest and steal browser information (history, passwords, etc) 12->86 88 Tries to steal Crypto Currency Wallets 12->88 17 416940471710.exe 3 12->17         started        20 cmd.exe 1 12->20         started        file8 signatures9 process10 signatures11 56 Multi AV Scanner detection for dropped file 17->56 58 May check the online IP address of the machine 17->58 60 Machine Learning detection for dropped file 17->60 62 Injects a PE file into a foreign processes 17->62 22 416940471710.exe 15 2 17->22         started        26 taskkill.exe 1 20->26         started        28 conhost.exe 20->28         started        process12 dnsIp13 38 checkip.dyndns.org 22->38 40 checkip.dyndns.com 216.146.43.70, 49734, 49735, 80 DYNDNSUS United States 22->40 42 freegeoip.app 104.21.19.200, 443, 49736 CLOUDFLARENETUS United States 22->42 72 Tries to steal Mail credentials (via file access) 22->72 74 Tries to harvest and steal ftp login credentials 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a996cb18e61a3ac99ec0317bd0738d05e3e90b8982e6ef9271d268586647e253/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 13:53:54 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vglmwghgdi5mthwagf55a44naxr6sc4jqlto7etr2jufqzsh4jjq._file
Verdict:
malicious
Similar samples:
1860347130f68ba0d084750816ca0fc532b8647d89e36ff53c0355e73a46d332
OskiStealer
2b3f661e6165b5a63130acb2509821a895f0eee94e7af31fdd6abd32db3ab687
OskiStealer
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
OskiStealer
4802297e2a410305aa78c2fec920bfa3948b9cf43c644768238fd664ca660f02
OskiStealer
606367b05183c5ec1e848241849a990f6b47a3d25f0228da2efd9f6c8a14a8ea
OskiStealer
916bd03b40de6bfa498311e3a70d3e98c50e8255fd413d446daab77951224856
OskiStealer
a29e53d24618766608672bb9d74821104738c939bee4f6baf2b36151b0d1dc07
OskiStealer
a3ef4500e9f5f2447d55de102e2529a62b48f644b03d22199ce5c69c0ca57c88
OskiStealer
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
OskiStealer
edb5b2e40ba1596106785ac718cbb576310e3c05674a5db31189f4a1dc753677
OskiStealer
+ 1'265 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:oski family:snakekeylogger discovery infostealer keylogger spyware stealer
Link:
https://tria.ge/reports/210525-kgql6e11zn/
Behaviour
Checks processor information in registry
Kills process with taskkill
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Oski
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
195.133.40.80
https://api.telegram.org/bot1761516426:AAE3Juu_v6fG9Gy1S33LdTvyz85ua-duZsk/sendMessage?chat_id=1727399585
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a996cb18e61a3ac99ec0317bd0738d05e3e90b8982e6ef9271d268586647e253

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe a996cb18e61a3ac99ec0317bd0738d05e3e90b8982e6ef9271d268586647e253

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1282456/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/161994/

Comments