MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1b4adb57471b463700ab48f81cd2550270fac73e0c1a95366fdc4380d15a659. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 12

Intelligence 12 IOCs 7 YARA 3 File information Comments

SHA256 hash:	b1b4adb57471b463700ab48f81cd2550270fac73e0c1a95366fdc4380d15a659
SHA3-384 hash:	bfd4de87f809aa4da388071ae7f767439b383a942aaf7150e187d8b14b757c245dcb15a1401fc81983c03daac9058bc4
SHA1 hash:	3d9e3331f558962d5fbbab68f8a9dcca0b31bb6f
MD5 hash:	458ad2463c8a61f37ce0c256d5d824e0
humanhash:	south-leopard-connecticut-magnesium
File name:	183-60005400R revA.exe
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	457'965 bytes
First seen:	2021-07-26 13:50:30 UTC
Last seen:	2021-07-26 15:01:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d4cc1601fd324eebfdf856765dda2bd4 (3 x Formbook, 1 x SnakeKeylogger, 1 x RemcosRAT)
ssdeep	12288:efiUDGoIgDSiJc8uFxhSGeFSkVKNA9iMVLF1qHYfpRY80HiN433FLNNNNNNNNNNb:5QjJcJiGegkVIGLF1q4fpRY80HiN433h
Threatray	1'989 similar samples on MalwareBazaar
TLSH	T196A4F16974D1C872C87628311CF5C6B2292DBD321B719A9F639827395E212E39318F7F
dhash icon	f9f8c0c0c0c0c0c0 (2 x OskiStealer)
Reporter	abuse_ch
Tags:	exe OskiStealer

abuse_ch

OskiStealer C2:
http://evakark.xyz/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://evakark.xyz/6.jpg	https://threatfox.abuse.ch/ioc/162936/
http://evakark.xyz/1.jpg	https://threatfox.abuse.ch/ioc/162937/
http://evakark.xyz/2.jpg	https://threatfox.abuse.ch/ioc/162938/
http://evakark.xyz/3.jpg	https://threatfox.abuse.ch/ioc/162939/
http://evakark.xyz/4.jpg	https://threatfox.abuse.ch/ioc/162940/
http://evakark.xyz/5.jpg	https://threatfox.abuse.ch/ioc/162941/
http://evakark.xyz/7.jpg	https://threatfox.abuse.ch/ioc/162942/

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

183-60005400R revA.exe

Verdict:

Malicious activity

Analysis date:

2021-07-26 14:02:02 UTC

Tags:

trojan stealer vidar phishing

Link:

https://app.any.run/tasks/e1095eba-cda3-4390-b8b2-a09c000c2b37

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/174153/

Detection(s):

SecuriteInfo.com.Artemis458AD2463C8A.15643.26199.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

DNS request

Connection attempt

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/59597026-b45f-4d3e-abe0-f001c03c56ca

Result

Threat name:

Oski Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821819

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Downloads files with wrong headers with respect to MIME Content-Type

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Posts data to a JPG file (protocol mismatch)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2021-07-26 13:12:26 UTC

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wg2k3nluog2gg4akwshydtjfkatq7ldt4da2su3g7xcdqdivuzmq._file

Verdict:

malicious

OskiStealer

2efb273760c5f443d4fc9269ba66f258debf0d9c68ca5172a2d947a39fefe148

OskiStealer

3c66ae164f1823585301787debf4ac1a78eeff71ce7dd70f5b6e3ff8b50e7555

OskiStealer

42ca09428f55c746db7b893f0ae4abdd56343e6aa37e59b482d82039841ab4c3

OskiStealer

4f1bded2f0d6d077f672506e9a3ab5f4021a0a1a579e0b00d2773cd44199b813

OskiStealer

827a8b72cc614c417de4dadb9afcc2f89999c38774ae808b8297929aeaf5aa97

OskiStealer

841a9afb39d8f6d7262af9e44b8f94910c4b219d7b8353e3e10d869dc3fb62f0

OskiStealer

a880e6f25d99f5bebe3ef7becdc1d1c0496c4dbd5502233bd4d1f173f753e00f

OskiStealer

b77cc5e7045b42da624e017d2d542cc8165e920671cff068c86ea481350dff17

OskiStealer

d0d9b227fbb62d92ca026a3464966a1442d55a30cb11ed498c89b8e625bf2aac

OskiStealer

+ 1'979 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210726-rew2v4rq86/

Behaviour

Kills process with taskkill

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Oski

Malware Config

C2 Extraction:

evakark.xyz

Unpacked files

SH256 hash:

69ac4667c38cc5f08ed01c3a6a8930b31738d74bfc8b7ec0642bf298c1c40bb3

MD5 hash:

1184ce7616e75754536f7468440f12bb

SHA1 hash:

34c6641b47a5efa0934d73466abe83c42b2ee6ed

Detections:

win_oski_g0

win_oski_auto

Link:

https://www.unpac.me/results/4977083d-a45c-4f0c-b7f6-36d99a0754b4/

Parent samples :

b1b4adb57471b463700ab48f81cd2550270fac73e0c1a95366fdc4380d15a659
90a9ef1c549a9f2646f6c603e27570832f371d25d2fc4b967c96f55fa034e557

SH256 hash:

b1b4adb57471b463700ab48f81cd2550270fac73e0c1a95366fdc4380d15a659

MD5 hash:

458ad2463c8a61f37ce0c256d5d824e0

SHA1 hash:

3d9e3331f558962d5fbbab68f8a9dcca0b31bb6f

Link:

https://www.unpac.me/results/4977083d-a45c-4f0c-b7f6-36d99a0754b4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1b4adb57471b463700ab48f81cd2550270fac73e0c1a95366fdc4380d15a659

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_oski_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.oski.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/174153/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample