MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2454961c84e927b086719e0bae8016bee823e17402fb0feca8bda4e63ff009c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs 7 YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2454961c84e927b086719e0bae8016bee823e17402fb0feca8bda4e63ff009c
SHA3-384 hash: 798f9aa75ac4dd869c0ae07175207f10b438885e093448ec15f400fc660681fc7231f1f253a93dfcc35281f5a9d4aac0
SHA1 hash: baf70f81c09d6772337359633f3424a78e3f607e
MD5 hash: 28884f9a28c69b5f39f066fef59392cb
humanhash: pizza-pennsylvania-indigo-stream
File name:TBBurmah Trading Co., Ltd - products inquiry .exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:626'688 bytes
First seen:2021-04-30 11:31:11 UTC
Last seen:2021-04-30 12:01:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'631 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:RrPf5OdFNxgGKrxGGjgZJJ+MIYndAorytpeZzxtsL/CJFVGW0PxGNdYX:V5sFSrxGGjgZJJx9AorUoZ3syOPx8da
Threatray 1'083 similar samples on MalwareBazaar
TLSH 58D4D01132DC9727E07D4B74182611B15FF2BE36EB25D61D7D5930C99AB3F028A22AB3
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://31.210.21.181/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://31.210.21.181/6.jpg https://threatfox.abuse.ch/ioc/26671/
http://31.210.21.181/1.jpg https://threatfox.abuse.ch/ioc/26672/
http://31.210.21.181/2.jpg https://threatfox.abuse.ch/ioc/26673/
http://31.210.21.181/3.jpg https://threatfox.abuse.ch/ioc/26674/
http://31.210.21.181/4.jpg https://threatfox.abuse.ch/ioc/26675/
http://31.210.21.181/5.jpg https://threatfox.abuse.ch/ioc/26676/
http://31.210.21.181/7.jpg https://threatfox.abuse.ch/ioc/26677/

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147380/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.688-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/704665
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates files in alternative data streams (ADS)
Detected Nanocore Rat
DLL reload attack detected
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 401258 Sample: TBBurmah Trading Co., Ltd -... Startdate: 30/04/2021 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 14 other signatures 2->86 10 TBBurmah Trading Co., Ltd - products inquiry .exe 3 2->10         started        14 mercy1.exe 2->14         started        16 mercy1.exe 2->16         started        process3 file4 58 TBBurmah Trading C...ts inquiry .exe.log, ASCII 10->58 dropped 104 Injects a PE file into a foreign processes 10->104 18 TBBurmah Trading Co., Ltd - products inquiry .exe 200 10->18         started        60 C:\Users\user\AppData\Local\Temp\mercy1.exe, PE32 14->60 dropped 62 C:\Users\user\...\mercy1.exe:Zone.Identifier, ASCII 14->62 dropped 106 Machine Learning detection for dropped file 14->106 23 mercy1.exe 14->23         started        25 mercy1.exe 16->25         started        signatures5 process6 dnsIp7 74 31.210.21.181, 49717, 80 PLUSSERVER-ASN1DE Netherlands 18->74 76 www.michaelgreis.org 18->76 78 michaelgreis.org 107.180.93.185, 49724, 80 AS-26496-GO-DADDY-COM-LLCUS United States 18->78 50 C:\Users\user\AppData\Local\...\mtth[1].exe, PE32 18->50 dropped 52 C:\ProgramData\735446645592.exe, PE32 18->52 dropped 54 C:\...\735446645592.exe:Zone.Identifier, ASCII 18->54 dropped 56 7 other files (none is malicious) 18->56 dropped 96 Creates files in alternative data streams (ADS) 18->96 98 Tries to harvest and steal browser information (history, passwords, etc) 18->98 100 Tries to steal Crypto Currency Wallets 18->100 27 735446645592.exe 4 9 18->27         started        31 cmd.exe 1 18->31         started        102 Machine Learning detection for dropped file 23->102 file8 signatures9 process10 file11 64 C:\Users\user\AppData\Local\mercy1.exe, PE32 27->64 dropped 66 C:\Users\user\AppData\...\735446645592.exe, PE32 27->66 dropped 68 C:\Users\user\...\mercy1.exe:Zone.Identifier, ASCII 27->68 dropped 70 2 other malicious files 27->70 dropped 108 Machine Learning detection for dropped file 27->108 110 Writes to foreign memory regions 27->110 112 Allocates memory in foreign processes 27->112 114 Injects a PE file into a foreign processes 27->114 33 735446645592.exe 9 27->33         started        38 wscript.exe 1 27->38         started        40 taskkill.exe 1 31->40         started        42 conhost.exe 31->42         started        signatures12 process13 dnsIp14 72 45.137.22.50, 4557, 49730, 49731 ROOTLAYERNETNL Netherlands 33->72 48 C:\Users\user\AppData\Roaming\...\run.dat, data 33->48 dropped 88 Machine Learning detection for dropped file 33->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->90 92 Wscript starts Powershell (via cmd or directly) 38->92 94 Adds a directory exclusion to Windows Defender 38->94 44 powershell.exe 38->44         started        file15 signatures16 process17 process18 46 conhost.exe 44->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2454961c84e927b086719e0bae8016bee823e17402fb0feca8bda4e63ff009c/
Threat name:
ByteCode-MSIL.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 11:32:14 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjcusyoij2jhwcdhdhqlv2abnpxiepqxiax3b7wkrpne4y77acoa._file
Verdict:
malicious
Similar samples:
25372a9d5205bae496a358c0d33c9f4f9a6e4f3daa00e693cc1df5721c8227fb
OskiStealer
37f96df377557cad9bdb2caa4064bbf4dd862e935a64e1d802d445358695e15c
OskiStealer
3aeccf51ec935646a4987a1683d5dd8a251d171d326041282759753e371dff4f
OskiStealer
604e8bce3d31f5e04fe9622cedeb0696a69b9cb7f262a9bb33009ede20df100a
OskiStealer
9b26547086a1489e5534452021694af3a565fe76926e671112be4852947a5d27
OskiStealer
9db40f7f060e08b2891dc881c6f6d1ea165b56747b4302fd96e53d8bd194d8d5
OskiStealer
a5c9be9bcb214e69a39285a634f95e43fdf1ad10536bcc9bce84be7edb48cb31
OskiStealer
cb24694242c1c1618678711184ab8abe6a1335d348f3549d2b568d99f793bf28
OskiStealer
db127ccf5ea69c0bc3888efe5ae2a532c5f5590a2f589f049139fcf63f5e8062
OskiStealer
fdd6b649413776c157e7029b545d9e47a62b9decd6b2a11ca1708fd4363945a8
OskiStealer
+ 1'073 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:oski discovery evasion infostealer keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210430-pfva4wrzbe/
Behaviour
Checks processor information in registry
Kills process with taskkill
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
NanoCore
Oski
Malware Config
C2 Extraction:
45.137.22.50:4557
127.0.0.1:4557
Unpacked files
SH256 hash:
11cf5a51e593c007ff4f91294cf505ffd5e425e56387c60d81e6479cc284cc3b
MD5 hash:
73cc3f7e7700e6a54cb5f291dffe5aa1
SHA1 hash:
09174f9fa55c9bac0540efb7a8c682878a32d02d
Link:
https://www.unpac.me/results/edef5e6a-4df8-42f2-98e4-77faec0b6d34/
SH256 hash:
b2454961c84e927b086719e0bae8016bee823e17402fb0feca8bda4e63ff009c
MD5 hash:
28884f9a28c69b5f39f066fef59392cb
SHA1 hash:
baf70f81c09d6772337359633f3424a78e3f607e
Link:
https://www.unpac.me/results/edef5e6a-4df8-42f2-98e4-77faec0b6d34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b2454961c84e927b086719e0bae8016bee823e17402fb0feca8bda4e63ff009c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147380/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 12:00:17 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection