MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2a66114f2afb03bd4087e7fc37d6c89ff7f3d3bd48d751dc9334a5a746f7c37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2a66114f2afb03bd4087e7fc37d6c89ff7f3d3bd48d751dc9334a5a746f7c37
SHA3-384 hash: f8d01ea12779d90083417be46a32212e59ac22a9d31375ffab087e9dba2ab4a54b27f0b678120164b31246188fdc0255
SHA1 hash: e447d424cccd2e632233f86d4b20c0718cc45fcd
MD5 hash: bb4489ef3af30a3f1ac77bca896285b3
humanhash: quiet-massachusetts-quiet-robert
File name:MT103_Swift-confirmation#4425-28373XXX.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:814'080 bytes
First seen:2021-04-12 08:34:29 UTC
Last seen:2021-04-12 09:55:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:MVzsxgkcHKyMDXpNEHWOx6//i8JrwOaBbKbx9h+YZjmPzLHDaLlPC9nMjvLek:Gzs4qyMDXnqCnvwxB6/hJtmv0vLek
Threatray 611 similar samples on MalwareBazaar
TLSH FC05D039A214ED11E7B80777CCA1D6341739BE66AF92D72E18E430AD6F72FF90416206
Reporter JAMESWT_WT
Tags:OskiStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MT103_Swift-confirmation#4425-28373XXX.exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 08:36:19 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/0273000c-ebf5-4a51-a89e-3d0159ff5bb3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133701/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.645.14164.29734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/672744
Signature
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2a66114f2afb03bd4087e7fc37d6c89ff7f3d3bd48d751dc9334a5a746f7c37/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 08:35:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wktgcfhsv6ydxvaipz74g7lmrh7x6pj32sgxkhojgnffu5dppq3q._file
Verdict:
malicious
Similar samples:
033741ca568e4e71a586be960e503415579b0520d2c9ecd298ed03becf406b9c
OskiStealer
3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5
OskiStealer
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
OskiStealer
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
OskiStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
OskiStealer
8959562f5a87f40b9c3917a98e10d68e2c459c8df9bdd9664f615af6d5b9959e
OskiStealer
b699a2766f106ff77377780bad431b72ef1748bf989e09f2b82fb73cf30cbde3
OskiStealer
c0ff93ef4930a7dc2d95a6ee490fecdddcbe946e479b1d4fdb47285245b28675
OskiStealer
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
OskiStealer
d40dedd7f637a1ef9703b582a6d536469d1cf62bddc1a462a9cceeb7f9194f13
OskiStealer
+ 601 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210412-g5l3lkfx36/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Oski
Unpacked files
SH256 hash:
5e0f3da625a479a5e7e807b5f09c889d95474139410b312ba3a39bcb05976729
MD5 hash:
3d20c2ea9ac04e1707f853bb1780bc18
SHA1 hash:
805e90b023eb92d44bbe11daefce6edbe872cb74
Link:
https://www.unpac.me/results/6ed7d64e-c2fc-45ac-9268-00278f15c51e/
SH256 hash:
b2a66114f2afb03bd4087e7fc37d6c89ff7f3d3bd48d751dc9334a5a746f7c37
MD5 hash:
bb4489ef3af30a3f1ac77bca896285b3
SHA1 hash:
e447d424cccd2e632233f86d4b20c0718cc45fcd
Link:
https://www.unpac.me/results/6ed7d64e-c2fc-45ac-9268-00278f15c51e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b2a66114f2afb03bd4087e7fc37d6c89ff7f3d3bd48d751dc9334a5a746f7c37

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133701/

Comments