MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9bacacd8c4ca9d0988463b02247e4508c912b0d18f20dbdb4132ddea7714c96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 10


Intelligence 10 IOCs 7 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9bacacd8c4ca9d0988463b02247e4508c912b0d18f20dbdb4132ddea7714c96
SHA3-384 hash: cd0a023dbdf1e0c98b2581ccc6c0edf5a5f06b753b713b2ca471c4db9db135cd818fe4d7eb1827eac9bee8619fbe35d7
SHA1 hash: cf442a0d649651dbc3d1e35e1803e47669be7d15
MD5 hash: d1cc5570d785b34724fa0682a6071227
humanhash: rugby-california-idaho-hamper
File name:PFL4501030741000xls.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:477'696 bytes
First seen:2021-06-24 09:05:51 UTC
Last seen:2021-06-24 09:45:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:TfKqMjcAySxsG9pnIGDO1TZQcX0PU/K1t:eFYSxZT+lZxX0H
Threatray 13 similar samples on MalwareBazaar
TLSH 69A44B2E16F1AB7EFA4AD2BB10C54D101EA4AD61BDC9F80EB7BE1D515F10918FE03942
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://195.133.40.152/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://195.133.40.152/6.jpg https://threatfox.abuse.ch/ioc/152880/
http://195.133.40.152/1.jpg https://threatfox.abuse.ch/ioc/152881/
http://195.133.40.152/2.jpg https://threatfox.abuse.ch/ioc/152882/
http://195.133.40.152/3.jpg https://threatfox.abuse.ch/ioc/152883/
http://195.133.40.152/4.jpg https://threatfox.abuse.ch/ioc/152884/
http://195.133.40.152/5.jpg https://threatfox.abuse.ch/ioc/152885/
http://195.133.40.152/7.jpg https://threatfox.abuse.ch/ioc/152886/

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PFL4501030741000xls.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-24 09:09:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/92e751a5-c4e0-4870-b546-2386740a38c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167942/
Detection(s):
SecuriteInfo.com.Variant.Bulz.532662.22805.12447.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6177a2c-eea5-4a3b-8800-94dfcc2c694f
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807335
Signature
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439746 Sample: PFL4501030741000xls.exe Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 8 other signatures 2->47 8 PFL4501030741000xls.exe 9 2->8         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\task.exe, PE32 8->23 dropped 25 C:\Users\user\...\PFL4501030741000xls.exe, PE32 8->25 dropped 27 C:\Users\user\...\task.exe:Zone.Identifier, ASCII 8->27 dropped 29 2 other malicious files 8->29 dropped 49 Creates an undocumented autostart registry key 8->49 51 Writes to foreign memory regions 8->51 53 Injects a PE file into a foreign processes 8->53 12 PFL4501030741000xls.exe 193 8->12         started        signatures5 process6 dnsIp7 39 195.133.40.152, 49725, 80 SPD-NETTR Russian Federation 12->39 31 C:\ProgramData\vcruntime140.dll, PE32 12->31 dropped 33 C:\ProgramData\sqlite3.dll, PE32 12->33 dropped 35 C:\ProgramData\softokn3.dll, PE32 12->35 dropped 37 4 other files (none is malicious) 12->37 dropped 55 Multi AV Scanner detection for dropped file 12->55 57 Machine Learning detection for dropped file 12->57 59 Tries to harvest and steal browser information (history, passwords, etc) 12->59 61 Tries to steal Crypto Currency Wallets 12->61 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9bacacd8c4ca9d0988463b02247e4508c912b0d18f20dbdb4132ddea7714c96/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 09:06:21 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xg5mvtmmjsu5bgeemoycer7ekcgjckynddza3pnucmw55j3rjsla._file
Verdict:
unknown
Similar samples:
17eac9b848711f3464eb21c8690c40ea3adfab56a98fff0741c30740298600da
OskiStealer
2664162d0341d8e5cf1cf3a290b77406d87111e3c9ff3fcf3a4f0836d15d3afe
OskiStealer
34189b707357341fdac1882ea7a727bad321fe30593396803da601c45def63ad
OskiStealer
45f36d853c48255cd05c836428f3c708bb9e9ee407d5b6f17a8815ffbd0bd186
OskiStealer
6a9e4f5dfdeda56d0151d01880899d9241815a35892ed87b8b65d44fecc9ba2f
OskiStealer
6df6d6a87c5379996b0b9594577167a3729e0eeea1f94c6e5ac1b78689d08292
OskiStealer
7124d39ff6581badebf4f2714f66ad9ec85528217f489e6e83922bc75a6ba271
OskiStealer
931b74dae99d57d93b21fb72c0da9184b83e04f95e024e9a7990a6c57a73ac7e
OskiStealer
9fd1365171b6855e5859a522a4642ae8c558e26ac2792a11b19a6a0ed8361c7b
OskiStealer
ec6609022ecc725ca1b77d8e968d79cda6beedc90c3480c7fc0ca8682a40269c
OskiStealer
+ 3 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210624-6wdmx8gmve/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
195.133.40.152
Unpacked files
SH256 hash:
8a063388bb097ebd65b5fc7b9a6cbf16326095028f4d97991d508fe892fb4bf3
MD5 hash:
7584c2693928f68bf62192f69c139b00
SHA1 hash:
f549b581ef86a8936aa193e6075cdc22f2e35bff
Link:
https://www.unpac.me/results/6891fee8-3051-474f-b8aa-7dfb4913e418/
SH256 hash:
5e09fc328551ab45b23a40b373eda8b6cc9d277fb2cd27f755095eac042496f7
MD5 hash:
6eeb2a4ec76cd2d6c80d0741695148be
SHA1 hash:
e54314f0aae4e1559f1c0a4a5c992c0d97655331
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/6891fee8-3051-474f-b8aa-7dfb4913e418/
Parent samples :
e608103988cf08ff222081097df51d1f5c57ef507e41e212e6769dfb17f58e36
b9bacacd8c4ca9d0988463b02247e4508c912b0d18f20dbdb4132ddea7714c96
SH256 hash:
4f6b5ffcf62f4ee553ab39fc216f620bcdbb7d420852e29f7e2a714ccef3c7d8
MD5 hash:
1f81d1177c5c4ac707a9e261e480bc81
SHA1 hash:
6b1cc8389a367733c6e3bd4552b737342f2a0040
Link:
https://www.unpac.me/results/6891fee8-3051-474f-b8aa-7dfb4913e418/
SH256 hash:
b9bacacd8c4ca9d0988463b02247e4508c912b0d18f20dbdb4132ddea7714c96
MD5 hash:
d1cc5570d785b34724fa0682a6071227
SHA1 hash:
cf442a0d649651dbc3d1e35e1803e47669be7d15
Link:
https://www.unpac.me/results/6891fee8-3051-474f-b8aa-7dfb4913e418/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9bacacd8c4ca9d0988463b02247e4508c912b0d18f20dbdb4132ddea7714c96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167942/

Comments