MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd85d30840bc092fb71a2dcba02260d06925468adfa5bf239248f1fb159e7a9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 9

Intelligence 9 IOCs 7 YARA 2 File information Comments

SHA256 hash:	bd85d30840bc092fb71a2dcba02260d06925468adfa5bf239248f1fb159e7a9f
SHA3-384 hash:	ab48798aaecf9f23341eef3597cadc19090238f37ccab6d3736294909393acef20748f2df0011fd4de29206140941a60
SHA1 hash:	5563f10366f61f04182f0564a823d2eb172a8c32
MD5 hash:	363c4cea3a99747da37106372dd25559
humanhash:	echo-lima-iowa-sad
File name:	Purchase Order N0 6604493.scr.exe
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	1'083'904 bytes
First seen:	2021-07-06 09:00:55 UTC
Last seen:	2021-07-06 09:40:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:DKPbaIMVjLz7T5FDiOcen3gVZsZZZsZYwHoqYtXiiux1Q9AqQEJ81h/z4tCyVxfn:ziOrwsii4CJ8v/zAVxfKEQaPJ
Threatray	1'666 similar samples on MalwareBazaar
TLSH	78359E35A1B28FD5EC7FC7394B31351C4FE9A67AD217FAB86C9460890490B414B72A2F
Reporter	abuse_ch
Tags:	exe OskiStealer

abuse_ch

OskiStealer C2:
http://195.133.40.225/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://195.133.40.225/6.jpg	https://threatfox.abuse.ch/ioc/157874/
http://195.133.40.225/1.jpg	https://threatfox.abuse.ch/ioc/157875/
http://195.133.40.225/2.jpg	https://threatfox.abuse.ch/ioc/157876/
http://195.133.40.225/3.jpg	https://threatfox.abuse.ch/ioc/157877/
http://195.133.40.225/4.jpg	https://threatfox.abuse.ch/ioc/157878/
http://195.133.40.225/5.jpg	https://threatfox.abuse.ch/ioc/157879/
http://195.133.40.225/7.jpg	https://threatfox.abuse.ch/ioc/157880/

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order N0 6604493.scr.exe

Verdict:

Malicious activity

Analysis date:

2021-07-06 09:02:45 UTC

Tags:

trojan stealer vidar loader

Link:

https://app.any.run/tasks/1ebf9e2f-e1ae-4971-96a2-1844dd285419

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/169919/

Detection(s):

SecuriteInfo.com.Malware.AI.2742560324.30044.8727.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/afa2795c-7e6f-4161-a726-51ac4329356e

Result

Threat name:

Oski Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/812151

Signature

Downloads files with wrong headers with respect to MIME Content-Type

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Posts data to a JPG file (protocol mismatch)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd85d30840bc092fb71a2dcba02260d06925468adfa5bf239248f1fb159e7a9f/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-06 09:01:18 UTC

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xwc5gccaxqes7ny2fxf2aita2buskruk36s36i4sjdy7wfm6pkpq._file

Verdict:

malicious

OskiStealer

0768e83e8d36f21ea90867dcf3935ee48795daf2e4a0017979e752b865c95d9e

OskiStealer

12f5634cd28b25f6dcde9a1d7902d64ab4ded48b50e06e4ec0f583e03a156125

OskiStealer

138ccd9e494958214619110418407a634db9d8b073be4ffcd7d23083b58fb945

OskiStealer

37f96df377557cad9bdb2caa4064bbf4dd862e935a64e1d802d445358695e15c

OskiStealer

3cabdecbde62bcbd0f3528e45decf78d85e1b1d827a9cd19bb3cc1371d0cacae

OskiStealer

3e7063017d638a0ae77d3576ffe9fc6c2c8e48235e010b35b697eb944c79cad1

OskiStealer

5f55898f4f260025ec6507f92ed128dcd90f5f83d14b507282352f4c79fb71bc

OskiStealer

b2454961c84e927b086719e0bae8016bee823e17402fb0feca8bda4e63ff009c

OskiStealer

c41aa6d6eeac57851b0a00a619609ed764072881b85b7dad25ac30f2856eda43

OskiStealer

+ 1'656 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210706-gbgnf3lj26/

Behaviour

Checks processor information in registry

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Oski

Malware Config

C2 Extraction:

195.133.40.225

Unpacked files

SH256 hash:

6ff011d06cfa8f581413484a56ccfb08ac855e17aa24b23ef9c820f100c8f3e5

MD5 hash:

f00ffa81b0882fc7dd814c37d144017c

SHA1 hash:

b6bac21e08e7efc47881685dfab3a111ce336d67

Detections:

win_oski_g0

win_oski_auto

Link:

https://www.unpac.me/results/b08206af-4e2e-42a7-b5c4-64f2609990c8/

SH256 hash:

730d74e7ec528532a8db39b379f9fde3cafd16ddce496e06d3fd77fd74d2b6bd

MD5 hash:

684f81792a21022e96f23567c7c6278d

SHA1 hash:

94e126da715b116444a930f806da9874bd59642e

Link:

https://www.unpac.me/results/b08206af-4e2e-42a7-b5c4-64f2609990c8/

SH256 hash:

5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110

MD5 hash:

257ca10e5cbb2f8bdf0ae6f3e900e11e

SHA1 hash:

9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec

Link:

https://www.unpac.me/results/b08206af-4e2e-42a7-b5c4-64f2609990c8/

SH256 hash:

bd85d30840bc092fb71a2dcba02260d06925468adfa5bf239248f1fb159e7a9f

MD5 hash:

363c4cea3a99747da37106372dd25559

SHA1 hash:

5563f10366f61f04182f0564a823d2eb172a8c32

Link:

https://www.unpac.me/results/b08206af-4e2e-42a7-b5c4-64f2609990c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/bd85d30840bc092fb71a2dcba02260d06925468adfa5bf239248f1fb159e7a9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/169919/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample