MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7
SHA3-384 hash: 2a045a863f791c4424840d5fd2a2254063766279ff900944b91bb8f27297cbc1d35f838187586740f2e6ae70e7e99c4d
SHA1 hash: 0190b8be28d87e6b59a7b1b1d0d0cb78a199b9d6
MD5 hash: 8e771b25550073599c67601bad91b7b4
humanhash: mars-oregon-stream-pip
File name:8e771b25550073599c67601bad91b7b4.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:1'041'408 bytes
First seen:2021-07-30 06:14:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Q+FuI0ZV/d3I42PFQ/ry2hsof85X1/+GtdHN7HH2V:rJCDhBf85l/RjHH
Threatray 1'670 similar samples on MalwareBazaar
TLSH T1C525AF21F888DF45C46E03368FDE46245FF8A881A1B1DF253FA423FD5450B62E97A35A
dhash icon 10f0c4c8c8c4f010 (26 x AgentTesla, 18 x Smoke Loader, 10 x Formbook)
Reporter abuse_ch
Tags:exe OskiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
572
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8e771b25550073599c67601bad91b7b4.exe
Verdict:
Malicious activity
Analysis date:
2021-07-30 06:17:27 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/206301d1-7821-45c8-bde0-a4e9bfc84a7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175201/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6627efbc-3250-4821-9158-a750102b299a
Result
Threat name:
Oski
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824312
Signature
Adds a directory exclusion to Windows Defender
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Oski Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 456722 Sample: MnsgvsGlvD.exe Startdate: 30/07/2021 Architecture: WINDOWS Score: 100 46 clientconfig.passport.net 2->46 48 prda.aadg.msidentity.com 2->48 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 9 other signatures 2->58 8 MnsgvsGlvD.exe 7 2->8         started        signatures3 process4 file5 30 C:\Users\user\AppData\Roaming\CsFvluJ.exe, PE32 8->30 dropped 32 C:\Users\user\...\CsFvluJ.exe:Zone.Identifier, ASCII 8->32 dropped 34 C:\Users\user\AppData\Local\...\tmp2DF4.tmp, XML 8->34 dropped 36 C:\Users\user\AppData\...\MnsgvsGlvD.exe.log, ASCII 8->36 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 8->60 62 Adds a directory exclusion to Windows Defender 8->62 64 Injects a PE file into a foreign processes 8->64 12 MnsgvsGlvD.exe 8->12         started        16 powershell.exe 24 8->16         started        18 powershell.exe 24 8->18         started        20 2 other processes 8->20 signatures6 process7 dnsIp8 50 fine.le-pearl.com 108.167.158.96, 49709, 49714, 49716 UNIFIEDLAYER-AS-1US United States 12->50 38 C:\ProgramData\sqlite3.dll, PE32 12->38 dropped 40 C:\ProgramData\softokn3.dll, PE32 12->40 dropped 42 C:\ProgramData\mozglue.dll, PE32 12->42 dropped 44 C:\ProgramData\freebl3.dll, PE32 12->44 dropped 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        28 conhost.exe 20->28         started        file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 06:15:07 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yb3f7vj5mtcclkcixcp2cfufkl6szluqtbgpufgaw7koa6e75ttq._file
Verdict:
malicious
Similar samples:
12f5634cd28b25f6dcde9a1d7902d64ab4ded48b50e06e4ec0f583e03a156125
OskiStealer
8e07cf5e12ed70918b410fdb95fdf6905c191df169df5fdf994daac99c8bd359
OskiStealer
90a9ef1c549a9f2646f6c603e27570832f371d25d2fc4b967c96f55fa034e557
OskiStealer
a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c
OskiStealer
c41aa6d6eeac57851b0a00a619609ed764072881b85b7dad25ac30f2856eda43
OskiStealer
d022b7b48419dbef83e9d084602cbb5b10566d193db01248a72be46251669a97
OskiStealer
f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e
OskiStealer
+ 1'660 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer suricata
Link:
https://tria.ge/reports/210730-neeblq9lyn/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
CustAttr .NET packer
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
fine.le-pearl.com
Unpacked files
SH256 hash:
664a2086112cfe9d1c5a9a47731329c4f5d133a20b9a58cf5fd6baf2358bf248
MD5 hash:
ab5450282e13ef8adb0629403b4f47c3
SHA1 hash:
d848b4f81c01692ef3cf48666cc6b37895b9cd11
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/63d4890e-ad27-4238-8ea3-7710067b757b/
Parent samples :
a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c
c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7
bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
SH256 hash:
910d2b520f7c1baca9a240aaa91ed020e7b090911da1e2367796c730581d8df2
MD5 hash:
34ec89e38e520b0aaf2ab688328f34e3
SHA1 hash:
7a417f0cdb4996a6991b12dd8f55725cb9bc8464
Link:
https://www.unpac.me/results/63d4890e-ad27-4238-8ea3-7710067b757b/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/63d4890e-ad27-4238-8ea3-7710067b757b/
SH256 hash:
c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7
MD5 hash:
8e771b25550073599c67601bad91b7b4
SHA1 hash:
0190b8be28d87e6b59a7b1b1d0d0cb78a199b9d6
Link:
https://www.unpac.me/results/63d4890e-ad27-4238-8ea3-7710067b757b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/175201/
  
URLhaus
https://urlhaus.abuse.ch/url/1487362/
  
Delivery method
Distributed via web download

Comments