MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c17243e46ff224631e589c55642c3666e5c560715841e8b8ebdd511cb70da8dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c17243e46ff224631e589c55642c3666e5c560715841e8b8ebdd511cb70da8dd
SHA3-384 hash: 30d0750050f900882e4de55fec3b2f115074388b4253b5b360fb562a5ff08efca1ba32c721ddc4bd7024834150d1e014
SHA1 hash: a4bb6e1e09621536559355cecdb3409f9b7d3ebe
MD5 hash: e029f21834d5ceea1006d1658768f4dc
humanhash: solar-nebraska-leopard-purple
File name:e029f21834d5ceea1006d1658768f4dc
Download: download sample
Signature OskiStealer
Create hunting rule
File size:526'336 bytes
First seen:2021-10-19 09:52:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:jIJFd3ilGzEUHt61r+Rnk3GWBdWaj/7+JZvH4r+:edxqKeWGR7+XvN
Threatray 3'975 similar samples on MalwareBazaar
TLSH T17AB4E1057950DD5FC88A4F3684385C324B22A9674316F2836DD73ECF7D9D7868A0A3AB
Reporter zbetcheckin
Tags:32 exe OskiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198443/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.17696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616e95849a5a1e91c5c5df77/reports/b450fca2-3f6f-4622-a1db-c9f7ef877578/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a78a7cf3-cfcf-4ad8-add5-77b9f1f04007
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872993
Signature
Antivirus detection for URL or domain
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505421 Sample: HTl3Oz56qe Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Antivirus detection for URL or domain 2->37 39 Yara detected Oski Stealer 2->39 41 7 other signatures 2->41 8 HTl3Oz56qe.exe 3 2->8         started        process3 file4 23 C:\Users\user\AppData\...\HTl3Oz56qe.exe.log, ASCII 8->23 dropped 43 Performs DNS queries to domains with low reputation 8->43 12 HTl3Oz56qe.exe 196 8->12         started        signatures5 process6 dnsIp7 33 stanelectronics.xyz 172.67.218.147, 49716, 80 CLOUDFLARENETUS United States 12->33 25 C:\ProgramData\vcruntime140.dll, PE32 12->25 dropped 27 C:\ProgramData\sqlite3.dll, PE32 12->27 dropped 29 C:\ProgramData\softokn3.dll, PE32 12->29 dropped 31 4 other files (none is malicious) 12->31 dropped 45 Tries to harvest and steal browser information (history, passwords, etc) 12->45 47 Tries to steal Crypto Currency Wallets 12->47 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c17243e46ff224631e589c55642c3666e5c560715841e8b8ebdd511cb70da8dd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 09:53:08 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfzehzdp6isgghsytrkwilbwm3s4kydrlba6rohl3virznynvdoq._file
Verdict:
malicious
Similar samples:
024a5c3d369e1459332682cad7931a426722fdc2ec0950adc598e0227d0ef043
OskiStealer
44aa270e4c081241057bad8c1d0ea5864087325f8e3209aa10747f108123f718
OskiStealer
4ee9983bc82214479876383c1caa6c1800df1d9d9bc733bf0be74150570b12d0
OskiStealer
652ff7f52f0e2d6bdd5a0f36f4b24c4dafc8aab7d5236db91b77267650cdb140
OskiStealer
a54ecc8d83199ee37e9af81592b4b3dbc037aaa14eba989f6dc0504a570bcc9c
OskiStealer
a870249216a9fd48fa38faf197c7cad48a16b1c1f0d17f98b9b5de4c1a1b7cfb
OskiStealer
b43dde5ca3d23d16af5bf34c522869dff9624a78be67dfc3acde5c81ef24d318
OskiStealer
d53af79b3996389ff73ab33578448fd5e6ee2698251451ed3df7c63ba025fd21
OskiStealer
dda5d47308c0ebcb2555cda19b4c05a88d633396909456b9ee5fcee42e197724
OskiStealer
+ 3'965 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211019-lwm9tafeg2/
Behaviour
Suspicious use of WriteProcessMemory
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
stanelectronics.xyz
Unpacked files
SH256 hash:
245306c0b82d254688e24dc5e7310195e54577b10889f1eff11bc250295e79a8
MD5 hash:
66c61554814e813794855cb767681304
SHA1 hash:
bf33fa9424894ec356676dc04bc4569cfb313d80
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/99853a0b-50bf-48b2-a43c-9ec6a8b800db/
Parent samples :
c17243e46ff224631e589c55642c3666e5c560715841e8b8ebdd511cb70da8dd
12ca573395abe2197dd8e264d780b988830337b1ba66723c2ced6a0ce51993ce
SH256 hash:
7b4ba24781e21b310e2749bc2f7a80b9670a4198a54d26e42079a6a1c1be6ae7
MD5 hash:
7b77d210bf6b00fd8ee8187198852052
SHA1 hash:
7f78d6294a269349fc9a49ad3c8ccb3c3d2665b4
Link:
https://www.unpac.me/results/99853a0b-50bf-48b2-a43c-9ec6a8b800db/
SH256 hash:
7ff89ef7a249f73aa5386d36c88a41f6250099274ae23e84daec1a60900cb879
MD5 hash:
7cf73cbca63b8e9210cc4f4eb81af57e
SHA1 hash:
2dc413c06966f2ba045140239998e450253a739c
Link:
https://www.unpac.me/results/99853a0b-50bf-48b2-a43c-9ec6a8b800db/
SH256 hash:
c17243e46ff224631e589c55642c3666e5c560715841e8b8ebdd511cb70da8dd
MD5 hash:
e029f21834d5ceea1006d1658768f4dc
SHA1 hash:
a4bb6e1e09621536559355cecdb3409f9b7d3ebe
Link:
https://www.unpac.me/results/99853a0b-50bf-48b2-a43c-9ec6a8b800db/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c17243e46ff2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
vidar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c17243e46ff224631e589c55642c3666e5c560715841e8b8ebdd511cb70da8dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe c17243e46ff224631e589c55642c3666e5c560715841e8b8ebdd511cb70da8dd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1695597/
Cape
Cape
https://www.capesandbox.com/analysis/198443/

Comments


Avatar
zbet commented on 2021-10-19 09:52:23 UTC

url : hxxp://uploadingpanel.xyz/stanzx.exe