MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9b74e819b296f329399e9867d40d7b87477be291ee5509bdde6a7d90778fc44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 9

SHA256 hash: c9b74e819b296f329399e9867d40d7b87477be291ee5509bdde6a7d90778fc44
SHA3-384 hash: 590331ea4eb541abca6471bf7ffb6b749217dd4cdf0507d4f9285cd8bafae5eb8ee7bf32e5308e5fb8ad20f46fa6cfdc
SHA1 hash: f5bde5e7cf2c9e4902a776b0b10c15ebbc177f46
MD5 hash: 41c53b19529008aebacf79f4c9c380a9
humanhash: hot-earth-one-mango
File name: Bestellung 210950030.ppam
Signature: OskiStealer
File size: 16'974 bytes
First seen: 2021-09-17 18:08:52 UTC
Last seen: Never
File type: PowerPoint file ppam
MIME type: application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep: 384:dXPB4KI6jlR3lQxh4VFI9/RewcRSVuVLFK:VP+76jlXAh8SRQRZVo
TLSH: T1D872C0BB0D175768CB315AFAE09C08FABF1EC47563A9AE1B1105F1260434C83539DABD
Reporter: abuse_ch
Tags: DEU geo OskiStealer ppam

Intelligence

File Origin
# of uploads: 1
# of downloads: 155
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: macros macros-on-open
Result
Verdict: MALICIOUS
Details:
Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Result
Threat name: Oski Vidar
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Posts data to a JPG file (protocol mismatch)
PowerShell case anomaly found
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Very long command line found
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced; details recoverable from the graph labels: Behavior Graph ID 485345, sample Bestellung 210950030.ppam, start date 17/09/2021, architecture WINDOWS, score 100. Process chain shown: POWERPNT.EXE starts cmd.exe (obfuscated, very long and encrypted PowerShell command line, case anomaly), which starts powershell.exe, which starts yitshj.exe. yitshj.exe contacts cdn.discordapp.com (162.159.133.233:443, CLOUDFLARENETUS), drops C:\Users\Public\Libraries\...\Kdkvxuf.exe, unpacks itself, injects a PE file into a child yitshj.exe that contacts 103.141.138.110 (VNPT, Viet Nam), and spawns cmd.exe instances that run reg.exe and taskkill.exe. Kdkvxuf.exe also appears as a separately started process that contacts cdn.discordapp.com (162.159.134.233:443), unpacks and injects into a child Kdkvxuf.exe, drops vcruntime140.dll, nss3.dll, msvcp140.dll, sqlite3.dll, softokn3.dll, mozglue.dll and freebl3.dll into C:\ProgramData\, and is flagged for harvesting browser information and cryptocurrency wallets.]
Threat name: Script-Macro.Trojan.Valyria
Status: Malicious
First seen: 2021-09-17 10:20:15 UTC
AV detection: 14 of 28 (50.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:oski infostealer persistence spyware suricata
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Oski
Process spawned unexpected child process
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction: 103.141.138.110/p2/

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments