MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9b7cd9594e42b49718c8e4c093ce9bd2e494ab5d11ae6fbe505ce24a5cc3867. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OskiStealer


Vendor detections: 14


Intelligence 14 IOCs 7 YARA 6 File information Comments

SHA256 hash: c9b7cd9594e42b49718c8e4c093ce9bd2e494ab5d11ae6fbe505ce24a5cc3867
SHA3-384 hash: a0e9509120258ed8e42b799383c71d61992ecd60dec8218ad8199521fffe3e1255289c7a6ee023894c71d995b0b247a1
SHA1 hash: cafb904a8227f35ca916e1c7b1213ce76b4282b2
MD5 hash: 6fbe0d88a13f078bdb6ce169f64cf2d6
humanhash: don-hot-foxtrot-eighteen
File name:C9B7CD9594E42B49718C8E4C093CE9BD2E494AB5D11AE.exe
Download: download sample
Signature OskiStealer
File size:325'632 bytes
First seen:2022-06-19 21:11:30 UTC
Last seen:2022-06-19 21:32:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'081 x AgentTesla, 20'056 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 6144:RNk4bwkmsQ0YdjCzt4JXfzceqiJvg2659Wx0Ma+RRtFV1+ihOpJwKN3Obb4oD:3kUwky0qCiJXfoeP4nAvFT+M6z+bbJD
Threatray 782 similar samples on MalwareBazaar
TLSH T152642AF37256E316C2A403BC5CFD0A7B175A9944941381DDBB0D36A7F60A43A32ADED2
TrID 49.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
28.9% (.EXE) InstallShield setup (43053/19/16)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon e862eae6b696c6ec (1 x OskiStealer)
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://weirdtrendz.com/6.jpg

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://weirdtrendz.com/6.jpg https://threatfox.abuse.ch/ioc/716463/
http://weirdtrendz.com/1.jpg https://threatfox.abuse.ch/ioc/716464/
http://weirdtrendz.com/2.jpg https://threatfox.abuse.ch/ioc/716465/
http://weirdtrendz.com/3.jpg https://threatfox.abuse.ch/ioc/716466/
http://weirdtrendz.com/4.jpg https://threatfox.abuse.ch/ioc/716467/
http://weirdtrendz.com/5.jpg https://threatfox.abuse.ch/ioc/716468/
http://weirdtrendz.com/7.jpg https://threatfox.abuse.ch/ioc/716469/

Intelligence


File Origin
# of uploads :
2
# of downloads :
359
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
Minitool_Partition_wizard_9_keygen_by_KeygenNinja.exe
Verdict:
Malicious activity
Analysis date:
2021-04-20 07:09:26 UTC
Tags:
evasion trojan stealer kpot ficker pony fareit vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed palevo
Malware family:
Oski Stealer
Verdict:
Malicious
Result
Threat name:
Oski Stealer, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Zilla
Status:
Malicious
First seen:
2021-04-18 15:47:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:oski infostealer spyware stealer suricata
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Malware Config
C2 Extraction:
weirdtrendz.com
Unpacked files
SH256 hash:
3c648992d1546155e984774bc4b6ca5f3ffd83d084f4e0d08346a08a95e30aa2
MD5 hash:
de1559dbbf4a543bd6ea181340105ae5
SHA1 hash:
d88509684b84254f2dc27f6ff86d6e20540b21b7
SH256 hash:
eed0bc7bd3a248dcf95d3932aa4a239aba4a767c8ee158477034521300879410
MD5 hash:
80c21bd02f102207b6daf0596f976cf7
SHA1 hash:
d76ff6565f289b725728e7d710c25cd758008e44
Detections:
win_oski_g0 win_oski_auto
SH256 hash:
c9b7cd9594e42b49718c8e4c093ce9bd2e494ab5d11ae6fbe505ce24a5cc3867
MD5 hash:
6fbe0d88a13f078bdb6ce169f64cf2d6
SHA1 hash:
cafb904a8227f35ca916e1c7b1213ce76b4282b2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments