MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 9


Intelligence 9 IOCs 7 YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e
SHA3-384 hash: f7912c597d10b06349849a24fc62b8adf617736f4d32276f817750a9f677e95554ae803a79b1e831e2a49a02c9b19a16
SHA1 hash: 4c0654f0475f0e001cfbf9bf47caed94ae137af8
MD5 hash: ef8bf0e0c08418ed74b33120185fd044
humanhash: berlin-william-uranus-aspen
File name:ef8bf0e0c08418ed74b33120185fd044.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:225'080 bytes
First seen:2021-04-29 06:29:07 UTC
Last seen:2021-04-29 10:35:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:46ZJh8A7tfzoeAWRfS8ypYAxBWA3VcuVdxcK/SVaKpDKt1X5BX7Cm:j8UtfUeAIQHuA36cd3/SVawKbC
Threatray 10 similar samples on MalwareBazaar
TLSH 852401435E98C226DAE13E716EB2F3245A34BD10B832E1DF59D8F35ADB70B00C665362
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://205.185.120.57/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://205.185.120.57/6.jpg https://threatfox.abuse.ch/ioc/22232/
http://205.185.120.57/1.jpg https://threatfox.abuse.ch/ioc/22233/
http://205.185.120.57/2.jpg https://threatfox.abuse.ch/ioc/22234/
http://205.185.120.57/3.jpg https://threatfox.abuse.ch/ioc/22235/
http://205.185.120.57/4.jpg https://threatfox.abuse.ch/ioc/22236/
http://205.185.120.57/5.jpg https://threatfox.abuse.ch/ioc/22237/
http://205.185.120.57/7.jpg https://threatfox.abuse.ch/ioc/22238/

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e.exe
Verdict:
Malicious activity
Analysis date:
2021-04-29 06:45:26 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/e1c98e8a-3eaa-4c8a-923e-0892fbc5dda4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/146412/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.27073.14548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/703149
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 00:41:17 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3c2qaqtzddnycx5vwvplqb6iqmazf2q4zvtw2sqxcvpu2efbynxa._file
Verdict:
unknown
Similar samples:
023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f
OskiStealer
06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db
OskiStealer
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
OskiStealer
312c1e6a195ca210070f9fdc8e2ed8a6363bd8386047ad48ff20e36d60dae6e4
OskiStealer
31768ba567580677ef466b1451e012d1fd35341ca7ec9692c56ecfc09c4e13fc
OskiStealer
5a38b12ebce12dde580da36ee1b4a5c0387f9e81f7f738c278b60d5781dad6eb
OskiStealer
bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184
OskiStealer
d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2
OskiStealer
fdd6b649413776c157e7029b545d9e47a62b9decd6b2a11ca1708fd4363945a8
OskiStealer
fe2853104646e2bd3446a2965268b953f728d3cdc941e8add4760975e2d12e86
OskiStealer
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210429-gzxycq1we2/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Unpacked files
SH256 hash:
c0ce2cf58bbfebb58d003bb17a189e96a376b69a89242a19e34e625f32bb78ab
MD5 hash:
d1076d69ad47c02a6baeacd06b13eccd
SHA1 hash:
e08d7460fba61eba7cad811aa0aed4ce6d52efe7
Link:
https://www.unpac.me/results/c8cb7f99-555f-41cb-b86c-b1c762efff56/
SH256 hash:
d807c5a146785c120bb8ff16ca059c7eb37024e3462abc7dfe412f36e5b0b206
MD5 hash:
c8d909374b75e49924686131cb76f655
SHA1 hash:
59027c20a59832ca9e9fe1ddfb5e6a323447b9ce
Link:
https://www.unpac.me/results/c8cb7f99-555f-41cb-b86c-b1c762efff56/
SH256 hash:
fc5da7e67cc4a77fc94a814cdde8b7c2705cf1fd09addfe91ee204647275538f
MD5 hash:
b188c5edfad98e6d1039796e8b988caf
SHA1 hash:
19b6c0b32f5add2f51645a8df94d1dc672e7c952
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/c8cb7f99-555f-41cb-b86c-b1c762efff56/
Parent samples :
d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e
916bd03b40de6bfa498311e3a70d3e98c50e8255fd413d446daab77951224856
6bbdcec0763847706f9b75674aad231ff23afd2b212138fc630a86f69f8180d8
SH256 hash:
d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e
MD5 hash:
ef8bf0e0c08418ed74b33120185fd044
SHA1 hash:
4c0654f0475f0e001cfbf9bf47caed94ae137af8
Link:
https://www.unpac.me/results/c8cb7f99-555f-41cb-b86c-b1c762efff56/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe d8b500427918db815fb5b55eb807c8830192ea1ccd676d4a17155f4d10a1c36e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/146412/
  
URLhaus
https://urlhaus.abuse.ch/url/1182046/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-29 07:12:23 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program