MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OskiStealer

Vendor detections: 9

Intelligence 9 IOCs 7 YARA 6 File information Comments

SHA256 hash:	d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9
SHA3-384 hash:	3caaee74181d7fc624c194ed289abddf80293bc933bef92165082796ae4200e3c12a34966ba4b9cb6a43244d0e2c6055
SHA1 hash:	db9efd2c26760ce555c1c31ca8d80d1731b26771
MD5 hash:	92d6baf79e990130a1db2175731d4e46
humanhash:	winner-snake-crazy-item
File name:	d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9
Download:	download sample
Signature	OskiStealer Create hunting rule
File size:	702'464 bytes
First seen:	2021-08-24 22:50:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:PsIi50Ynk0H5sQH0YDMr1se/fRlA6EiNxcBO3XF02kLxEz33n5+mEJqyOx4:PtiKY/OQUwekXCcBmF3WS3Jta7O4
TLSH	T16CE412881AE8553BC93DAD7CD0A6AB41C2F0C0A55283F3267EC8DDEE97857C81745B87
Reporter	AndreGironda
Tags:	exe OskiStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://ck7.mooo.com/6.jpg	https://threatfox.abuse.ch/ioc/194051/
http://ck7.mooo.com/1.jpg	https://threatfox.abuse.ch/ioc/194052/
http://ck7.mooo.com/2.jpg	https://threatfox.abuse.ch/ioc/194053/
http://ck7.mooo.com/3.jpg	https://threatfox.abuse.ch/ioc/194054/
http://ck7.mooo.com/4.jpg	https://threatfox.abuse.ch/ioc/194055/
http://ck7.mooo.com/5.jpg	https://threatfox.abuse.ch/ioc/194056/
http://ck7.mooo.com/7.jpg	https://threatfox.abuse.ch/ioc/194057/

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9

Verdict:

Malicious activity

Analysis date:

2021-08-24 22:52:16 UTC

Tags:

trojan stealer vidar loader

Link:

https://app.any.run/tasks/6e06a855-7e61-4904-af77-102887ec934a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Deleting a recently created file

Reading critical registry keys

Replacing files

Delayed writing of the file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Stealing user critical data

Launching a tool to kill processes

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b354034-c60d-45e7-8846-757c17c1c0b3

Result

Threat name:

Oski Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/838639

Signature

Antivirus / Scanner detection for submitted sample

Downloads files with wrong headers with respect to MIME Content-Type

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Posts data to a JPG file (protocol mismatch)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AntiVM3

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-24 22:51:12 UTC

AV detection:

25 of 46 (54.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3h5ju3jpstnehtvr4vg7fswe4cm5m4ak2uw3ov7fzo7m5aq6opmq._file

Result

Malware family:

oski

Score:

10/10

Tags:

family:oski discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210824-8n66j4asaa/

Behaviour

Checks processor information in registry

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Oski

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Malware Config

C2 Extraction:

ck7.mooo.com

Unpacked files

SH256 hash:

e8fd915f6c176308283f7567c4b2cbdbdcf617328492c9d09fcfd6364a6ddfba

MD5 hash:

2a000e68693fc94e1c93d7649712eb2f

SHA1 hash:

e5a8846d7161c3464987acb8c6ae610cafef4da1

Detections:

win_oski_g0

win_oski_auto

Link:

https://www.unpac.me/results/c4b98a91-559e-4b8f-a01e-fac5f7a580e9/

Parent samples :

d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9
e8fd915f6c176308283f7567c4b2cbdbdcf617328492c9d09fcfd6364a6ddfba

SH256 hash:

6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

MD5 hash:

03bde4a82ad64c0f314985232fbca3fa

SHA1 hash:

e8d0b6339e94192eaaca32c812f914e60576dca6

Link:

https://www.unpac.me/results/c4b98a91-559e-4b8f-a01e-fac5f7a580e9/

SH256 hash:

7b82ef67319cf926fedd28e2f74ffba0eb32a04ee4ab630c9500bf78bda18b20

MD5 hash:

2b37c7816d53bc4f66b1ef8beb775561

SHA1 hash:

f3c4cc62f579f86b636d25cd5d55b9fb89d8cccc

Link:

https://www.unpac.me/results/c4b98a91-559e-4b8f-a01e-fac5f7a580e9/

SH256 hash:

d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9

MD5 hash:

92d6baf79e990130a1db2175731d4e46

SHA1 hash:

db9efd2c26760ce555c1c31ca8d80d1731b26771

Link:

https://www.unpac.me/results/c4b98a91-559e-4b8f-a01e-fac5f7a580e9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d9fa9a6d2f94/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_oski_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.oski.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

OskiStealer

xlsx 0231aa0cf3686c184fb9dd21492fe6f5a7615719a74fb341d7369283f559a2c7

OskiStealer

exe 2d308933203744252691fb15fb6c02fa50bed49da96c68d8159ff8b911f5e235

OskiStealer

exe d9fa9a6d2f94da43ceb1e54df2cac4e099d6700ad52db757e5cbbece821e73d9

(this sample)

7b82ef67319cf926fedd28e2f74ffba0eb32a04ee4ab630c9500bf78bda18b20

Cape

https://capesandbox.com/analysis/182026/

Link

https://tria.ge/210824-b4gq37316a/behavioral1

Link

https://www.unpac.me/results/355d6d00-f792-4884-92c8-3ae121f5e773

Dropped by

SHA256 2d308933203744252691fb15fb6c02fa50bed49da96c68d8159ff8b911f5e235

Dropping

SHA256 7b82ef67319cf926fedd28e2f74ffba0eb32a04ee4ab630c9500bf78bda18b20

Dropping

SHA256 6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

Dropping

SHA256 e8fd915f6c176308283f7567c4b2cbdbdcf617328492c9d09fcfd6364a6ddfba

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/1562343/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample