MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e295db3f673745f6e7a9de653c3e7648eadb10702144b2542bf699c607efb8b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e295db3f673745f6e7a9de653c3e7648eadb10702144b2542bf699c607efb8b1
SHA3-384 hash: 836a3484d372941222323ae0c27d27a70a180407e10b3808c97f24ff281f0b8c5518f7c2d910ed5f959594c0f7eaab5f
SHA1 hash: 83f79cd53609f0c721ac8a8ce389473230099eb4
MD5 hash: 9e4324dc4d0beb2210c7ff46beeb9fc9
humanhash: kentucky-sixteen-spring-india
File name:FPL_0663_752_010.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:395'064 bytes
First seen:2021-04-26 05:33:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:AnAJdf/UitfUeAIQHuA36cdzJ0KbSRikEKRTvmRG:Om/beeAItC66zGcSR8+TuA
Threatray 40 similar samples on MalwareBazaar
TLSH 6384A078FDFF6A85C610DE3A666CB15606E09C48CE9B837BE0D472A47E30DC81A4651F
Reporter abuse_ch
Tags:exe OskiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FPL_0663_752_010.exe
Verdict:
No threats detected
Analysis date:
2021-04-26 05:38:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbd91f22-d743-4d6b-bfa0-d780698b93e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144168/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.20871.11594.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a file
DNS request
Deleting a recently created file
Reading critical registry keys
Replacing files
Creating a window
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Stealing user critical data
Launching a tool to kill processes
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697280
Signature
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397557 Sample: FPL_0663_752_010.exe Startdate: 26/04/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Downloads files with wrong headers with respect to MIME Content-Type 2->45 47 4 other signatures 2->47 8 FPL_0663_752_010.exe 8 2->8         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 8->23 dropped 25 C:\Users\user\...\FPL_0663_752_010.exe, PE32 8->25 dropped 27 C:\...\FPL_0663_752_010.exe:Zone.Identifier, ASCII 8->27 dropped 29 C:\Users\user\...\FPL_0663_752_010.exe.log, ASCII 8->29 dropped 49 Creates an undocumented autostart registry key 8->49 51 Writes to foreign memory regions 8->51 53 Injects a PE file into a foreign processes 8->53 12 FPL_0663_752_010.exe 193 8->12         started        signatures5 process6 dnsIp7 39 3ssq.xyz 45.15.143.157, 49747, 80 DEDIPATH-LLCUS Latvia 12->39 31 C:\ProgramData\vcruntime140.dll, PE32 12->31 dropped 33 C:\ProgramData\sqlite3.dll, PE32 12->33 dropped 35 C:\ProgramData\softokn3.dll, PE32 12->35 dropped 37 4 other files (none is malicious) 12->37 dropped 55 Multi AV Scanner detection for dropped file 12->55 57 Performs DNS queries to domains with low reputation 12->57 59 Tries to harvest and steal browser information (history, passwords, etc) 12->59 61 Tries to steal Crypto Currency Wallets 12->61 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e295db3f673745f6e7a9de653c3e7648eadb10702144b2542bf699c607efb8b1/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-26 02:00:53 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kk5wp3hg5c7nz5j3zstyptwjdvnwedqefclevbl62m4mb7pxcyq._file
Verdict:
suspicious
Similar samples:
029626fb22c7446fc6f2abd2551252a08507c68fd035d41694e2c77b6e868698
OskiStealer
1e86893e03f2f3bec014fc26e5fabd65fdfa2ddf14111707d0ef20dadf5bcef9
OskiStealer
398e6661f5ca757d0d7c777a0ed8ca1481b5c2df810008164e1f51deefc2ab48
OskiStealer
6626efff01b34eef4f69d8357052b70a36dd8abac62bad192397d335ff9247dd
OskiStealer
9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db
OskiStealer
9dd08cf2672502db217f9772affb88657f8559d8f4d946af25c4b22428ea336a
OskiStealer
b02fe380538c1b317f665d51bd360fa5ee46399150a296c2b354b0295bef6a53
OskiStealer
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
OskiStealer
e1865abf21c3b8f3b3d15e6c6e477468941f9e65700ceaaa0f4cb269d967c83e
OskiStealer
e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0
OskiStealer
+ 30 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210426-chkm3eky5x/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Unpacked files
SH256 hash:
4f8fc9264c659b14180e0763ebff0a0a413879cc87c3bdb452fc7cdda43eccc6
MD5 hash:
39525118e071bce02bba459707f4802c
SHA1 hash:
82470d7381c9b24a2819e9b7f3f6a775a8a0a1e5
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf442626-b358-4464-b83b-9834b6f03050/
SH256 hash:
ebb4c7a8527658d4f02f6242d0a4a518e5881ac4b89ee7036cc8464214a66811
MD5 hash:
9766c14be8e0d0a3e027c63fa097b55b
SHA1 hash:
c96561c8f8aa14db919676b8e84bccb581436db7
Link:
https://www.unpac.me/results/bf442626-b358-4464-b83b-9834b6f03050/
SH256 hash:
5916d2863bedf4496941cedd515cd1fdcbe90bce2aa9cfcf0a6203ac8dcbdc69
MD5 hash:
5828beae39d1352926979ecadcd5d462
SHA1 hash:
988b7c3fa3f6fdace56e2c7536d92df20caa6bf0
Link:
https://www.unpac.me/results/bf442626-b358-4464-b83b-9834b6f03050/
SH256 hash:
e295db3f673745f6e7a9de653c3e7648eadb10702144b2542bf699c607efb8b1
MD5 hash:
9e4324dc4d0beb2210c7ff46beeb9fc9
SHA1 hash:
83f79cd53609f0c721ac8a8ce389473230099eb4
Link:
https://www.unpac.me/results/bf442626-b358-4464-b83b-9834b6f03050/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e295db3f673745f6e7a9de653c3e7648eadb10702144b2542bf699c607efb8b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144168/

Comments