MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e65c6e141516a7d76fe7c1e3bcc5433758fa627dfd6c18f65504efcfa62d4855. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OskiStealer


Vendor detections: 12



SHA256 hash: e65c6e141516a7d76fe7c1e3bcc5433758fa627dfd6c18f65504efcfa62d4855
SHA3-384 hash: 12dcc2716346bd0bafb68c88e9e1d6804ab1e4236ccfe540c4e759e9dc39e73538f32b72dbcf60a25ca0c4351bb3f536
SHA1 hash: 102b326899fbb5a2e6c03fcfb8e401c5c3a72f78
MD5 hash: 5d8d890614b10708afe877fb67a3e65b
humanhash: princess-oregon-seven-uniform
File name: Gatdhaozmwzqbfqrwgmuappjkqvltpfcxj.exe
Signature OskiStealer
File size: 730'624 bytes
First seen: 2021-09-16 12:41:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 48363177332cef840c51cef50a86516c (3 x RemcosRAT, 2 x Formbook, 1 x OskiStealer)
ssdeep 12288:xX8lG7bLQlI+h4Y+RNEVpgnoWO2ucgD6g8LxoKnrVHc:xs+LQbh0KUoWO2uh2rVH
Threatray 3'753 similar samples on MalwareBazaar
TLSH T150F45CE1A2D556F2E0332A7DAC5AB29034197D913EE8DC4D26D9CD4B0A31ED03CE917B
dhash icon 274e4d3305010141 (7 x RemcosRAT, 2 x NetWire, 2 x Formbook)
Reporter madjack_red
Tags:exe OskiStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                  ThreatFox reference
http://103.141.138.110/p1//6.jpg     https://threatfox.abuse.ch/ioc/222532/
http://103.141.138.110/p1//1.jpg     https://threatfox.abuse.ch/ioc/222533/
http://103.141.138.110/p1//2.jpg     https://threatfox.abuse.ch/ioc/222534/
http://103.141.138.110/p1//3.jpg     https://threatfox.abuse.ch/ioc/222535/
http://103.141.138.110/p1//4.jpg     https://threatfox.abuse.ch/ioc/222536/
http://103.141.138.110/p1//5.jpg     https://threatfox.abuse.ch/ioc/222537/
http://103.141.138.110/p1//7.jpg     https://threatfox.abuse.ch/ioc/222538/
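The hashes in the database entry and the ThreatFox URLs above are what a defender actually searches for. The Python script below is an added example, not part of the MalwareBazaar entry and not tooling from abuse.ch: it loads those IOCs and runs them against file bytes and proxy log lines. The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for the example, and the `known` parameter of `hash_matches` exists only so that a constructed hash set can be checked offline. One caveat worth building in: the ThreatFox URLs carry a doubled slash (`/p1//6.jpg`), while many proxies log the path normalized to a single slash, so the script collapses runs of slashes before comparing and also matches on the host plus the `/p1/` prefix taken from the vendor C2 extraction further down the page.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Hashes of this sample, copied from the database entry above.
SAMPLE_HASHES = {
    "sha256": "e65c6e141516a7d76fe7c1e3bcc5433758fa627dfd6c18f65504efcfa62d4855",
    "sha1": "102b326899fbb5a2e6c03fcfb8e401c5c3a72f78",
    "md5": "5d8d890614b10708afe877fb67a3e65b",
}
# ThreatFox URL IOCs listed above (note the doubled slash after p1).
C2_URLS = {f"http://103.141.138.110/p1//{n}.jpg" for n in range(1, 8)}
# Host and path prefix from the vendor "C2 Extraction" on this page.
C2_HOST, C2_PATH_PREFIX = "103.141.138.110", "/p1/"


def normalize_url(url):
    """Split a URL into (host, path) with runs of slashes collapsed, so that the
    IOC form http://h/p1//6.jpg and a proxy's http://h/p1/6.jpg compare equal."""
    parts = urlsplit(url.strip())
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return (parts.hostname or "").lower(), path


NORMALIZED_C2 = {normalize_url(u) for u in C2_URLS}


def hash_matches(data, known=SAMPLE_HASHES):
    """Hash file bytes with every algorithm in `known` and return the names of
    the algorithms whose digest matches (an empty list means no match)."""
    return sorted(name for name, digest in known.items()
                  if hashlib.new(name, data).hexdigest() == digest)


def scan_proxy_log(lines):
    """Scan simplified proxy log lines (constructed format:
    'timestamp client method url status') for the C2 IOCs.
    Returns one (line_no, url, reason) tuple per hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        host, path = normalize_url(url)
        if (host, path) in NORMALIZED_C2:
            hits.append((line_no, url, "exact ThreatFox IOC"))
        elif host == C2_HOST and path.startswith(C2_PATH_PREFIX):
            hits.append((line_no, url, "extracted C2 path prefix"))
    return hits


# Constructed log lines for the example (not real traffic from this sample).
SAMPLE_LOG = """\
1631796119 10.0.0.7 GET http://103.141.138.110/p1//6.jpg 200
1631796120 10.0.0.7 GET http://103.141.138.110/p1/1.jpg 200
1631796121 10.0.0.7 POST http://103.141.138.110/p1/ 200
1631796122 10.0.0.9 GET http://images.example/p1/6.jpg 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print("hash match on constructed bytes:", hash_matches(b"not the sample"))
```

The fourth constructed line has the same path as an IOC on a different host and is deliberately not flagged; matching on path alone would fire on every site that serves a `/p1/6.jpg`.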

Intelligence


File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Rfq Urgent Order #PO45465456564AU
Verdict:
Malicious activity
Analysis date:
2021-09-16 12:06:01 UTC
Tags:
macros macros-on-open opendir loader trojan stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm keylogger
Malware family:
Oski Stealer
Verdict:
Malicious
Result
Threat name:
Oski Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Sigma detected: Execution from Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 484494
Sample: Gatdhaozmwzqbfqrwgmuappjkqv...
Start date: 16/09/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Oski Stealer; 6 other signatures

Process tree (node numbers as in the graph):
- [12] Gatdhaozmwzqbfqrwgmuappjkqvltpfcxj.exe
    network: cdn.discordapp.com 162.159.133.233, port 443 (client ports 49735, 49736), CLOUDFLARENETUS, United States
    dropped: C:\Users\Public\Libraries\Jepdqqdn.exe (PE32)
    signature: Injects a PE file into a foreign processes
    - [20] Gatdhaozmwzqbfqrwgmuappjkqvltpfcxj.exe
        network: 103.141.138.110 (client ports 49740, 49751, 49784), VNPT-AS-VN Vietnam Posts and Telecommunications Group, Viet Nam
        - [32] cmd.exe
            - [48] taskkill.exe
            - [50] conhost.exe
    - [23] cmd.exe
        - [34] reg.exe
            - [52] conhost.exe
        - [36] conhost.exe
    - [25] cmd.exe
        - [38] cmd.exe
            - [54] conhost.exe
        - [40] conhost.exe
- [8] Jepdqqdn.exe
    network: 162.159.134.233, port 443 (client port 49749), CLOUDFLARENETUS, United States
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
    - [17] Jepdqqdn.exe
        signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        - [30] cmd.exe
            - [44] conhost.exe
            - [46] taskkill.exe
- [15] Jepdqqdn.exe
    network: 162.159.130.233, port 443 (client port 49750), CLOUDFLARENETUS, United States
    - [27] Jepdqqdn.exe
        dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
        - [42] WerFault.exe
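Two of the sandbox signatures above, "Downloads files with wrong headers with respect to MIME Content-Type" and "Posts data to a JPG file (protocol mismatch)", together with the Suricata alert "Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)" listed further down, describe checks a network sensor can make with no knowledge of the family. The Python below is an added example, not code from the entry or from any of the vendors named on this page: it sniffs the magic bytes of an HTTP body, compares them with the URL extension and the declared Content-Type, flags a POST to an image URL, flags any PE download, and opens a POSTed zip to look for Passwords.txt. The transactions are constructed; `cdn.example` and 203.0.113.5 are placeholder hosts, the bodies are synthetic, and only the 103.141.138.110 URLs come from this entry.

```python
import io
import zipfile
from urllib.parse import urlsplit

# File name that the Suricata rule on this page keys on (lower-cased for comparison).
SUSPICIOUS_ZIP_NAMES = {"passwords.txt"}


def sniff_type(body):
    """Identify the body by its magic bytes. Returns a MIME-style label,
    or None when the leading bytes are not one of the types we know."""
    if body.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if body.startswith(b"MZ"):
        return "application/x-dosexec"
    if body.startswith(b"PK\x03\x04"):
        return "application/zip"
    return None


def zip_member_names(body):
    """Base names (lower-cased) of the members of a zip body, or [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return [name.rsplit("/", 1)[-1].lower() for name in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def check_transaction(method, url, content_type, body):
    """Return the list of reasons an HTTP transaction matches the download
    and exfiltration pattern described above; [] means nothing odd."""
    method = method.upper()
    path = urlsplit(url).path.lower()
    claims_image = path.endswith((".jpg", ".jpeg"))
    declared = (content_type or "").split(";")[0].strip().lower()
    sniffed = sniff_type(body)
    reasons = []
    if method == "POST":
        if claims_image:
            reasons.append("POST to a .jpg URL (protocol mismatch)")
        found = SUSPICIOUS_ZIP_NAMES.intersection(zip_member_names(body))
        if found:
            reasons.append("outbound POST of a zip containing " + ", ".join(sorted(found)))
    elif method == "GET":
        if declared and sniffed and declared != sniffed:
            reasons.append(f"Content-Type says {declared} but body sniffs as {sniffed}")
        if claims_image and sniffed != "image/jpeg":
            reasons.append(f"URL ends in .jpg but body sniffs as {sniffed or 'unknown'}")
        if sniffed == "application/x-dosexec":
            reasons.append("downloads an MZ/PE file")
    return reasons


def build_zip(members):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed transactions (method, url, Content-Type, body). Only the
# 103.141.138.110 URLs come from this entry; the bodies are synthetic.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60            # a PE header stub, not a real binary
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"   # start of a JFIF file
TRANSACTIONS = [
    ("GET", "http://103.141.138.110/p1//6.jpg", "image/jpeg", FAKE_PE),
    ("GET", "http://cdn.example/logo.jpg", "image/jpeg", REAL_JPEG),
    ("POST", "http://103.141.138.110/p1/", "application/octet-stream",
     build_zip({"Passwords.txt": b"site,user,pass\n", "screen.jpg": REAL_JPEG})),
    ("POST", "http://203.0.113.5/upload/1.jpg", "application/octet-stream", b"x=1"),
]


def triage(transactions):
    """Map each flagged URL to its reasons; clean transactions are omitted."""
    result = {}
    for method, url, content_type, body in transactions:
        reasons = check_transaction(method, url, content_type, body)
        if reasons:
            result[url] = reasons
    return result


if __name__ == "__main__":
    for url, reasons in triage(TRANSACTIONS).items():
        print(url)
        for reason in reasons:
            print("   ", reason)
```

The zip check reads the archive from the raw body, so on a real sensor it has to run on the reassembled upload (or the relevant multipart part), not on a single packet; the Suricata rule achieves the same with content matching on the local file header.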
Threat name:
Win32.Backdoor.Remcos
Status:
Malicious
First seen:
2021-09-16 02:13:20 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:oski discovery infostealer persistence spyware stealer suricata
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
103.141.138.110/p1/
Unpacked files
SHA256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
SHA256 hash:
e65c6e141516a7d76fe7c1e3bcc5433758fa627dfd6c18f65504efcfa62d4855
MD5 hash:
5d8d890614b10708afe877fb67a3e65b
SHA1 hash:
102b326899fbb5a2e6c03fcfb8e401c5c3a72f78
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Author:ditekSHen
Description:detects Windows executables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments