MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2aed23ccdcd5c9b2ae03bdf764e971a5ef30d4ef9dfc37f66806a057433c23a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 8


Intelligence 8 IOCs 7 YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2aed23ccdcd5c9b2ae03bdf764e971a5ef30d4ef9dfc37f66806a057433c23a
SHA3-384 hash: 3c38e67265ef67b8e46fff554c162aa119e0e42f6ad6ccde2863d3574c7d30c1d9ce78119bb8b9c38a87bfc9a4258bd2
SHA1 hash: 03fff323686df503349f619be5b6081e0818980b
MD5 hash: b616fd1f7f7feb981184ad846c626b91
humanhash: lake-nine-lactose-early
File name:b616fd1f7f7feb981184ad846c626b91
Download: download sample
Signature OskiStealer
Create hunting rule
File size:1'346'560 bytes
First seen:2021-07-21 23:02:26 UTC
Last seen:2021-07-21 23:48:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4da7a3c908f70c18780a67a792276e49 (2 x OskiStealer)
ssdeep 24576:i7yUiF3RdB5H1DBxJrR4YQmeXtaXfyh+GY6LJxY+hSf8a1SzQWgg74+We1tX:7bFBH91DB54YViyfC+GJyinj+U
Threatray 1'241 similar samples on MalwareBazaar
TLSH T1645533107B4286BFCE894FB653BF1440E924D975A71216CF0F2B2B7AA54332C4C766A7
Reporter zbetcheckin
Tags:32 exe OskiStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://silverscreen.sg/se//6.jpg https://threatfox.abuse.ch/ioc/161980/
http://silverscreen.sg/se//1.jpg https://threatfox.abuse.ch/ioc/161981/
http://silverscreen.sg/se//2.jpg https://threatfox.abuse.ch/ioc/161982/
http://silverscreen.sg/se//3.jpg https://threatfox.abuse.ch/ioc/161983/
http://silverscreen.sg/se//4.jpg https://threatfox.abuse.ch/ioc/161984/
http://silverscreen.sg/se//5.jpg https://threatfox.abuse.ch/ioc/161985/
http://silverscreen.sg/se//7.jpg https://threatfox.abuse.ch/ioc/161986/

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b616fd1f7f7feb981184ad846c626b91
Verdict:
Malicious activity
Analysis date:
2021-07-21 23:03:10 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/e02e2df3-40a2-4ba4-a23e-8c92a7e1adc1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173190/
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36f70651-122c-4065-95b0-5188ae27be2a
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819822
Signature
Antivirus / Scanner detection for submitted sample
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2aed23ccdcd5c9b2ae03bdf764e971a5ef30d4ef9dfc37f66806a057433c23a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-20 16:12:47 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kxnepgnzvojwkxahppxmtuxdjppgdko7hp4g73gqbvak5btyi5a._file
Verdict:
suspicious
Similar samples:
0c38c10261c2ae14822b19d1ebc54ad4ab417961b5f324716bb85a2038e3bb15
OskiStealer
1553300557f17e7cb62c914616267bc733854b98a0edc5215d901cc4f8e4d0f0
OskiStealer
4a440ef3be94895fcaaab5b4ba0755e8350e6131cabd507be510056739601df4
OskiStealer
50cae11649a917039a3fadf933dcf5d724ce0db6fbe4d29cb0aa590896849ca6
OskiStealer
77a04b2b2e8bf13abb35b02d0c9cbbaf76e5be02995d3124f01f641841c280ef
OskiStealer
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
OskiStealer
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
OskiStealer
c41aa6d6eeac57851b0a00a619609ed764072881b85b7dad25ac30f2856eda43
OskiStealer
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
OskiStealer
dfe493ec90b4d3114618d81d5d222b6919317387445c21bf58e3ca4b26300aef
OskiStealer
+ 1'231 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210721-p46sh4kkn6/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Unpacked files
SH256 hash:
f2aed23ccdcd5c9b2ae03bdf764e971a5ef30d4ef9dfc37f66806a057433c23a
MD5 hash:
b616fd1f7f7feb981184ad846c626b91
SHA1 hash:
03fff323686df503349f619be5b6081e0818980b
Link:
https://www.unpac.me/results/8842f552-1834-4b4d-92c9-556994ab45da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2aed23ccdcd5c9b2ae03bdf764e971a5ef30d4ef9dfc37f66806a057433c23a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe f2aed23ccdcd5c9b2ae03bdf764e971a5ef30d4ef9dfc37f66806a057433c23a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1472107/
Cape
Cape
https://www.capesandbox.com/analysis/173190/

Comments


Avatar
zbet commented on 2021-07-21 23:02:27 UTC

url : hxxps://silverscreen.sg/s/secure/scan09.EXE