MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 9


Intelligence 9 IOCs 7 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e
SHA3-384 hash: e10984cd3108a346301d580994d8a05ed1f319c07e74b49567b39bed9d4f033654ffec748a043f636063f83f6b241202
SHA1 hash: 0faeb359703506fd0e0fa21ab3b23dda5ea868e6
MD5 hash: e330461dfd3ff5099a0b05e06bc4bda9
humanhash: india-moon-cola-speaker
File name:GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:1'270'784 bytes
First seen:2021-07-28 08:05:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ZYRTCm4w3OsBgo0q4wMycBBsMbsYglmejvo7:ZVwuoHMyc8QsJmejQ
Threatray 9'325 similar samples on MalwareBazaar
TLSH T105456A747BFD2A0AF0BB567E5074C1B14574B4AAEA12C73D792272CB0A32359C25C72B
dhash icon 92aeae8eb682b2b2 (3 x AgentTesla, 2 x OskiStealer, 1 x QuasarRAT)
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://fine.le-pearl.com/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://fine.le-pearl.com/6.jpg https://threatfox.abuse.ch/ioc/163128/
http://fine.le-pearl.com/1.jpg https://threatfox.abuse.ch/ioc/163129/
http://fine.le-pearl.com/2.jpg https://threatfox.abuse.ch/ioc/163130/
http://fine.le-pearl.com/3.jpg https://threatfox.abuse.ch/ioc/163131/
http://fine.le-pearl.com/4.jpg https://threatfox.abuse.ch/ioc/163132/
http://fine.le-pearl.com/5.jpg https://threatfox.abuse.ch/ioc/163133/
http://fine.le-pearl.com/7.jpg https://threatfox.abuse.ch/ioc/163134/

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 08:06:43 UTC
Tags:
loader
Link:
https://app.any.run/tasks/1d6e09c9-2203-4ccd-95d4-6544ce97cf99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174592/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.953-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44f054cf-bd6d-484e-b725-341c2416ac07
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822951
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455363 Sample: GHAI SHIPMENT SCHEDULE 28TH... Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 72 themainreport.co.nz 2->72 74 mail.themainreport.co.nz 2->74 76 Found malware configuration 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 Yara detected AgentTesla 2->80 82 6 other signatures 2->82 9 GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe 7 2->9         started        13 FsYYqg.exe 2->13         started        15 FsYYqg.exe 2->15         started        signatures3 process4 file5 64 C:\Users\user\AppData\Roaming\ayFJdzpy.exe, PE32 9->64 dropped 66 C:\Users\user\AppData\Local\...\tmp4FC8.tmp, XML 9->66 dropped 86 Adds a directory exclusion to Windows Defender 9->86 88 Injects a PE file into a foreign processes 9->88 17 GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe 9->17         started        22 schtasks.exe 9->22         started        24 powershell.exe 22 9->24         started        34 2 other processes 9->34 90 Multi AV Scanner detection for dropped file 13->90 26 powershell.exe 13->26         started        28 schtasks.exe 13->28         started        30 powershell.exe 13->30         started        32 FsYYqg.exe 13->32         started        36 2 other processes 15->36 signatures6 process7 dnsIp8 68 swsaseguranca.com.br 162.241.203.110, 49752, 80 OIS1US United States 17->68 70 192.168.2.1 unknown unknown 17->70 58 C:\Users\user\AppData\Roaming\...\FsYYqg.exe, PE32 17->58 dropped 60 C:\Users\user\...\FsYYqg.exe:Zone.Identifier, ASCII 17->60 dropped 62 C:\Users\user\AppData\Local\Temp\apwxc.exe, PE32 17->62 dropped 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->84 38 apwxc.exe 17->38         started        40 MpCmdRun.exe 22->40         started        42 conhost.exe 22->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        48 conhost.exe 28->48         started        50 conhost.exe 30->50         started        52 2 other processes 34->52 54 2 other processes 36->54 file9 signatures10 process11 process12 56 conhost.exe 40->56         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 08:06:09 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bo6lbwdum67rdv3ksj4bo6l2ggj64zoeaoeyfqe6kzhpglwinha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
OskiStealer
112f248bd983696a69465381b2ddadd26bb41419c649b54afd83db67bef21e37
OskiStealer
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
OskiStealer
77dafc4c23c98c2d0518eb6bcee7cfc13128c249dafc4d5faefbfb67425f40e1
OskiStealer
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
OskiStealer
996c7d7177a30556d65872fdff745dd5adcfd6742dea6f71318e8cbc7d4cca26
OskiStealer
cb145909667bd181409f1e14b6b2fd00ec9f8894ffaba82bd2b1888065e6a22a
OskiStealer
d022b7b48419dbef83e9d084602cbb5b10566d193db01248a72be46251669a97
OskiStealer
f6a7a0bf925b8afa5152db2c60403056b5d8e53d1daa948be46b123f35e3af90
OskiStealer
+ 9'315 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210728-vwwykhf78s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
CustAttr .NET packer
AgentTesla
Unpacked files
SH256 hash:
4a0f07c3960217bcc25a335d3fa6bd848c4012d2639b0366807565512f0b953c
MD5 hash:
95b8239a2ccf72b6314dbc83add60f6a
SHA1 hash:
ab4a95b82a8587cdcde90a35f0efcb466a25593d
Link:
https://www.unpac.me/results/31994bfd-56ce-4309-8bae-232b9486d7f4/
SH256 hash:
cf10c0025ad1c027b0d75c36149d6a6acd2cd05c30ddd9c7724a855ce92b7ca7
MD5 hash:
a5ccaf238e51572140fe5827db879208
SHA1 hash:
53fb227eaea07897412f9958e1a4be5bbcc6654d
Link:
https://www.unpac.me/results/31994bfd-56ce-4309-8bae-232b9486d7f4/
SH256 hash:
598356980b9bb883f230549f68bd3d6b55f97fbcc4325efa838704d378ff42ec
MD5 hash:
3674f7e909a587f38e0292c3b5a7ce49
SHA1 hash:
4f8709028ee2ba8892bcb2acb6333be7350f15dd
Link:
https://www.unpac.me/results/31994bfd-56ce-4309-8bae-232b9486d7f4/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/31994bfd-56ce-4309-8bae-232b9486d7f4/
SH256 hash:
f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e
MD5 hash:
e330461dfd3ff5099a0b05e06bc4bda9
SHA1 hash:
0faeb359703506fd0e0fa21ab3b23dda5ea868e6
Link:
https://www.unpac.me/results/31994bfd-56ce-4309-8bae-232b9486d7f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174592/

Comments