MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f98f307a6a414fcbe42e1017d720f1ed8c9e0df21b703f74e94dbe1afa8b32ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 7


Intelligence 7 IOCs 7 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f98f307a6a414fcbe42e1017d720f1ed8c9e0df21b703f74e94dbe1afa8b32ff
SHA3-384 hash: 9b9d2ce550c40e5607422458b681d2f1a646bed7726b724dbf5f7762f0554c2ca16fc1e935c1d51b178b8dafd1e03ca4
SHA1 hash: 9bb35f35f97839e4c995ab39246a5caac983c928
MD5 hash: 9b807ec7d5c9fa755cd95453f9a7c0d0
humanhash: moon-chicken-sodium-romeo
File name:PLI5130745618.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:232'248 bytes
First seen:2021-05-03 02:25:30 UTC
Last seen:2021-05-03 03:06:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:8kcmAGOyF6ulHNStfzoeAWRfS8ypYAxBWA3VcuVdxvNmT9PQdseKzxEfggIYS:8kcmflQtfUeAIQHuA36cdROPSEEf
Threatray 97 similar samples on MalwareBazaar
TLSH 3E3402409AC4C705C9B4063A9EF1C134BBB0AF01DD22E6E38C5FF2955B357D46899EAB
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://31.210.21.231/6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://31.210.21.231/6.jpg https://threatfox.abuse.ch/ioc/28093/
http://31.210.21.231/1.jpg https://threatfox.abuse.ch/ioc/28094/
http://31.210.21.231/2.jpg https://threatfox.abuse.ch/ioc/28095/
http://31.210.21.231/3.jpg https://threatfox.abuse.ch/ioc/28096/
http://31.210.21.231/4.jpg https://threatfox.abuse.ch/ioc/28097/
http://31.210.21.231/5.jpg https://threatfox.abuse.ch/ioc/28098/
http://31.210.21.231/7.jpg https://threatfox.abuse.ch/ioc/28099/

Intelligence

File Origin
# of uploads :
3
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148084/
Detection(s):
SecuriteInfo.com.Trojan.CryptA.13561.24119.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Connection attempt
Deleting a recently created file
Reading critical registry keys
Replacing files
Creating a window
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Launching a tool to kill processes
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/706909
Signature
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402375 Sample: PLI5130745618.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 88 46 Found malware configuration 2->46 48 Yara detected Vidar stealer 2->48 50 Downloads files with wrong headers with respect to MIME Content-Type 2->50 52 2 other signatures 2->52 8 PLI5130745618.exe 15 8 2->8         started        process3 dnsIp4 40 launcher.worldofwarcraft.com 137.221.106.103, 49714, 80 BLIZZARDEU United Kingdom 8->40 26 C:\Users\user\AppData\...\PLI5130745618.exe, PE32 8->26 dropped 28 C:\...\PLI5130745618.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 8->30 dropped 54 Creates an undocumented autostart registry key 8->54 56 Writes to foreign memory regions 8->56 58 Injects a PE file into a foreign processes 8->58 13 PLI5130745618.exe 193 8->13         started        18 PLI5130745618.exe 8->18         started        file5 signatures6 process7 dnsIp8 42 31.210.21.231, 49725, 80 PLUSSERVER-ASN1DE Netherlands 13->42 44 192.168.2.1 unknown unknown 13->44 32 C:\ProgramData\vcruntime140.dll, PE32 13->32 dropped 34 C:\ProgramData\sqlite3.dll, PE32 13->34 dropped 36 C:\ProgramData\softokn3.dll, PE32 13->36 dropped 38 4 other files (none is malicious) 13->38 dropped 60 Tries to harvest and steal browser information (history, passwords, etc) 13->60 62 Tries to steal Crypto Currency Wallets 13->62 20 cmd.exe 1 13->20         started        file9 signatures10 process11 process12 22 taskkill.exe 1 20->22         started        24 conhost.exe 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f98f307a6a414fcbe42e1017d720f1ed8c9e0df21b703f74e94dbe1afa8b32ff/
Threat name:
Win32.Trojan.Oskistealer
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 02:25:51 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ghta6tkifh4xzbocal5oihr5wgj4dpsdnyd65hjjw7bv6ulgl7q._file
Verdict:
unknown
Similar samples:
381d4a53dc6d69491c703d2f35888b64a675c2b3de8f6572720828dd428a359b
OskiStealer
4a126dd572e4e9683ee2c10df9415488da67ba17fb5319082af4f89ae8224a5f
OskiStealer
654fee180d29661e28f504f62affb32a366e1ba97b01cc8de69854e8bc032b63
OskiStealer
77d3172d77aa45c61b8563dcb13b26bd2f8f9fb4cbc2fcc966966a26f316ba56
OskiStealer
82426d67e219a1d9ac41d9bd9e3d4a74beb90472176320a5ace56d295ce3dd9c
OskiStealer
a9a3bb0f7160512839169fd9095821469bbfd54228b6c4c7dc9da4a53cafffb9
OskiStealer
c8f09665c4c94041dd63191d0ea1b0f5092dc636eea7191242a7d7da9d7fa8b6
OskiStealer
ea31b5ce4282473fcb609cdc4c66649b2e79bbe96125b35954c015266f22a95c
OskiStealer
f132a49b6940edaa008fdf3b73fb80ffec67e83ff8ffd8eec657386fda9c48a5
OskiStealer
fb91f67073fef8d391ccb08c31183ff2ff00e8a8ca0f71fb5bfce17fb0ddbd26
OskiStealer
+ 87 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210503-dtx8clwq9s/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Unpacked files
SH256 hash:
4296511e7086428d57331e3071d9fe4b9888e3cf68a411a2a9e8a5c0789ff45a
MD5 hash:
bb10f690d5fd7e236f5bcab346c4c54b
SHA1 hash:
ec7929e12eb4cbc05169d935a08f016db6277815
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/53a83d71-47b9-4b86-8908-96b62aa2c123/
SH256 hash:
3ad73a5276cb14839129b4222dca2820a37ff3f646efce0d5f21f00676684e82
MD5 hash:
f68dfce132faca62d1d7d1d19fe11108
SHA1 hash:
a5528bd5f3d3120c69e418efcd79a15f87a2ff87
Link:
https://www.unpac.me/results/53a83d71-47b9-4b86-8908-96b62aa2c123/
SH256 hash:
32f37430bc3733f6eadcdbbd5afe2acd21a2d65c3671dcf09b2adb1d62214549
MD5 hash:
30312fb17a5f0a3c958a5bf014b96187
SHA1 hash:
81ad1d2b03121e9d034756018433c165d0712737
Link:
https://www.unpac.me/results/53a83d71-47b9-4b86-8908-96b62aa2c123/
SH256 hash:
f98f307a6a414fcbe42e1017d720f1ed8c9e0df21b703f74e94dbe1afa8b32ff
MD5 hash:
9b807ec7d5c9fa755cd95453f9a7c0d0
SHA1 hash:
9bb35f35f97839e4c995ab39246a5caac983c928
Link:
https://www.unpac.me/results/53a83d71-47b9-4b86-8908-96b62aa2c123/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/f98f307a6a414fcbe42e1017d720f1ed8c9e0df21b703f74e94dbe1afa8b32ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe f98f307a6a414fcbe42e1017d720f1ed8c9e0df21b703f74e94dbe1afa8b32ff

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/148084/
  
URLhaus
https://urlhaus.abuse.ch/url/1187754/
  
Delivery method
Distributed via web download

Comments