MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fac2fa827e763dfcc0b5baf189dd050db2dae4d731ec54a208c2238d4f7b55e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 9


Intelligence 9 IOCs 7 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fac2fa827e763dfcc0b5baf189dd050db2dae4d731ec54a208c2238d4f7b55e9
SHA3-384 hash: 62c9da91942cadd94032c5ffd498fadf05788a36d52bd3b11d14d9e86b516372f45af7d338194dd78e1af42ebe21dfb2
SHA1 hash: 1d3d073bdaac0cb8e59f90e13bb686a9602f6da6
MD5 hash: 9f6f8cb5647da0fc5df0142e82ac12ee
humanhash: michigan-illinois-kentucky-vermont
File name:9f6f8cb5647da0fc5df0142e82ac12ee
Download: download sample
Signature OskiStealer
Create hunting rule
File size:284'656 bytes
First seen:2021-06-14 08:00:21 UTC
Last seen:2021-06-14 08:48:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:45RjoQoNNBeGjaWYfIyp/5IO30Z/mPhy7NEU1:ehodKGuWYAypmA0hMHU1
TLSH C954026791C76141D8C60FB56EA18D2FB8FCEF04142F86E7790B293FC949AC6DB06126
Reporter zbetcheckin
Tags:32 exe OskiStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://136.144.41.233/6.jpg https://threatfox.abuse.ch/ioc/105100/
http://136.144.41.233/1.jpg https://threatfox.abuse.ch/ioc/105101/
http://136.144.41.233/2.jpg https://threatfox.abuse.ch/ioc/105102/
http://136.144.41.233/3.jpg https://threatfox.abuse.ch/ioc/105104/
http://136.144.41.233/4.jpg https://threatfox.abuse.ch/ioc/105105/
http://136.144.41.233/5.jpg https://threatfox.abuse.ch/ioc/105106/
http://136.144.41.233/7.jpg https://threatfox.abuse.ch/ioc/105107/

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9f6f8cb5647da0fc5df0142e82ac12ee
Verdict:
No threats detected
Analysis date:
2021-06-14 08:07:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a71f5faf-45ee-4fc0-9719-7f6168f3077a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.835.27193.29375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7135c50-9424-4cc5-8b4d-b6cb66da05c6
Result
Threat name:
Oski Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/801687
Signature
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 434081 Sample: ckI9qszXDW Startdate: 14/06/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 8 other signatures 2->47 8 ckI9qszXDW.exe 28 2->8         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\notpad.exe, PE32 8->23 dropped 25 C:\Users\user\AppData\...\ckI9qszXDW.exe, PE32 8->25 dropped 27 C:\Users\user\...\notpad.exe:Zone.Identifier, ASCII 8->27 dropped 29 2 other malicious files 8->29 dropped 49 Creates an undocumented autostart registry key 8->49 51 Writes to foreign memory regions 8->51 53 Allocates memory in foreign processes 8->53 55 Injects a PE file into a foreign processes 8->55 12 ckI9qszXDW.exe 193 8->12         started        signatures5 process6 dnsIp7 39 136.144.41.233, 49751, 80 WORLDSTREAMNL Netherlands 12->39 31 C:\ProgramData\vcruntime140.dll, PE32 12->31 dropped 33 C:\ProgramData\sqlite3.dll, PE32 12->33 dropped 35 C:\ProgramData\softokn3.dll, PE32 12->35 dropped 37 4 other files (none is malicious) 12->37 dropped 57 Multi AV Scanner detection for dropped file 12->57 59 Machine Learning detection for dropped file 12->59 61 Tries to harvest and steal browser information (history, passwords, etc) 12->61 63 Tries to steal Crypto Currency Wallets 12->63 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 taskkill.exe 1 17->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fac2fa827e763dfcc0b5baf189dd050db2dae4d731ec54a208c2238d4f7b55e9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lbpvat6oy67zqfvxlyytxifbwznvzgxghwfjiqiyiry2t33kxuq._file
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210614-na23t4qxma/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
136.144.41.233
Unpacked files
SH256 hash:
c762847ed4416c67a1062b2dcdbf131b142de59ae81fc9b3ee11c14f3bb990d8
MD5 hash:
c1ce047d05958d3e0a12f1771d6c85cc
SHA1 hash:
9ea2959061eae3ed5b8bc340d2dde9736adf7d12
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/c8f84a75-e5ec-49ed-8efe-decff17eba6c/
SH256 hash:
a3074da95fc1b06b63e71a29edf72d9e1a333d595e9a2a5b14b85ff27d74012f
MD5 hash:
6edc9ebd57cd22f14f9ed85dbec503b9
SHA1 hash:
75e3e680e4ca1cfddfeb14de0a1f357b11154ec5
Link:
https://www.unpac.me/results/c8f84a75-e5ec-49ed-8efe-decff17eba6c/
SH256 hash:
e5fffc8df816f732cfb5f0fa3d32eb5f3edb16b8066ebb93edf10bc5b27fd65c
MD5 hash:
09125c9b174f7d9be890c02ca3f4888e
SHA1 hash:
0b4f1de471cf622f5a47dac7e06f20038defe062
Link:
https://www.unpac.me/results/c8f84a75-e5ec-49ed-8efe-decff17eba6c/
SH256 hash:
fac2fa827e763dfcc0b5baf189dd050db2dae4d731ec54a208c2238d4f7b55e9
MD5 hash:
9f6f8cb5647da0fc5df0142e82ac12ee
SHA1 hash:
1d3d073bdaac0cb8e59f90e13bb686a9602f6da6
Link:
https://www.unpac.me/results/c8f84a75-e5ec-49ed-8efe-decff17eba6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fac2fa827e763dfcc0b5baf189dd050db2dae4d731ec54a208c2238d4f7b55e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OskiStealer

Executable exe fac2fa827e763dfcc0b5baf189dd050db2dae4d731ec54a208c2238d4f7b55e9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1364329/

Comments