Analysis Report New Order PO2193570O1.pdf.exe
Overview
General Information
Detection: Oski, Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Sigma detected: Suspicious Double Extension
Yara detected Oski Stealer
Yara detected Vidar stealer
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Is looking for software installed on the system
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
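Three of the network signatures above describe checks a practitioner can repeat on captured traffic: a downloaded body whose leading bytes contradict the declared Content-Type ("Downloads files with wrong headers with respect to MIME Content-Type", "Downloads executable code via HTTP"), a POST to a `.jpg` URL that does not carry an image ("Posts data to a JPG file (protocol mismatch)"), and requests sent without a User-Agent header. The Python below is an added example, my own and not Joe Sandbox's signature code, that applies those checks to constructed HTTP transactions. The 203.0.113.10 host (TEST-NET-3), the paths under `/tsc/`, the headers and the bodies are all made up for the example; they are not indicators taken from this report.

```python
from typing import Dict, List, Optional

# Added example; the magic-byte table and rules are my own, not Joe Sandbox's.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]
# Declared types that promise nothing about the payload, so no mismatch is raised.
GENERIC_TYPES = {"", "application/octet-stream", "binary/octet-stream"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def sniff(body: bytes) -> Optional[str]:
    """MIME type implied by the leading bytes, or None if unrecognised."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def check_transaction(tx: Dict) -> List[str]:
    """Findings for one request/response pair, in the order they are checked."""
    findings = []
    headers = {k.lower(): v for k, v in tx.get("request_headers", {}).items()}
    if "user-agent" not in headers:
        findings.append("no User-Agent header")

    # A POST whose URL ends in an image extension should be carrying an image.
    path = tx["url"].split("?", 1)[0].lower()
    if tx["method"] == "POST" and path.endswith(IMAGE_EXTS):
        kind = sniff(tx.get("request_body", b""))
        if kind is None or not kind.startswith("image/"):
            findings.append("POST to image URL carries %s data" % (kind or "unrecognised"))

    # Compare what the server claimed with what the bytes say.
    declared = tx.get("response_content_type", "").split(";", 1)[0].strip().lower()
    actual = sniff(tx.get("response_body", b""))
    if actual and declared not in GENERIC_TYPES and declared != actual:
        findings.append("Content-Type says %s but body is %s" % (declared, actual))
    if actual == "application/x-dosexec":
        findings.append("executable code downloaded over HTTP")
    return findings


# Constructed transactions. 203.0.113.10 (TEST-NET-3) and the paths under /tsc/
# are placeholders, not indicators from this report.
SAMPLE_TRANSACTIONS = [
    {"name": "stage download", "method": "GET",
     "url": "http://203.0.113.10/tsc/pic.jpg",
     "request_headers": {"Host": "203.0.113.10"},
     "response_content_type": "image/jpeg",
     # PE image: "MZ" e_magic followed by filler bytes
     "response_body": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48},
    {"name": "exfil", "method": "POST",
     "url": "http://203.0.113.10/tsc/upload.jpg",
     "request_headers": {"Host": "203.0.113.10", "Content-Type": "application/octet-stream"},
     # zip local-file header, sent raw rather than multipart-wrapped to keep the example short
     "request_body": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 40,
     "response_content_type": "text/plain",
     "response_body": b"ok"},
    {"name": "benign", "method": "GET",
     "url": "https://cdn.example/logo.png",
     "request_headers": {"Host": "cdn.example", "User-Agent": "Mozilla/5.0"},
     "response_content_type": "image/png",
     "response_body": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16},
]


def triage(transactions) -> Dict[str, List[str]]:
    """Map each transaction name to its list of findings (empty means clean)."""
    return {tx["name"]: check_transaction(tx) for tx in transactions}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_TRANSACTIONS).items():
        print(name, "->", findings or "clean")
```

The magic check only looks at the first bytes of a body, so it does not see an archive hidden inside a multipart form; for real captures, parse the multipart parts first and run `sniff` on each part's payload.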
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Oski |
---|
{"C2 url": "51.222.56.151/tsc/", "RC4 Key": "056139954853430408"}
Threatname: Vidar |
---|
What the extractor labels "Config" for the Vidar match is not operator configuration but the host fingerprint the stealer collects and writes out (system, hardware, time, network, installed software); the values describe the analysis VM. The misspelling "Installed Softwrare" appears in the sample's own output strings, and the entries prefixed with hex offsets such as "00001965 -> ..." are where the string extractor split a non-ASCII string.
{"Config": ["00000000 -> System ---------------------------------------------------", "Windows: Windows 10 Pro", "Bit: x64", "User: user", "Computer Name: 066656", "System Language: en-US", "Machine ID: d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}", "Domain Name: Unknown", "Workgroup: EEGWXUH", "Keyboard Languages: English (United States)", "Hardware -------------------------------------------------", "Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Logical processors: 4", "Videocard: Microsoft Basic Display Adapter", "Display: 1280x1024", "RAM: 8191 MB", "Laptop: No", "Time -----------------------------------------------------", "Local: 11/6/2021 6:32:4", "Zone: UTC-8", "Network --------------------------------------------------", "IP: IP?", "Country: Country?", "Installed Softwrare --------------------------------------", "Google Chrome 85.0.4183.121", "Microsoft Office Professional Plus 2016 16.0.4266.1001", "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 12.0.30501.0", "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 12.0.21005", "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 10.0.30319", "Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 14.21.27702", "Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 14.21.27702", "Java 8 Update 211 8.0.2110.12", "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 11.0.61030.0", "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 14.21.27702.2", "Java Auto Updater 2.8.211.12", "Google Update Helper 1.3.35.451", "Microsoft Office Professional Plus 2016 16.0.4266.1001", "Security Update for Microsoft Office 2016 (KB3114690) 32-Bit Edition", "Update for Microsoft Office 2016 (KB2920712) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3141456) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3115081) 32-Bit Edition", "Update for Microsoft Office 2016 (KB2920717) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3114852) 32-Bit Edition", "Update for Microsoft Office 2016 (KB2920720) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4022161) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB3128012) 32-Bit Edition", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit Edition", "Security Update for Microsoft PowerPoint 2016 (KB4484246) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3118263) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB4022176) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3114528) 32-Bit Edition", "Security Update for Microsoft Visio 2016 (KB4484244) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB4484287) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3118262) 32-Bit Edition", "Update for Skype for Business 2016 (KB4484286) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB4484214) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB4011574) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3213650) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4462119) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4032236) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB3085538) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4484138) 32-Bit Edition", "Definition Update for Microsoft Office 2016 (KB3115407) 32-Bit Edition", "Update for Microsoft Office 2016 (KB2920678) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4475580) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4484248) 32-Bit Edition", "Security Update for Microsoft Excel 2016 (KB4484273) 32-Bit Edition", "Security Update for Microsoft Publisher 2016 (KB4011097) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4464586) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4464538) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4461435) 32-Bit Edition", "Security Update for Microsoft Outlook 2016 (KB4484274) 32-Bit Edition", "Security Update for Microsoft Project 2016 (KB4484269) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3191929) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4011259) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4464535) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB2920727) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3114903) 32-Bit Edition", "Update for Microsoft Office 2016 (KB2920724) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4484101) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3118264) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4011629) 32-Bit Edition", "Security Update for Microsoft Access 2016 (KB4484167) 32-Bit Edition", "Update for Microsoft OneDrive for Business (KB4022219) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4032254) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4011225) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4484106) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4022193) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4011634) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB4484258) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3178666) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4011669) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4475588) 32-Bit Edition", "Update for Microsoft OneNote 2016 (KB4475586) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB3213551) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4484145) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3115276) 32-Bit Edition", "Microsoft Access MUI (English) 2016 16.0.4266.1001", "Microsoft Excel MUI (English) 2016 16.0.4266.1001", "Security Update for Microsoft Excel 2016 (KB4484273) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4011629) 32-Bit Edition", "Microsoft PowerPoint MUI (English) 2016 16.0.4266.1001", "Security Update for Microsoft PowerPoint 2016 (KB4484246) 32-Bit Edition", "Security Update for Microsoft Excel 2016 (KB4484273) 32-Bit Edition", "Microsoft Publisher MUI (English) 2016 16.0.4266.1001", "Security Update for Microsoft Publisher 2016 (KB4011097) 32-Bit Edition", "Microsoft Outlook MUI (English) 2016 16.0.4266.1001", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit Edition", "Security Update for Microsoft Outlook 2016 (KB4484274) 32-Bit Edition", "Microsoft Word MUI (English) 2016 16.0.4266.1001", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit Edition", "Security Update for Microsoft Excel 2016 (KB4484273) 32-Bit Edition", "Microsoft Office Proofing Tools 2016 - English 16.0.4266.1001", "Update for Microsoft Office 2016 (KB4464538) 32-Bit Edition", "Outils de v", "00001965 -> rification linguistique 2016 de Microsoft Office", "00001996 -> - Fran", "0000199d -> ais 16.0.4266.1001", "Update for Microsoft Office 2016 (KB4464538) 32-Bit Edition", "Herramientas de correcci", "00001a07 -> n de Microsoft Office 2016: espa", "00001a28 -> ol 16.0.4266.1001", "Update for Microsoft Office 2016 (KB4464538) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3114528) 32-Bit Edition", "Update for Skype for Business 2016 (KB4484286) 32-Bit Edition", "Update for Microsoft Office 2016 (KB3213650) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4462119) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB3085538) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB4022162) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4484248) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4464586) 32-Bit Edition", "Security Update for Microsoft Project 2016 (KB4484269) 32-Bit Edition", "Update for Microsoft OneDrive for Business (KB4022219) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4484106) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4011634) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4475588) 32-Bit Edition", "Update for Microsoft OneNote 2016 (KB4475586) 32-Bit Edition", "Update for Microsoft OneDrive for Business (KB4022219) 32-Bit Edition", "Microsoft Office Proofing (English) 2016 16.0.4266.1001", "Microsoft InfoPath MUI (English) 2016 16.0.4266.1001", "Microsoft Office Shared MUI (English) 2016 16.0.4266.1001", "Security Update for Microsoft Office 2016 (KB4022176) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB4484214) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB4011574) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4475580) 32-Bit Edition", "Update for Microsoft Office 2016 (KB4484106) 32-Bit Edition", "Security Update for Microsoft Office 2016 (KB3213551) 32-Bit Edition", "Microsoft DCF MUI (English) 2016 16.0.4266.1001", "Microsoft OneNote MUI (English) 2016 16.0.4266.1001", "Update for Microsoft OneNote 2016 (KB4475586) 32-Bit Edition", "Microsoft Groove MUI (English) 2016 16.0.4266.1001", "Update for Microsoft OneDrive for Business (KB4022219) 32-Bit Edition", "Microsoft Office OSM MUI (English) 2016 16.0.4266.1001", "Microsoft Office OSM UX MUI (English) 2016 16.0.4266.1001", "Microsoft Office Shared Setup Metadata MUI (English) 2016 16.0.4266.1001", "Microsoft Access Setup Metadata MUI (English) 2016 16.0.4266.1001", "Microsoft Skype for Business MUI (English) 2016 16.0.4266.1001", "Security Update for Microsoft Word 2016 (KB4484300) 32-Bit Edition", "Update for Skype for Business 2016 (KB4484286) 32-Bit Edition", "Adobe Acrobat Reader DC 19.012.20035", "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 11.0.61030", "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 11.0.61030", "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 11.0.61030.0", "Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 14.21.27702.2", "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 12.0.30501.0", "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 12.0.21005"]}
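The extractor reports an RC4 key alongside the C2 URL for the Oski match. The page does not say which data the sample encrypts with that key, so the Python below is an added example and not Oski's or Joe Sandbox's code: a stand-alone RC4 routine plus a printable-ratio score for trying the reported key against blobs recovered elsewhere (C2 request bodies from the PCAP, encrypted strings carved from a memory dump). The "captured" blob is constructed inside the block by encrypting a made-up plaintext with the reported key, so the block runs offline; the plaintext format is invented and says nothing about Oski's real protocol.

```python
# Added example. RC4 is a standard algorithm; this is not Oski's code, and the
# page does not say which data the sample encrypts with the reported key.
KEY = b"056139954853430408"   # "RC4 Key" from the extracted Oski configuration


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt (the same operation in both directions)."""
    # Key-scheduling algorithm: permute S under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, keystream XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def try_key(key: bytes, blob: bytes, threshold: float = 0.9):
    """Decrypt blob with key; return (plaintext, score, plausible?)."""
    plaintext = rc4_crypt(key, blob)
    score = printable_ratio(plaintext)
    return plaintext, score, score >= threshold


# Constructed stand-in for a captured payload: a made-up plaintext encrypted
# here with the reported key. Real input would come from the PCAP or a dump.
SAMPLE_PLAINTEXT = (b"constructed example payload: os=Windows 10 Pro; "
                    b"user=user; browsers=1; wallets=0; screenshot=no")
SAMPLE_BLOB = rc4_crypt(KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    for candidate in (KEY, b"not-the-key"):
        pt, score, ok = try_key(candidate, SAMPLE_BLOB)
        print(candidate, "score=%.2f" % score, "plausible" if ok else "garbage", pt[:40])
```

The printable-ratio score is a coarse filter that only works when the plaintext is text; for binary payloads, check instead for a structure you expect (a known header, a length field that matches the body) after decryption.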
Yara Overview |
---|
Memory Dumps |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | |
| | JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | |
| | JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | |
| | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | |
Unpacked PEs |
---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | |
| | JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | |
| | JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | |
| | JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | |
| | JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Suspicious Double Extension |
Source: | Author: Florian Roth (rule), @blu3_team (idea) |
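The Sigma hit keys on the sample's name, `New Order PO2193570O1.pdf.exe`: a document extension followed by an executable one, so Explorer users who hide known extensions see a PDF. The Python below is an added example, my own approximation and not the Sigma rule's text or Joe Security code; it runs the check over constructed Sysmon-style process-creation events (the `Image` paths and the decoy/executable extension lists are assumptions) and also covers two related tricks the report does not mention: whitespace padding that pushes the real extension out of view, and the right-to-left override character (U+202E) that reverses the displayed suffix.

```python
import re

# Added example: approximates the "Suspicious Double Extension" idea.
# Extension lists are my own assumptions, not the Sigma rule's exact content.
DECOY_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
              "txt", "rtf", "jpg", "jpeg", "png", "zip")
EXEC_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1")

# <name>.<decoy>[padding].<executable> at the end of the file name. The \s*
# tolerates "Invoice.xlsx          .scr", which hides the real extension off
# the edge of a narrow Explorer column.
_DOUBLE_EXT = re.compile(
    r"\.(?:%s)\s*\.(?:%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: "report\u202efdp.exe" displays as "reportexe.pdf"


def file_name(path: str) -> str:
    """Final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_double_extension(path: str) -> bool:
    return _DOUBLE_EXT.search(file_name(path)) is not None


def classify(path: str) -> list:
    """Reasons the file name is deceptive; an empty list means nothing found."""
    name = file_name(path)
    reasons = []
    if _DOUBLE_EXT.search(name):
        reasons.append("double extension")
    if RLO in name:
        reasons.append("right-to-left override in name")
    return reasons


# Constructed Sysmon-style process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\New Order PO2193570O1.pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\Downloads\Invoice_2021.xlsx          .scr",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Users\user\Desktop\New Order PO2193570O1.pdf.exe"},
    {"EventID": 1, "Image": "C:\\Users\\user\\Downloads\\statement\u202efdp.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def flag_suspicious(events):
    """(Image, reasons) for every process-creation event with a deceptive name."""
    hits = []
    for ev in events:
        reasons = classify(ev["Image"])
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in flag_suspicious(SAMPLE_EVENTS):
        print("%-35s %r" % (", ".join(reasons), image))
```

In a SIEM the same logic belongs on the file-creation and process-creation feeds together: the double-extension name is visible at download time, before the user ever runs it.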
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor |
Source: | Malware Configuration Extractor |