Play interactive tourEdit tour
Windows Analysis Report gunzipped.exe
Overview
General Information
Detection
Oski Stealer Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected Oski Stealer
Yara detected Vidar stealer
Tries to steal Crypto Currency Wallets
Downloads files with wrong headers with respect to MIME Content-Type
Machine Learning detection for sample
Injects a PE file into a foreign processes
Posts data to a JPG file (protocol mismatch)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Enables debug privileges
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses taskkill to terminate processes
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Oski |
---|
{"C2 url": "http://2.56.57.108/osk/", "RC4 Key": "056139954853430408"}
Threatname: Vidar |
---|
{"C2 url": "http://2.56.57.108/osk/", "RC4 Key": "056139954853430408"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
JoeSecurity_Oski_1 | Yara detected Oski Stealer | Joe Security | ||
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
Click to see the 5 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
JoeSecurity_Oski | Yara detected Oski Stealer | Joe Security | ||
Click to see the 10 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | ReversingLabs: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Source: | Code function: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: |
Downloads files with wrong headers with respect to MIME Content-Type | Show sources |
Source: | Image file has PE prefix: |