analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www33.zippyshare.com/d/hvc6SWB0/405227/Oski_Stealer.rar

Full analysis: https://app.any.run/tasks/0a9f39aa-4344-4831-a050-516a53895606
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 08, 2020, 22:24:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
vidar
loader
Indicators:
MD5:

A138A5930D5276201C879E7C3BFED75F

SHA1:

C83E711BD6E6DCB069DAA7113D48A917FCC2FE21

SHA256:

02337B79270D62AABEA81A58880135CD84A18CB29AE35361FC567ACD1D022EED

SSDEEP:

3:N8DSWWrM/hGKxKBE2ynRWDgAK:2O+/hGNBEVnRWDFK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3248)
      • WinRAR.exe (PID: 2504)
      • bat.exe (PID: 3088)

    • Application was dropped or rewritten from another process

      • bot.exe (PID: 3008)
      • Oski Cracked.exe (PID: 3084)
      • bat.exe (PID: 3088)

    • VIDAR was detected

      • bot.exe (PID: 3008)
      • bat.exe (PID: 3088)

    • Loads dropped or rewritten executable

      • bot.exe (PID: 3008)

    • Stealing of credential data

      • bot.exe (PID: 3008)

    • Steals credentials from Web Browsers

      • bot.exe (PID: 3008)

    • Actions looks like stealing of personal data

      • bot.exe (PID: 3008)

  • SUSPICIOUS

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3248)
      • WinRAR.exe (PID: 2504)
      • bot.exe (PID: 3008)
      • bat.exe (PID: 3088)

    • Drops a file with a compile date too recent

      • chrome.exe (PID: 2168)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3248)
      • WinRAR.exe (PID: 2504)
      • bot.exe (PID: 3008)
      • bat.exe (PID: 3088)

    • Reads internet explorer settings

      • Oski Cracked.exe (PID: 3084)

    • Creates files in the program directory

      • bot.exe (PID: 3008)
      • bat.exe (PID: 3088)

    • Reads the cookies of Google Chrome

      • bot.exe (PID: 3008)
      • bat.exe (PID: 3088)

    • Reads the cookies of Mozilla Firefox

      • bot.exe (PID: 3008)

    • Searches for installed software

      • bot.exe (PID: 3008)

    • Starts CMD.EXE for commands execution

      • bot.exe (PID: 3008)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3596)

  • INFO

    • Reads settings of System Certificates

      • chrome.exe (PID: 1236)

    • Reads the hosts file

      • chrome.exe (PID: 1236)
      • chrome.exe (PID: 2168)

    • Manual execution by user

      • WinRAR.exe (PID: 3248)
      • WinRAR.exe (PID: 2504)
      • Oski Cracked.exe (PID: 3084)
      • bot.exe (PID: 3008)
      • bat.exe (PID: 3088)

    • Application launched itself

      • chrome.exe (PID: 2168)

    • Creates files in the user directory

      • chrome.exe (PID: 2168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
80
Monitored processes
34
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe winrar.exe oski cracked.exe no specs #VIDAR bot.exe #VIDAR bat.exe cmd.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2168"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking "https://www33.zippyshare.com/d/hvc6SWB0/405227/Oski_Stealer.rar"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2952"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x71aca9d0,0x71aca9e0,0x71aca9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
884"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1336 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3976"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,11111778140911358356,15971515497626970565,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=4896228609142219612 --mojo-platform-channel-handle=1052 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1236"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,11111778140911358356,15971515497626970565,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=8332938868143408030 --mojo-platform-channel-handle=1552 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3600"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,11111778140911358356,15971515497626970565,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10619351076357443054 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2648"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,11111778140911358356,15971515497626970565,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4517262604812693768 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3036"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,11111778140911358356,15971515497626970565,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4127302294569716074 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2420 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2456"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,11111778140911358356,15971515497626970565,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8527688375669500731 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
672"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,11111778140911358356,15971515497626970565,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13857645200197170388 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
1 257
Read events
1 151
Write events
103
Delete events
3

Modification events

(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:Key:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:2168-13251939890370750
Value:
259
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:3252-13245750958665039
Value:
0
(PID) Process:(2168) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:2168-13251939890370750
Value:
259
Executable files
33
Suspicious files
108
Text files
4 222
Unknown types
59

Dropped files

PID
Process
Filename
Type
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5FCFFD33-878.pma
MD5:
SHA256:
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
MD5:
SHA256:
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\c807e45d-9ee7-46f9-a9c0-5838c78dd1a3.tmp
MD5:
SHA256:
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp
MD5:
SHA256:
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabsbinary
MD5:E815400F953EA8DB8A98D52737C9A50D
SHA256:E9F064927A191500B7365F51C9CD0763A6A8E68A8B866ACED39AA0E72C3EAD85
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:1C97B70A4BAD7C026F79467C7D496AFA
SHA256:C5A02E4984DE3F30DADFC0A89A93F45418C06653C3962EAA94C93909E51D272D
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF13fea7.TMPtext
MD5:D33038DC70A58F2AC0EA1823980691AE
SHA256:6EE5DB5588EB879D13CE5A0DB3CA1744079C1BE3F73959A3B900684C56061D97
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF13ff33.TMPtext
MD5:1C97B70A4BAD7C026F79467C7D496AFA
SHA256:C5A02E4984DE3F30DADFC0A89A93F45418C06653C3962EAA94C93909E51D272D
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:67F45CAA18C889645F50CD6216C81E65
SHA256:33ED82CDDDFFD55A5059C147C6CD20F66C6712314F890A39576D3C10914D0029
2168chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:C2DDBA63E4A2BD2E39A8B6C2C6384AAE
SHA256:6D5C1C78341C6F84911055D970ADDB0EC3499F8BF7FADE062122A22209CE67D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
119
DNS requests
86
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3008
bot.exe
POST
200
62.77.159.212:80
http://62.77.159.212/5.jpg
HU
executable
1.19 Mb
malicious
3008
bot.exe
POST
200
62.77.159.212:80
http://62.77.159.212/3.jpg
HU
executable
133 Kb
malicious
1236
chrome.exe
GET
304
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.5 Kb
whitelisted
3008
bot.exe
POST
200
62.77.159.212:80
http://62.77.159.212/1.jpg
HU
executable
630 Kb
malicious
3008
bot.exe
POST
200
62.77.159.212:80
http://62.77.159.212/2.jpg
HU
executable
326 Kb
malicious
3008
bot.exe
POST
200
62.77.159.212:80
http://62.77.159.212/6.jpg
HU
executable
141 Kb
malicious
3088
bat.exe
POST
200
62.77.159.212:80
http://62.77.159.212/6.jpg
HU
executable
141 Kb
malicious
3088
bat.exe
POST
200
62.77.159.212:80
http://62.77.159.212/1.jpg
HU
executable
630 Kb
malicious
3008
bot.exe
POST
200
62.77.159.212:80
http://62.77.159.212/main.php
HU
text
28 b
malicious
3008
bot.exe
POST
200
62.77.159.212:80
http://62.77.159.212/7.jpg
HU
executable
81.8 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1236
chrome.exe
172.217.18.109:443
accounts.google.com
Google Inc.
US
suspicious
1236
chrome.exe
46.166.139.188:443
www33.zippyshare.com
NForce Entertainment B.V.
NL
unknown
1236
chrome.exe
104.75.88.112:443
s7.addthis.com
Akamai Technologies, Inc.
NL
suspicious
1236
chrome.exe
54.237.125.12:443
aphycolourses.info
Amazon.com, Inc.
US
suspicious
1236
chrome.exe
13.35.253.46:443
d10lumateci472.cloudfront.net
US
malicious
1236
chrome.exe
173.192.101.24:443
p232207.clksite.com
SoftLayer Technologies Inc.
US
suspicious
1236
chrome.exe
172.217.4.196:443
www.google.com
Google Inc.
US
whitelisted
1236
chrome.exe
139.45.195.81:443
louchees.net
US
suspicious
1236
chrome.exe
35.190.68.123:443
www.maxonclick.com
Google Inc.
US
whitelisted
1236
chrome.exe
99.84.156.113:443
hmonstabb.fun
AT&T Services, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
www33.zippyshare.com
  • 46.166.139.188
unknown
accounts.google.com
  • 172.217.18.109
shared
d10lumateci472.cloudfront.net
  • 13.35.253.46
  • 13.35.253.83
  • 13.35.253.24
  • 13.35.253.230
whitelisted
ds88pc0kw6cvc.cloudfront.net
  • 13.35.253.196
  • 13.35.253.131
  • 13.35.253.11
  • 13.35.253.15
whitelisted
s7.addthis.com
  • 104.75.88.112
whitelisted
safebrowsing.googleapis.com
  • 209.85.146.95
whitelisted
p232207.clksite.com
  • 173.192.101.24
whitelisted
www.maxonclick.com
  • 35.190.68.123
whitelisted
www.google.com
  • 172.217.4.196
whitelisted
louchees.net
  • 139.45.195.81
  • 139.45.195.142
  • 139.45.196.3
  • 139.45.195.16
  • 139.45.196.67
  • 139.45.197.9
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
1236
chrome.exe
Potentially Bad Traffic
ET INFO Observed ZeroSSL SSL/TLS Certificate
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
1236
chrome.exe
Potentially Bad Traffic
ET INFO Observed ZeroSSL SSL/TLS Certificate
1236
chrome.exe
Potentially Bad Traffic
ET INFO Observed ZeroSSL SSL/TLS Certificate
3008
bot.exe
A Network Trojan was detected
ET POLICY Data POST to an image file (jpg)
3008
bot.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
3008
bot.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
3008
bot.exe
unknown
SUSPICIOUS [PTsecurity] HTTP POST to .jpg
3008
bot.exe
Potential Corporate Privacy Violation
ET POLICY Suspicious EXE Download Content-Type image/jpeg
15 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www33.zippyshare.com/d/hvc6SWB0/405227/Oski_Stealer.rar