Blue Team Project

Oski Stealc Malware Analysis: CyberDefenders

Overview

This project documents my investigation of the CyberDefenders Oski lab. The scenario involved a suspicious PowerPoint file delivered through an email titled Urgent New Order.

After the accountant opened the attached invoice, the SIEM generated an alert for a potentially malicious file download. The investigation focused on using online threat intelligence and sandbox analysis platforms to identify the malware family, extract configuration details, review command and control behavior, and map observed activity to MITRE ATT&CK.

The analysis determined that the malicious executable associated with the PowerPoint file was related to the Stealc malware family.

Video Walkthrough

Watch my Oski Stealc Malware Analysis walkthrough on YouTube

Scenario Summary

An accountant received a suspicious email from a client late in the afternoon. The message was titled:

Urgent New Order

The accountant attempted to open the attached invoice and found that it contained false order information. Shortly after, the SIEM generated an alert for a potentially malicious file download.

Initial investigation suggested that a PowerPoint file was responsible for the download activity.

The goal of the investigation was to analyze the file, identify the malware family, review sandbox behavior, extract important indicators, and understand how the malware attempted to steal data.

Objective

The objective of this investigation was to:

  • Analyze a suspicious PowerPoint-related malware sample
  • Use VirusTotal to review detections and file metadata
  • Use ANY.RUN to review sandbox behavior
  • Identify the malware family
  • Identify command and control activity
  • Review requested libraries and malware configuration
  • Extract key indicators from the sandbox report
  • Map observed activity to MITRE ATT&CK
  • Identify credential theft behavior
  • Review malware cleanup and self-deletion behavior

Key Investigation Data

Evidence Type | Finding
Lab platform | CyberDefenders
Lab name | Oski
Category | Threat Intel
Suspicious email subject | Urgent New Order
Initial file type | PowerPoint file
Malware family | Stealc
Tools used | VirusTotal, ANY.RUN
First requested library | sqlite3.dll
Credential theft technique | T1555: Credentials from Password Stores
File deletion technique | T1070.004: Indicator Removal: File Deletion
Directory targeted for deletion | C:\ProgramData
Self-deletion delay | 5 seconds
C2 server | Add exact C2 URL from report
Malware creation time | Add exact creation time from VirusTotal
RC4 key | Add exact RC4 key from ANY.RUN malware configuration

MITRE ATT&CK Mapping

Tactic | Technique | Evidence
Initial Access | Phishing | Suspicious email with invoice-themed PowerPoint attachment
Execution | User Execution | User opened the suspicious attachment
Defense Evasion | T1070.004: Indicator Removal: File Deletion | Malware attempted to delete files from C:\ProgramData
Credential Access | T1555: Credentials from Password Stores | Malware attempted to steal browser-stored credentials
Command and Control | Application Layer Protocol | Malware communicated with external command and control infrastructure
Exfiltration | Exfiltration Over Web Service or C2 Channel | Browser artifacts and credential data were sent to attacker infrastructure

Skills Demonstrated

  • Threat intelligence analysis
  • Malware sandbox report analysis
  • VirusTotal investigation
  • ANY.RUN investigation
  • Malware family identification
  • Command and control analysis
  • Indicator extraction
  • Malware configuration review
  • MITRE ATT&CK mapping
  • Credential theft analysis
  • Defense evasion analysis
  • Data exfiltration analysis
  • Incident documentation

Tools and Evidence Used

  • VirusTotal
  • ANY.RUN
  • Malware hash analysis
  • Sandbox network behavior
  • HTTP requests
  • Malware configuration output
  • MITRE ATT&CK mapping
  • Base64 decoding concepts
  • RC4 key review
  • URL and domain indicators
  • Command line behavior
  • Process behavior
  • File deletion evidence

Investigation Methodology

1. Initial Threat Intelligence Review

The investigation began with the hash of the suspicious file. I used VirusTotal to determine whether the file was already known to security vendors and threat intelligence sources.

The sample was detected as malicious and associated with the Stealc malware family.

Stealc is commonly associated with information theft activity, including browser credential theft, cryptocurrency wallet targeting, and data exfiltration.

2. Malware Family Identification

VirusTotal detections and community intelligence helped identify the malware family as:

Stealc

This classification was important because it helped guide the rest of the analysis. Once the sample was identified as Stealc, I focused on credential theft, browser artifact collection, command and control communication, and exfiltration behavior.

3. File Metadata Review

The next step was to review file metadata in VirusTotal.

The creation time was located in the file details and history section.

Malware creation time:
Add exact value from VirusTotal

This timestamp can help support timeline analysis, but it should not be treated as absolute proof because malware compile times can be spoofed or manipulated.

4. Command and Control Review

The malware contacted external infrastructure after execution.

The command and control server was identified by reviewing contacted URLs and sandbox network behavior.

C2 server:
Add exact C2 URL from report

This command and control activity was important because it showed where the malware attempted to retrieve additional resources and send stolen information.

5. First Library Requested

The sandbox and threat intelligence data showed that the malware requested a DLL after execution.

The first requested library was:

sqlite3.dll

This was significant because Stealc commonly targets browser data. Browsers keep artifacts such as cookies, saved credentials, and history in SQLite databases, so retrieving sqlite3.dll at runtime gives the malware a way to read those databases without bundling the library in the sample itself.
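Steps 4 and 5 both come from the same artifact: the sandbox's list of HTTP requests made by the sample. The following is an added example of how an analyst can triage such a list to pull out the candidate C2 host and the first library the sample fetched. It is not code from the lab or from the original writeup; the request lines, the line format, the process name sample.exe and the .invalid hostnames are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sandbox-style HTTP request lines (not from the lab report).
# Assumed line format: "<seq> <PID> <process> <METHOD> <URL>".
SAMPLE_REQUESTS = """
1 3412 sample.exe POST http://c2-placeholder.invalid/
2 3412 sample.exe GET http://c2-placeholder.invalid/sqlite3.dll
3 3412 sample.exe GET http://c2-placeholder.invalid/other-library.dll
4 3412 sample.exe POST http://c2-placeholder.invalid/
5 1180 svchost.exe GET http://update.vendor-placeholder.invalid/ctldl.cab
""".strip()

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def parse_requests(text):
    """Turn the raw request lines into dicts with host and path split out."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a request line
        row = m.groupdict()
        row["seq"] = int(row["seq"])
        row["pid"] = int(row["pid"])
        parsed = urlparse(row["url"])
        row["host"] = parsed.hostname
        row["path"] = parsed.path
        rows.append(row)
    return sorted(rows, key=lambda r: r["seq"])


def requested_libraries(rows, process):
    """File names of every .dll the named process fetched, in request order."""
    return [
        r["path"].rsplit("/", 1)[-1]
        for r in rows
        if r["proc"].lower() == process.lower() and r["path"].lower().endswith(".dll")
    ]


def candidate_c2_hosts(rows, process):
    """Hosts the process POSTed to; a fresh sample's POSTs usually mark check-in or exfil."""
    hosts = []
    for r in rows:
        if r["proc"].lower() == process.lower() and r["method"] == "POST" and r["host"] not in hosts:
            hosts.append(r["host"])
    return hosts


def extract_iocs(text, process="sample.exe"):
    """Summarise the indicators an analyst would carry into the report."""
    rows = parse_requests(text)
    libraries = requested_libraries(rows, process)
    return {
        "c2_hosts": candidate_c2_hosts(rows, process),
        "first_library": libraries[0] if libraries else None,
        "libraries": libraries,
        "contacted_hosts": sorted({r["host"] for r in rows if r["proc"].lower() == process.lower()}),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

Filtering by the sample's process name matters: a sandbox also records traffic from the OS and other processes (the svchost.exe line here), and those hosts should not end up in the block list.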

6. Malware Configuration Review

ANY.RUN was used to review the malware configuration extracted from the sample.

The malware configuration included:

  • Command and control URL
  • RC4 key
  • Encoded strings
  • Network behavior
  • Stealer related indicators

The RC4 key identified in the configuration was:

Add exact RC4 key from ANY.RUN malware configuration

The RC4 key was important because the malware used it to decrypt its encoded configuration strings and other protected data; with the key in hand, an analyst can decode those strings independently of the sandbox.
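As an added example of how the extracted RC4 key and the Base64 decoding concept from the tools list fit together, here is a small decoder. It is not code from the lab, from ANY.RUN, or from the original writeup. The key example-rc4-key, the encoded blobs, and the decoded values (a .invalid C2 placeholder, a library name, a directory) are all constructed inside the block; a real sample's encoding may add layers beyond Base64-over-RC4, so treat the layout as an assumption.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def known_answer_check() -> bool:
    """Guard against a broken RC4 implementation before trusting any decoded output."""
    return rc4(b"Key", b"Plaintext").hex().upper() == "BBF316E8D940AF0AD3"


def encode_string(plaintext: str, key: bytes) -> str:
    """RC4 then Base64: used here only to construct sample blobs."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def decode_config_strings(blobs, key: bytes):
    """Base64-decode then RC4-decrypt each blob, flagging output that looks like real text."""
    results = []
    for blob in blobs:
        raw = base64.b64decode(blob)
        text = rc4(key, raw).decode("utf-8", errors="replace")
        # Non-printable output is the usual sign of a wrong key or an extra encoding layer.
        results.append({"blob": blob, "decoded": text, "plausible": text.isprintable()})
    return results


# Constructed sample material (not the lab's key or strings).
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_PLAINTEXTS = ["http://c2-placeholder.invalid/", "sqlite3.dll", "C:\\ProgramData"]
SAMPLE_BLOBS = [encode_string(s, SAMPLE_KEY) for s in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    assert known_answer_check(), "RC4 implementation failed its known-answer check"
    for r in decode_config_strings(SAMPLE_BLOBS, SAMPLE_KEY):
        print(f"{r['blob']} -> {r['decoded']!r} (plausible={r['plausible']})")
```

The known-answer check uses a published RC4 test vector, so a typo in the cipher shows up as a failed check rather than as silently wrong indicators in the report.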

7. Credential Theft Analysis

The malware behavior aligned with credential theft from browser password stores.

The relevant MITRE ATT&CK technique was:

T1555: Credentials from Password Stores

This technique was supported by evidence showing that the malware collected browser artifacts and sent them back to attacker infrastructure.

The behavior suggested that the malware was attempting to steal saved passwords and other sensitive browser stored data.

8. Exfiltration Review

The sandbox report showed outbound activity consistent with data exfiltration.

The malware appeared to collect user data and send it to the command and control server. The exfiltrated data included browser related artifacts that could contain credentials or session material.

This behavior confirmed that the sample was not only executing on the host, but also attempting to steal and transmit sensitive information.

9. File Deletion and Cleanup Behavior

ANY.RUN showed that the malware attempted to delete files after completing its activity.

The targeted directory was:

C:\ProgramData

The malware used a deletion routine to remove DLL files and clean up evidence of activity.

The behavior mapped to:

T1070.004: Indicator Removal: File Deletion

10. Self Deletion Delay

The malware included a timeout before deletion.

The delay was:

5 seconds

This indicates that after exfiltrating data, the malware waited briefly before attempting to delete itself or related files. This cleanup behavior was likely intended to reduce the forensic evidence left on the infected host.
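Steps 9 and 10 together describe a detectable pattern: a short delay followed by deletion of files under C:\ProgramData or of the sample itself. The following is an added example of detection logic over process-creation events, not code from the lab or the original writeup. The events are constructed, and the exact command-line form (a cmd.exe child running timeout followed by del) is an assumption about how a delayed deletion typically appears in a sandbox process tree; adjust the patterns to match what the report actually shows.

```python
import re

# Constructed process-creation events (not from the lab report). The
# "timeout /t N & del ..." form is an assumed shape for a delayed deletion.
SAMPLE_EVENTS = [
    {
        "pid": 3520,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Users\acct\Downloads\sample.exe",
        "cmdline": r'cmd.exe /c timeout /t 5 & del /f /q "C:\ProgramData\placeholder-dir\sqlite3.dll"',
    },
    {
        "pid": 3524,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Users\acct\Downloads\sample.exe",
        "cmdline": r'cmd.exe /c timeout /t 5 & del /f /q "C:\Users\acct\Downloads\sample.exe"',
    },
    {
        "pid": 4100,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Program Files\vendor-placeholder\installer.exe",
        "cmdline": r'cmd.exe /c del /q "C:\Users\acct\AppData\Local\Temp\tmp1234.tmp"',
    },
    {
        "pid": 1180,
        "image": r"C:\Windows\System32\svchost.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
        "cmdline": "svchost.exe -k netsvcs",
    },
]

# "timeout 5" or "timeout /t 5": capture the delay in seconds.
TIMEOUT_RE = re.compile(r"\btimeout\b(?:\s+/t)?\s+(?P<delay>\d+)", re.IGNORECASE)
# "del [/switches] <quoted or bare path>": capture the deletion target.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.IGNORECASE)


def detect_delayed_deletion(events):
    """Flag command lines that delete files, scoring ProgramData and self-deletion highest."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        d = DEL_RE.search(cmd)
        if not d:
            continue  # no deletion in this command line
        target = d.group("quoted") or d.group("bare")
        t = TIMEOUT_RE.search(cmd)
        delay = int(t.group("delay")) if t else None
        in_programdata = target.lower().startswith("c:\\programdata\\")
        # Deleting the parent's own image is the self-deletion case from step 10.
        self_delete = target.lower() == ev["parent_image"].lower()
        findings.append({
            "pid": ev["pid"],
            "parent_image": ev["parent_image"],
            "target": target,
            "delay_seconds": delay,
            "in_programdata": in_programdata,
            "self_delete": self_delete,
            "severity": "high" if (in_programdata or self_delete) else "info",
        })
    return findings


if __name__ == "__main__":
    for f in detect_delayed_deletion(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} delay={f['delay_seconds']} target={f['target']} "
              f"self_delete={f['self_delete']} programdata={f['in_programdata']}")
```

The third event shows why the score matters: installers and updaters routinely delete temporary files, so a plain "del" match is only informational, while a delete aimed at C:\ProgramData or at the parent process's own executable is the pattern that mapped to T1070.004 in this lab.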

Attack Timeline

Phase | Activity
Email delivery | Accountant received email titled Urgent New Order
User interaction | User opened the suspicious invoice attachment
Initial execution | PowerPoint-related activity triggered a malicious file download
Malware identification | Sample identified as Stealc
C2 communication | Malware contacted external attacker infrastructure
Library request | Malware requested sqlite3.dll
Credential access | Malware attempted to collect browser-stored credentials
Exfiltration | Collected data was sent to command and control infrastructure
Cleanup | Malware targeted C:\ProgramData for deletion
Self-deletion | Malware waited 5 seconds before deleting itself or related files

Key Findings

The investigation found that:

  • The suspicious PowerPoint file was associated with malware activity
  • The malware family was identified as Stealc
  • VirusTotal helped confirm malicious detections and file metadata
  • ANY.RUN provided behavioral analysis and malware configuration details
  • The malware contacted command and control infrastructure
  • The first requested library was sqlite3.dll
  • The malware attempted to steal browser stored credentials
  • The credential theft behavior mapped to T1555: Credentials from Password Stores
  • The malware attempted to delete files from C:\ProgramData
  • The cleanup behavior mapped to T1070.004: Indicator Removal: File Deletion
  • The malware waited 5 seconds before its self-deletion behavior

Defensive Lessons Learned

This lab reinforced several important defensive lessons:

  • Suspicious Office attachments can lead to malware execution
  • SIEM alerts for file downloads should be investigated quickly
  • VirusTotal is useful for initial malware family identification
  • ANY.RUN helps reveal runtime behavior that static analysis may not show
  • Malware configuration data can expose command and control details
  • Browser credential theft is a major risk after information stealer execution
  • File deletion behavior can indicate defense evasion
  • MITRE ATT&CK mapping helps communicate attacker behavior clearly
  • Analysts should correlate file metadata, network behavior, process activity, and sandbox findings

Based on the investigation, recommended actions would include:

  • Block the malware hash across endpoint controls
  • Block identified command and control infrastructure
  • Search SIEM logs for related network connections
  • Hunt for sqlite3.dll retrieval activity from suspicious sources
  • Review hosts for signs of Stealc execution
  • Reset credentials for affected users
  • Revoke active sessions for affected accounts
  • Review browser-saved password exposure
  • Disable password saving in browsers where appropriate
  • Review email gateway logs for the original phishing message
  • Add detections for suspicious Office-initiated downloads
  • Alert on suspicious deletion activity in C:\ProgramData
  • Educate users about invoice-themed phishing lures

What This Project Demonstrates

This project demonstrates my ability to:

  • Analyze a suspicious malware sample using online threat intelligence platforms
  • Use VirusTotal to identify detections and metadata
  • Use ANY.RUN to review sandbox behavior
  • Identify Stealc malware behavior
  • Extract key indicators from malware analysis reports
  • Review command and control behavior
  • Identify credential theft activity
  • Map malware behavior to MITRE ATT&CK
  • Understand file deletion and self cleanup behavior
  • Translate sandbox findings into defensive recommendations

Disclosure Notice

This writeup is based on an authorized CyberDefenders training environment. It is intended to document the investigation process, lab indicators, and defensive concepts learned.

This page does not include private customer data, employer data, production system information, or unauthorized activity.