Overview

overview

10

Static

static

osiris.js

windows7_x64

5

osiris.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    osiris.js

  • Size

    2.5MB

  • Sample

    210126-s38wqqsbx6

  • MD5

    e00ccaf47b31887d18ccc6d80aaa2a39

  • SHA1

    60b574bcda0024cf90ec3f7e97db28c58cc79552

  • SHA256

    20d1df07b4e17ee0821043733106bd179a520acd9ec307bdb1703df17cbf6ee7

  • SHA512

    5c3181b5440ac31079c8651d752ad890d84b5ee692b37168866e8c0bef1abfcc8d77311c5df7a7e0e72ad33c9ab999e4b096a199c832e42778565be2ede9c4c6

Score
10/10
osirisbankerbotnetransomware

Malware Config

Targets

    • Target

      osiris.js

    • Size

      2.5MB

    • MD5

      e00ccaf47b31887d18ccc6d80aaa2a39

    • SHA1

      60b574bcda0024cf90ec3f7e97db28c58cc79552

    • SHA256

      20d1df07b4e17ee0821043733106bd179a520acd9ec307bdb1703df17cbf6ee7

    • SHA512

      5c3181b5440ac31079c8651d752ad890d84b5ee692b37168866e8c0bef1abfcc8d77311c5df7a7e0e72ad33c9ab999e4b096a199c832e42778565be2ede9c4c6

    Score
    10/10
    ransomwareosirisbankerbotnet

    • Osiris

      bankerbotnetosiris

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1
T1090

Impact

Tasks