Malware Analysis Report

2025-01-22 13:31

Sample ID 210211-2ervgkx7px
Target osiris.exe
SHA256 01d5f1b32235b5d5ba5970d56639d82aa3d83b57ec08c79b3580fd0c88ef1c29
Tags osiris banker botnet
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01d5f1b32235b5d5ba5970d56639d82aa3d83b57ec08c79b3580fd0c88ef1c29

Threat Level: Known bad

The file osiris.exe was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Loads dropped DLL

Uses Tor communications

Looks up external IP address via web service

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-11 12:07

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-11 12:07

Reported

2021-02-11 12:09

Platform

win10v20201028

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\osiris.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\osiris.exe N/A (64 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\osiris.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\osiris.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
PID 4808 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\osiris.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\osiris.exe

"C:\Users\Admin\AppData\Local\Temp\osiris.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country Destination Domain Proto
N/A 193.23.244.244:80 N/A tcp
N/A 194.109.206.212:80 N/A tcp
N/A 193.23.244.244:80 N/A tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.243.164.148:443 api.ipify.org tcp
N/A 193.23.244.244:80 N/A tcp
N/A 128.31.0.34:9131 128.31.0.34 tcp
N/A 37.120.174.249:80 37.120.174.249 tcp
N/A 45.128.133.242:443 N/A tcp
N/A 8.8.8.8:53 time-a.nist.gov udp
N/A 129.6.15.28:13 time-a.nist.gov tcp
N/A 209.141.59.180:80 209.141.59.180 tcp
N/A 195.80.151.30:80 195.80.151.30 tcp
N/A 185.4.132.148:80 185.4.132.148 tcp
N/A 209.141.53.10:80 209.141.53.10 tcp
N/A 193.218.118.62:80 193.218.118.62 tcp
N/A 172.104.136.137:443 N/A tcp
N/A 178.162.194.210:443 178.162.194.210 tcp
N/A 193.234.15.60:80 193.234.15.60 tcp
N/A 54.39.16.73:80 54.39.16.73 tcp
N/A 50.7.74.171:80 50.7.74.171 tcp
N/A 149.56.233.142:443 N/A tcp
N/A 192.160.102.164:80 192.160.102.164 tcp
N/A 109.70.100.13:80 109.70.100.13 tcp
N/A 172.81.131.111:80 172.81.131.111 tcp
N/A 141.98.136.79:443 N/A tcp
N/A 185.80.222.164:80 185.80.222.164 tcp
N/A 23.81.66.90:80 23.81.66.90 tcp

Files

memory/3424-2-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 86b4b4bb58e9b33f53de7ae2260835c3
SHA1 55e17d13537076d5c267dc3c6572ff653e0591e2
SHA256 8826ea90454c3a3c566c243fcc2ce5e528006c7cbc925a4fc79cc8c7f9327630
SHA512 79103136af90443917f2666920c08aceffe52730b9da2a98514f8296a0a296ea081fdefd34d4aa3ccdec68e2d2256cb26160639e7d0091af289044dd84b08d9c

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-11 12:07

Reported

2021-02-11 12:09

Platform

win7v20201028

Max time kernel

151s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\osiris.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\osiris.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\osiris.exe N/A (64 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\osiris.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\osiris.exe

"C:\Users\Admin\AppData\Local\Temp\osiris.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country Destination Domain Proto
N/A 199.58.81.140:80 199.58.81.140 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.140.41:443 api.ipify.org tcp
N/A 109.70.100.24:80 109.70.100.24 tcp
N/A 79.134.235.243:443 N/A tcp
N/A 8.8.8.8:53 time-a.nist.gov udp
N/A 129.6.15.28:13 time-a.nist.gov tcp
N/A 109.70.100.20:80 109.70.100.20 tcp
N/A 104.218.63.74:80 104.218.63.74 tcp
N/A 178.17.170.149:80 178.17.170.149 tcp
N/A 104.244.73.85:80 104.244.73.85 tcp
N/A 135.148.33.112:80 135.148.33.112 tcp
N/A 192.52.167.71:443 N/A tcp
N/A 54.38.219.251:80 54.38.219.251 tcp
N/A 193.29.35.205:80 193.29.35.205 tcp
N/A 107.189.10.143:80 107.189.10.143 tcp
N/A 109.248.149.155:443 N/A tcp
N/A 130.193.15.49:80 130.193.15.49 tcp
N/A 46.166.161.21:443 N/A tcp
N/A 89.35.34.33:80 89.35.34.33 tcp
N/A 149.202.208.203:443 N/A tcp

Files

memory/792-2-0x00000000765E1000-0x00000000765E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/1268-4-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 b72a722fcb48f103a08800a76dc0dbf4
SHA1 e2192ef4d2abf227843ebca141b5ab358a4f941e
SHA256 319d60c12cf2e7997bb15859b7096869f2eaa015569c203c2c122a8b35daa8a9
SHA512 ac1f86ae7010ff483951fdbe3669b2039c47463ec834c22f426c3f763abba408d7aee5d43c7c3e166872102ae48c497a343ab42aa5bfef53dd0f31f9ffd2d916