Malware Analysis Report

2025-01-22 13:34

Sample ID 210224-e9y2gwkzr6
Target 530000.exe
SHA256 1aa2009bf625cdd1f9fce70863201c2c9fc8624edd89103fda2e49b50ba908f7
Tags
osiris banker botnet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1aa2009bf625cdd1f9fce70863201c2c9fc8624edd89103fda2e49b50ba908f7

Threat Level: Known bad

The file 530000.exe was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Loads dropped DLL

Uses Tor communications

Looks up external IP address via web service

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-24 11:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-24 11:17

Reported

2021-02-24 11:19

Platform

win7v20201028

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\530000.exe

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country Destination Domain Proto
N/A 194.109.206.212:80 194.109.206.212 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.225.214.197:443 api.ipify.org tcp
N/A 199.249.230.166:80 199.249.230.166 tcp
N/A 172.105.61.212:443 tcp
N/A 8.8.8.8:53 time-a.nist.gov udp
N/A 129.6.15.28:13 time-a.nist.gov tcp
N/A 185.63.253.130:80 185.63.253.130 tcp
N/A 82.221.128.191:443 tcp
N/A 88.198.91.74:80 88.198.91.74 tcp
N/A 104.244.74.121:80 104.244.74.121 tcp
N/A 185.185.71.69:80 185.185.71.69 tcp
N/A 122.117.91.144:80 122.117.91.144 tcp
N/A 185.225.16.146:80 185.225.16.146 tcp
N/A 178.17.171.39:443 tcp
N/A 199.249.230.144:80 199.249.230.144 tcp
N/A 51.195.136.190:80 51.195.136.190 tcp
N/A 199.249.230.87:80 199.249.230.87 tcp
N/A 51.161.33.20:443 tcp
N/A 87.98.185.5:80 87.98.185.5 tcp
N/A 188.127.69.60:80 188.127.69.60 tcp
N/A 192.42.116.17:80 192.42.116.17 tcp
N/A 178.17.174.13:443 tcp

Files

memory/1968-2-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/1648-4-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 6dc13875f352d5685b297de103001773
SHA1 84de3498cf19101804a437f576bd7f894682b0be
SHA256 e8af1450405521907e74bcf67dd49c3a9f6288291f5cbb6459ef0de03a2d112f
SHA512 cb4397cb74e6e18c1f0404d2e7971e2b6d9111fd43e929020d6fbb2a269744ac752953ad363aaff94224a1c00aa4f05751eae7b788f7895e651e08dd0da14524

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-24 11:17

Reported

2021-02-24 11:19

Platform

win10v20201028

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 796 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\530000.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
PID 796 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\530000.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\530000.exe

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country Destination Domain Proto
N/A 66.111.2.131:9030 66.111.2.131 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.252.4:443 api.ipify.org tcp
N/A 209.141.54.197:80 209.141.54.197 tcp
N/A 195.154.106.60:443 tcp
N/A 8.8.8.8:53 time-a.nist.gov udp
N/A 129.6.15.28:13 time-a.nist.gov tcp
N/A 91.203.144.194:80 91.203.144.194 tcp
N/A 45.76.115.159:80 45.76.115.159 tcp
N/A 46.227.68.106:80 46.227.68.106 tcp
N/A 109.68.191.132:80 109.68.191.132 tcp
N/A 199.249.230.69:80 199.249.230.69 tcp
N/A 85.209.158.221:443 tcp
N/A 87.120.37.79:80 87.120.37.79 tcp
N/A 149.56.94.219:80 149.56.94.219 tcp
N/A 190.10.8.152:80 190.10.8.152 tcp
N/A 199.249.230.165:443 tcp
N/A 109.70.100.18:80 109.70.100.18 tcp
N/A 199.249.230.104:80 199.249.230.104 tcp
N/A 91.121.143.199:80 91.121.143.199 tcp
N/A 95.216.136.34:443 tcp
N/A 91.234.19.55:80 91.234.19.55 tcp
N/A 130.193.15.186:80 130.193.15.186 tcp

Files

memory/2408-2-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 29e63b87a82abf88b7c73dd3442aed6e
SHA1 ede929efeae67bf5bbb54bd9bb4825e774854b38
SHA256 77f2d0af447eacfa7196c3fdf3f57091168fdd4eb0f9fb9b005a0506346d2e68
SHA512 64dbdc5d63133227293b42ab49c686b5c10640a06bccf377cd7ccba0ce7fde3a952d6fef8e6afe1a03b387aec43cfc81ee9fb0a728c3605240986c781cd84285