Malware Analysis Report

2025-01-22 13:30

Sample ID 210224-ha2qcvqlm6
Target 530000.exe
SHA256 1aa2009bf625cdd1f9fce70863201c2c9fc8624edd89103fda2e49b50ba908f7
Tags: osiris banker botnet
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

1aa2009bf625cdd1f9fce70863201c2c9fc8624edd89103fda2e49b50ba908f7

Threat Level: Known bad

The file 530000.exe was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Uses Tor communications

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-02-24 12:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-02-24 12:17
Reported: 2021-02-24 12:19
Platform: win7v20201028
Max time kernel: 150s
Max time network: 91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Uses Tor communications

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\530000.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\530000.exe

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 616

Network

Country Destination Domain Proto
N/A 199.58.81.140:80 199.58.81.140 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.225.214.197:443 api.ipify.org tcp
N/A 195.144.21.219:80 195.144.21.219 tcp

Files

memory/892-2-0x0000000074D91000-0x0000000074D93000-memory.dmp

\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/852-4-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 7828ee989c987b0813c32eca232e1fd2
SHA1 4b04eccd6922a7f5a9870f57811fbebfc96b622b
SHA256 b1e615bde333d20ec1340d41b2eff61fdc5eca7f4bff0281a442b8a1be44d3c8
SHA512 c97bf3a3b3efd198df9ebca1e1b8508179151714002b42c286785517bf5668d5c296558f716846a579d970bc53954758f7422c02455a03ef1dbc834256d3d939

memory/1328-7-0x0000000000000000-mapping.dmp

memory/1328-8-0x0000000001E30000-0x0000000001E41000-memory.dmp

memory/1328-9-0x0000000000320000-0x0000000000321000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-02-24 12:17
Reported: 2021-02-24 12:19
Platform: win10v20201028
Max time kernel: 150s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\530000.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\530000.exe

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country Destination Domain Proto
N/A 131.188.40.189:80 131.188.40.189 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.235.189.250:443 api.ipify.org tcp
N/A 54.36.120.156:80 54.36.120.156 tcp
N/A 199.249.230.158:443 tcp
N/A 8.8.8.8:53 time-a.nist.gov udp
N/A 129.6.15.28:13 time-a.nist.gov tcp
N/A 93.56.117.22:80 93.56.117.22 tcp
N/A 135.148.33.144:80 135.148.33.144 tcp
N/A 75.163.71.105:443 tcp
N/A 94.23.150.81:80 94.23.150.81 tcp
N/A 45.133.192.39:80 45.133.192.39 tcp
N/A 192.42.116.28:80 192.42.116.28 tcp
N/A 104.244.79.196:80 104.244.79.196 tcp
N/A 135.148.32.139:80 135.148.32.139 tcp
N/A 199.249.230.65:443 tcp
N/A 82.223.14.245:80 82.223.14.245 tcp
N/A 209.141.45.189:80 209.141.45.189 tcp
N/A 185.220.103.9:80 185.220.103.9 tcp
N/A 91.199.223.8:443 tcp
N/A 185.82.127.48:80 185.82.127.48 tcp
N/A 91.219.28.211:80 91.219.28.211 tcp
N/A 188.209.52.31:443 tcp
N/A 185.4.132.183:80 185.4.132.183 tcp
N/A 129.13.131.140:80 129.13.131.140 tcp
N/A 80.127.137.14:80 80.127.137.14 tcp
N/A 198.245.49.141:443 tcp
N/A 101.100.146.147:80 101.100.146.147 tcp
N/A 62.112.10.154:80 62.112.10.154 tcp

Files

memory/2736-2-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 d1c02f6859d5c284a8261d9512055171
SHA1 4715f22df9252ca4da5a0f284d4f70e57f53487d
SHA256 28171ae508df8c1daf009e096a908cdf6792ec735c3367208abb6fd9837d66d2
SHA512 376a05aad8aaa74f379c48a77f258b04982067687abee8616679e00b6dda52187d2447888fd3a59c9c89339db51e113a58dbfc920dd720379c9d09eeac52e30f