Malware Analysis Report

2025-01-22 13:33

Sample ID 210224-v9f1mdct3n
Target 530000.exe
SHA256 1aa2009bf625cdd1f9fce70863201c2c9fc8624edd89103fda2e49b50ba908f7
Tags osiris banker botnet
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 1aa2009bf625cdd1f9fce70863201c2c9fc8624edd89103fda2e49b50ba908f7

Threat Level: Known bad

The file 530000.exe was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Uses Tor communications

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-24 14:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-24 14:13

Reported

2021-02-24 14:15

Platform

win7v20201028

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
(64 identical entries reported for this process)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\530000.exe

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country  Destination          Domain           Proto
N/A      131.188.40.189:80    131.188.40.189   tcp
N/A      8.8.8.8:53           api.ipify.org    udp
N/A      50.19.96.218:443     api.ipify.org    tcp
N/A      45.77.137.44:80      45.77.137.44     tcp
N/A      142.4.213.90:443     N/A              tcp
N/A      8.8.8.8:53           time-a.nist.gov  udp
N/A      129.6.15.28:13       time-a.nist.gov  tcp
N/A      185.100.84.251:80    185.100.84.251   tcp
N/A      185.113.143.86:443   N/A              tcp
N/A      198.16.92.157:80     198.16.92.157    tcp
N/A      51.68.182.30:443     N/A              tcp
N/A      37.252.191.41:80     37.252.191.41    tcp
N/A      103.35.74.74:443     N/A              tcp
N/A      147.135.78.157:80    147.135.78.157   tcp
N/A      149.56.94.216:443    N/A              tcp
N/A      83.136.106.136:80    83.136.106.136   tcp
N/A      82.103.140.87:80     82.103.140.87    tcp
N/A      172.98.193.43:80     172.98.193.43    tcp
N/A      185.100.84.212:80    185.100.84.212   tcp
N/A      185.4.132.148:80     185.4.132.148    tcp
N/A      192.42.115.102:80    192.42.115.102   tcp

Files

memory/1964-2-0x00000000750C1000-0x00000000750C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/1768-4-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 e6919afdbf29204ebf97a295dfa3e936
SHA1 e7239cdc1446c399b894c096f7b1be598a24b936
SHA256 a0e62a09b52a6a508fc59875486621a377704096ba7a4aa4b3f254f81581405d
SHA512 da35a913fd542f44e474771391facccd3a1dc872c10a04ed914d03153391658420c43c42dc26877a22cf811a3e812a3d211efe76ca9f93ff7b5d024b5b5145c5

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-24 14:13

Reported

2021-02-24 14:15

Platform

win10v20201028

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A
(64 identical entries reported for this process)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\530000.exe N/A

Suspicious use of WriteProcessMemory

Description                      Indicator  Process                                       Target
PID 640 wrote to memory of 3732  N/A        C:\Users\Admin\AppData\Local\Temp\530000.exe  C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
PID 640 wrote to memory of 3732  N/A        C:\Users\Admin\AppData\Local\Temp\530000.exe  C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\530000.exe

"C:\Users\Admin\AppData\Local\Temp\530000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country  Destination          Domain           Proto
N/A      154.35.175.225:80    154.35.175.225   tcp
N/A      8.8.8.8:53           api.ipify.org    udp
N/A      54.225.129.141:443   api.ipify.org    tcp
N/A      212.47.236.95:80     212.47.236.95    tcp
N/A      198.245.49.10:443    N/A              tcp
N/A      8.8.8.8:53           time-a.nist.gov  udp
N/A      129.6.15.28:13       time-a.nist.gov  tcp
N/A      185.125.206.186:80   185.125.206.186  tcp
N/A      85.159.237.210:80    85.159.237.210   tcp
N/A      135.148.33.74:80     135.148.33.74    tcp
N/A      185.130.44.124:80    185.130.44.124   tcp
N/A      46.36.39.134:80      46.36.39.134     tcp
N/A      37.157.253.35:443    N/A              tcp
N/A      172.107.96.70:80     172.107.96.70    tcp
N/A      103.234.220.195:80   103.234.220.195  tcp
N/A      172.104.177.103:443  N/A              tcp
N/A      195.154.179.3:80     195.154.179.3    tcp
N/A      91.203.145.116:80    91.203.145.116   tcp
N/A      23.129.64.221:80     23.129.64.221    tcp
N/A      178.164.214.33:443   N/A              tcp
N/A      135.148.32.122:80    135.148.32.122   tcp
N/A      193.70.112.165:80    193.70.112.165   tcp
N/A      178.254.22.21:80     178.254.22.21    tcp
N/A      162.247.74.204:443   N/A              tcp
N/A      185.165.240.126:80   185.165.240.126  tcp
N/A      46.22.212.230:80     46.22.212.230    tcp

Files

memory/3732-2-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 2f2a1d82d27eb6db4a4f8b5c864e02ec
SHA1 ba6a6ef448be3c9f32ba8b4678297c8a137fd135
SHA256 cd9da7a912a78920636a88b375807dd78364b5bbf8c6b480b2d0e39c8b3ec47b
SHA512 e3a91468745b3ed2d368bb9641e34a4544efbfebc8f595eae03b006bcc39f27cd197398eade3e0b0d8e68735d5c4ec9ac27c1801dd967f9d9147d92d5d2bea81