Malware Analysis Report

2025-01-22 13:33

Sample ID 210305-pybmrl84qs
Target 6a0000.exe
SHA256 1bb6fb4d17c2bc64645d9ea67e3f3b34c4cc3b082c70676b202ebcd59762c3c2
Tags
osiris banker botnet
score
10/10


Analysis Overview

score
10/10

SHA256

1bb6fb4d17c2bc64645d9ea67e3f3b34c4cc3b082c70676b202ebcd59762c3c2

Threat Level: Known bad

The file 6a0000.exe was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2021-03-05 10:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-03-05 10:38

Reported

2021-03-05 10:40

Platform

win7v20201028

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a0000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a0000.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a0000.exe N/A
(identical row recorded 64 times, one per process-enumeration event)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a0000.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a0000.exe

"C:\Users\Admin\AppData\Local\Temp\6a0000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network


Files

memory/1932-2-0x00000000750C1000-0x00000000750C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/1688-4-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 e6919afdbf29204ebf97a295dfa3e936
SHA1 e7239cdc1446c399b894c096f7b1be598a24b936
SHA256 a0e62a09b52a6a508fc59875486621a377704096ba7a4aa4b3f254f81581405d
SHA512 da35a913fd542f44e474771391facccd3a1dc872c10a04ed914d03153391658420c43c42dc26877a22cf811a3e812a3d211efe76ca9f93ff7b5d024b5b5145c5

Analysis: behavioral2

Detonation Overview

Submitted

2021-03-05 10:38

Reported

2021-03-05 10:40

Platform

win10v20201028

Max time kernel

151s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a0000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a0000.exe N/A
(identical row recorded 64 times, one per process-enumeration event)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a0000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 504 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\6a0000.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
PID 504 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\6a0000.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a0000.exe

"C:\Users\Admin\AppData\Local\Temp\6a0000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network


Files

memory/492-2-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 efe080540179c771d3f5fb83ed67a6c6
SHA1 880d14b09dd8243bce981a589c8d0ba2d5917247
SHA256 1f04cc948752ccf1534fe74074d043a9acab0c02802d1ba8d1aa5d562779dc7a
SHA512 efac3dfaf3407eaa7604d9ca424f310df103430767e16c91b203d1d3f7a5f31729173d82d709db52f9b12133b16f0b7b2c66344e79c91cde499544c08964e5c1