osiris | b8f765e5e9932ebe8820755b8d75eb00eb6b097316d98cd38bf9224fbf7fb82d

General

Target

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
Size

329KB
MD5

37c564ae4779a505b190aa2520bb7266
SHA1

ef79b2bf788efc094b391f938c326ab61f17237b
SHA256

b8f765e5e9932ebe8820755b8d75eb00eb6b097316d98cd38bf9224fbf7fb82d
SHA512

eda61c01b97d8031bd6a0f4c22e3eeaff0a18d1f9ca8836b76c6ca97cf06f48384df4827e40e2ead03d6b9c7a916f5c8939186ab10731893334988eebac5b3a5

Score

10^/10

osiris banker botnet spyware stealer

Malware Config

Signatures

Osiris
banker botnet osiris

Nirsoft 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

GetX64BTIT.exe1084477194.exe155514377.exe

pid process

1116 GetX64BTIT.exe
912 1084477194.exe
940 155514377.exe

pid	process
1116	GetX64BTIT.exe
912	1084477194.exe
940	155514377.exe

Loads dropped DLL 4 IoCs

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

pid	process
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
5	api.ipify.org
6	api.ipify.org

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

pid	process
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

pid process

1044 SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

description	pid	process	target process
PID 1044 wrote to memory of 1116	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	GetX64BTIT.exe
PID 1044 wrote to memory of 1116	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	GetX64BTIT.exe
PID 1044 wrote to memory of 1116	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	GetX64BTIT.exe
PID 1044 wrote to memory of 1116	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	GetX64BTIT.exe
PID 1044 wrote to memory of 912	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1084477194.exe
PID 1044 wrote to memory of 912	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1084477194.exe
PID 1044 wrote to memory of 912	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1084477194.exe
PID 1044 wrote to memory of 912	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1084477194.exe
PID 1044 wrote to memory of 940	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	155514377.exe
PID 1044 wrote to memory of 940	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	155514377.exe
PID 1044 wrote to memory of 940	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	155514377.exe
PID 1044 wrote to memory of 940	1044	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	155514377.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\1084477194.exe
"1084477194.exe"
2⤵
- Executes dropped EXE
PID:912

C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe
C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe /sjson C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\book.json
2⤵
- Executes dropped EXE
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
8e02df4b54e4444e9812ead4fabe7a28

SHA1
a7715b3098c2fa02adaced93a613963c39bb1d5d

SHA256
d52167b633008ec6311264c9e0c0bc93c91640e503d37b695db4177e4e1bcd2b

SHA512
2b4c0d7f3e3457ec90a3e1a87e3e6747f9b26692875b587485f012d411d5865b10d4a4265d5285e46bf38bc1a236b7a0fc73fe1273982e864022c8b4840b2fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\1084477194.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe
MD5
b94350c5a57401721ce013c1a76c2727

SHA1
f0e946cf41e3c11d7f84736a365ec3d0b173fef4

SHA256
e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58

SHA512
0b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\1084477194.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe
MD5
b94350c5a57401721ce013c1a76c2727

SHA1
f0e946cf41e3c11d7f84736a365ec3d0b173fef4

SHA256
e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58

SHA512
0b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193

Download Submit
\Users\Admin\AppData\Local\Temp\{A7D3922A-1424-4848-9456-C6B102471981}\155514377.exe
MD5
b94350c5a57401721ce013c1a76c2727

SHA1
f0e946cf41e3c11d7f84736a365ec3d0b173fef4

SHA256
e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58

SHA512
0b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193

Download Submit
memory/912-11-0x0000000000000000-mapping.dmp

Download
memory/940-20-0x00000000723F1000-0x00000000723F3000-memory.dmp

Filesize
8KB

Download
memory/940-17-0x0000000000000000-mapping.dmp

Download
memory/1008-8-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1044-2-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1044-3-0x0000000000310000-0x00000000003AF000-memory.dmp

Filesize
636KB

Download
memory/1116-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads