osiris | b8f765e5e9932ebe8820755b8d75eb00eb6b097316d98cd38bf9224fbf7fb82d

General

Target

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
Size

329KB
MD5

37c564ae4779a505b190aa2520bb7266
SHA1

ef79b2bf788efc094b391f938c326ab61f17237b
SHA256

b8f765e5e9932ebe8820755b8d75eb00eb6b097316d98cd38bf9224fbf7fb82d
SHA512

eda61c01b97d8031bd6a0f4c22e3eeaff0a18d1f9ca8836b76c6ca97cf06f48384df4827e40e2ead03d6b9c7a916f5c8939186ab10731893334988eebac5b3a5

Score

10^/10

osiris banker botnet spyware stealer

Malware Config

Signatures

Osiris
banker botnet osiris

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

GetX64BTIT.exe1054361754.exe1977912674.exe

pid process

3640 GetX64BTIT.exe
772 1054361754.exe
408 1977912674.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
3640	GetX64BTIT.exe
772	1054361754.exe
408	1977912674.exe

flow	ioc
8	api.ipify.org
9	api.ipify.org

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

pid	process
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

pid process

1192 SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

pid process

1192 SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe

description	pid	process	target process
PID 1192 wrote to memory of 3640	1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	GetX64BTIT.exe
PID 1192 wrote to memory of 3640	1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	GetX64BTIT.exe
PID 1192 wrote to memory of 772	1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1054361754.exe
PID 1192 wrote to memory of 772	1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1054361754.exe
PID 1192 wrote to memory of 408	1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1977912674.exe
PID 1192 wrote to memory of 408	1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1977912674.exe
PID 1192 wrote to memory of 408	1192	SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe	1977912674.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Kronos.21.31435.19434.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:3640

C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1054361754.exe
"1054361754.exe"
2⤵
- Executes dropped EXE
PID:772

C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe /sjson C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\book.json
2⤵
- Executes dropped EXE
PID:408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
789146fcf8b2e069217aa9b249b53afe

SHA1
5ac0c230e70009b4a1e7ba2d512e7803c1bb9ec4

SHA256
c3c372660e6eee7b6aed9f56417f6ab8ef7f170a0435f87e35fd28175af81a4b

SHA512
c33ea0b3521781a55f2be5ae2237dd105ea56a2e9f6e187de779a7495a5f481bef424125554eb5b0be036e7b922cad0317eca3fd6e725d7321ea1430ed3c45cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1054361754.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1054361754.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe
MD5
b94350c5a57401721ce013c1a76c2727

SHA1
f0e946cf41e3c11d7f84736a365ec3d0b173fef4

SHA256
e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58

SHA512
0b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8081378E-5036-45D9-BE0A-9A65BEF632D0}\1977912674.exe
MD5
b94350c5a57401721ce013c1a76c2727

SHA1
f0e946cf41e3c11d7f84736a365ec3d0b173fef4

SHA256
e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58

SHA512
0b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193

Download Submit
memory/408-10-0x0000000000000000-mapping.dmp

Download
memory/772-7-0x0000000000000000-mapping.dmp

Download
memory/1192-2-0x0000000000340000-0x00000000003DF000-memory.dmp

Filesize
636KB

Download
memory/3640-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads