Malware Analysis Report

2025-01-22 13:30

Sample ID 210504-ea5kd82f4e
Target 2bb0000.exe
SHA256 4bd4ccdaefa72f9326ba93542ddc447f6df1452a6f626a54d43c3a4c37e23968
Tags
osiris banker botnet
score
10/10

Analysis Overview

score
10/10

SHA256

4bd4ccdaefa72f9326ba93542ddc447f6df1452a6f626a54d43c3a4c37e23968

Threat Level: Known bad

The file 2bb0000.exe was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Uses Tor communications

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-04 10:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-04 10:03

Reported

2021-05-04 10:07

Platform

win7v20210410

Max time kernel

151s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bb0000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bb0000.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bb0000.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bb0000.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2bb0000.exe

"C:\Users\Admin\AppData\Local\Temp\2bb0000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country Destination Domain Proto

Files

memory/1964-60-0x0000000076A81000-0x0000000076A83000-memory.dmp

\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/1544-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 6002fd8ac524366316a8027aabfb052f
SHA1 50ab57ba6e75d6e850e07d87228dbcf82ec6ce8f
SHA256 6ccc06ee6b633f02e48d3103f715051f54fb9162e442c277ab342a6dd77312b1
SHA512 e94d749d9caa4dba672ee053e204b75e297faec2ddf09f409b85031028b75aa22e5153608609c8c5724b1d4cf7914adff3c61feb88798157270669795945f476

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-04 10:03

Reported

2021-05-04 10:07

Platform

win10v20210408

Max time kernel

151s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bb0000.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bb0000.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bb0000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 584 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2bb0000.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2bb0000.exe

"C:\Users\Admin\AppData\Local\Temp\2bb0000.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country Destination Domain Proto

Files

memory/2708-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 768ffffec4d979de370e42263b8199cb
SHA1 a11c62c9ad578982a33fbe8e82ef47e909994c91
SHA256 bb815f72a0edf5eef7b7f201b8ff3c5d53314b51a0a3abc23040d651d0f8f1e2
SHA512 3293150e0ad5701efc90322cb12308ca99b7ac622acc124d5339b140e045c05f531d1355e0630862c5c3a60e485aadbcce023ece258dc8e326d8c4920b2c2134