osiris | 7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217

Target

SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe
Size

1.4MB
MD5

793707365df26450bc8642f518a540f0
SHA1

66649127ad784288c393992971a197c10f86a8eb
SHA256

7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217
SHA512

550374f2b3963e99bbfa445236e2921d288e67e00b4425a3bfedba0b72bd2fe6027af484c8f7e143471e16738dd9f129c91e467e157e29a911f1ad44d2775695

Score

10^/10

osiris banker botnet spyware stealer

Malware Config

Signatures

Osiris
banker botnet osiris

Nirsoft 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\1991806312.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\1991806312.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\1991806312.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

cmd.exeGetX64BTIT.exe1991806312.exe

pid process

748 cmd.exe
1600 GetX64BTIT.exe
1244 1991806312.exe
Loads dropped DLL 4 IoCs

Processes:

ipconfig.execmd.exe

pid process

2016 ipconfig.exe
748 cmd.exe
748 cmd.exe
748 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
15 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\lvp.job cmd.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2016 ipconfig.exe

pid	process
748	cmd.exe
1600	GetX64BTIT.exe
1244	1991806312.exe

pid	process
2016	ipconfig.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe

flow	ioc
14	api.ipify.org
15	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\lvp.job	cmd.exe

pid	process
2016	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exeipconfig.execmd.exe

pid	process
1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe
2016	ipconfig.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe
748	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ipconfig.exe

pid process

2016 ipconfig.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

748 cmd.exe

pid	process
2016	ipconfig.exe

pid	process
748	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exeipconfig.exe

description	pid	process	target process
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 1208 wrote to memory of 2016	1208	SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe	ipconfig.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 748	2016	ipconfig.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Rat.281.18292.12946.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
2⤵
- Loads dropped DLL
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:748

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
4⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\1991806312.exe
C:\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\1991806312.exe /sjson C:\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\book.json
4⤵
- Executes dropped EXE
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe
MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
92d10117b36a02cd37bf926cbfd2cb21

SHA1
508c0d9f675fd6923c71de8844febae45d257e34

SHA256
859cc85cd2af5f2cdab1415cdbf7f1d7bcd01bb94cd34188cf00e3b62cc438be

SHA512
1ac24c7d7333cbfb4d45b3f1bfff16fb9813ddfa1519be6186c7d95d9827fa60c1b3d8c63a6cefefa3133b36539a1d8c098821e72c651ec3bd86fa31b593cf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\1991806312.exe
MD5
b94350c5a57401721ce013c1a76c2727

SHA1
f0e946cf41e3c11d7f84736a365ec3d0b173fef4

SHA256
e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58

SHA512
0b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\book.json
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe
MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\1991806312.exe
MD5
b94350c5a57401721ce013c1a76c2727

SHA1
f0e946cf41e3c11d7f84736a365ec3d0b173fef4

SHA256
e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58

SHA512
0b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193

Download Submit
\Users\Admin\AppData\Local\Temp\{4CDEEA8A-4AE5-42DE-AB09-BD4527C1808D}\1991806312.exe
MD5
b94350c5a57401721ce013c1a76c2727

SHA1
f0e946cf41e3c11d7f84736a365ec3d0b173fef4

SHA256
e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58

SHA512
0b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193

Download Submit
memory/748-72-0x0000000077001000-0x000000007710127A-memory.dmp

Filesize
1.0MB

Download
memory/748-67-0x0000000000000000-mapping.dmp

Download
memory/748-71-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/748-70-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/748-76-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1208-62-0x00000000002F0000-0x00000000002F9000-memory.dmp

Filesize
36KB

Download
memory/1208-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1244-83-0x0000000000000000-mapping.dmp

Download
memory/1244-86-0x0000000072421000-0x0000000072423000-memory.dmp

Filesize
8KB

Download
memory/1600-78-0x0000000000000000-mapping.dmp

Download
memory/2016-65-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/2016-64-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2016-59-0x0000000000000000-mapping.dmp

Download
memory/2016-63-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2016-60-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download