Malware Analysis Report

2025-01-22 13:33

Sample ID 210910-lpzn9shhc6
Target test.txt
SHA256 2fc970b717486762f6c890f525329962662074eb632f0827c901fb1081cbd98f
Tags osiris banker botnet
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

2fc970b717486762f6c890f525329962662074eb632f0827c901fb1081cbd98f

Threat Level: Known bad

The file test.txt was found to be: Known bad. Despite its .txt extension the sample is a Windows executable; the sandbox detonated it as test.txt.exe (see the Command Line entries below).

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Loads dropped DLL

Uses Tor communications

Looks up external IP address via web service

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V6: no technique mappings were rendered in this export.

Analysis: static1

Detonation Overview

Reported

2021-09-10 09:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-10 09:43

Reported

2021-09-10 09:46

Platform

win7v20210408

Max time kernel

153s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.txt.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.txt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.txt.exe N/A
(64 identical hits: the row above was recorded 64 times for test.txt.exe, with no indicator or target captured.)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.txt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\test.txt.exe

"C:\Users\Admin\AppData\Local\Temp\test.txt.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country  Destination           Domain            Proto
CA       199.58.81.140:80      199.58.81.140     tcp
US       8.8.8.8:53            api.ipify.org     udp
US       54.235.247.117:443    api.ipify.org     tcp
GB       109.148.154.231:80    109.148.154.231   tcp
US       23.129.64.135:443     -                 tcp
RO       93.115.95.38:80       93.115.95.38      tcp
SI       212.44.103.59:443     -                 tcp
US       8.8.8.8:53            time-a.nist.gov   udp
US       129.6.15.28:13        time-a.nist.gov   tcp
US       45.79.177.190:80      45.79.177.190     tcp
JP       172.105.207.42:443    -                 tcp
RU       88.214.35.40:80       88.214.35.40      tcp
BG       195.34.103.142:443    -                 tcp
UA       193.218.118.167:80    193.218.118.167   tcp
LU       91.243.85.168:443     -                 tcp
US       199.249.230.86:80     199.249.230.86    tcp
DE       91.143.87.51:443      91.143.87.51      tcp
UA       91.229.76.124:80      91.229.76.124     tcp
FR       62.210.205.228:80     62.210.205.228    tcp
LU       107.189.31.102:80     107.189.31.102    tcp
MY       202.87.221.231:443    -                 tcp

("-" in the Domain column: no name was recorded for the connection. Note: 199.58.81.140:80 is the directory port of the Tor directory authority longclaw, which is what the "Uses Tor communications" signature above reflects. Apart from the DNS resolver 8.8.8.8, api.ipify.org and time-a.nist.gov, no host in this table appears in the behavioral2 trace, so the individual relay addresses are poor indicators; the Tor bootstrap itself is the stable behaviour.)

Files

memory/1828-60-0x0000000075801000-0x0000000075803000-memory.dmp

memory/1828-61-0x00000000000F0000-0x000000000018F000-memory.dmp

\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/1728-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 e5366a5ead8bf0ec08f9e3f4438eaff2
SHA1 ce3c49a04fea3c359481e28e6a0b19b3da8c7a43
SHA256 479c23364dc24b0896cad7371b3fb35e6d167a38a0f1d567659210364f8ca2b9
SHA512 bd6aa869e7f2dd2a8f8bd73bece7d03c810a65af6addef1bc97a8b7f5d8972575b3e870499f52cbc30d1c7d05170ffbd2227d09f17d440d21bfaf694c27ee24a

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-10 09:43

Reported

2021-09-10 09:45

Platform

win10-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.txt.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Uses Tor communications

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.txt.exe N/A
(64 identical hits: the row above was recorded 64 times for test.txt.exe, with no indicator or target captured.)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.txt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4744 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\test.txt.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
PID 4744 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\test.txt.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
(Both writes go from the parent test.txt.exe, PID 4744, into the dropped child GetX64BTIT.exe, PID 4792, which it had just started. This signature did not fire in the behavioral1 (Windows 7) run.)

Processes

C:\Users\Admin\AppData\Local\Temp\test.txt.exe

"C:\Users\Admin\AppData\Local\Temp\test.txt.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country  Destination           Domain              Proto
US       128.31.0.34:9131      128.31.0.34         tcp
US       8.8.8.8:53            api.ipify.org       udp
US       50.16.248.208:443     api.ipify.org       tcp
VN       123.30.128.138:80     123.30.128.138      tcp
US       208.68.4.129:443      -                   tcp
US       8.8.8.8:53            time-a.nist.gov     udp
US       129.6.15.28:13        time-a.nist.gov     tcp
US       8.8.8.8:53            time-a-g.nist.gov   udp
US       129.6.15.28:13        time-a-g.nist.gov   tcp
MY       124.217.246.96:80     124.217.246.96      tcp
SE       213.164.204.171:80    213.164.204.171     tcp
DE       91.143.88.62:80       91.143.88.62        tcp
RU       2.56.241.243:80       2.56.241.243        tcp
SG       27.122.59.100:80      27.122.59.100       tcp
AT       195.144.21.182:443    -                   tcp
US       199.249.230.121:80    199.249.230.121     tcp
DE       5.100.130.237:80      5.100.130.237       tcp
CH       176.10.99.201:80      176.10.99.201       tcp
RO       193.169.145.202:443   -                   tcp
FR       178.20.55.18:80       178.20.55.18        tcp
US       198.98.61.131:80      198.98.61.131       tcp
LU       104.244.77.73:80      104.244.77.73       tcp
ES       31.13.188.43:443      -                   tcp
GR       185.4.132.135:80      185.4.132.135       tcp
PL       192.166.245.82:80     192.166.245.82      tcp

("-" in the Domain column: no name was recorded for the connection. Note: 128.31.0.34:9131 is the directory port of the Tor directory authority moria1. Other than 8.8.8.8, api.ipify.org and 129.6.15.28 (NIST), none of these hosts appears in the behavioral1 trace.)
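The two Network tables above mix sandbox plumbing (the 8.8.8.8 resolver), public services the sample merely uses (api.ipify.org, the NIST daytime server) and the per-run Tor contacts, and some rows carry no Domain field at all. The following script is an added example, not part of the sandbox's report, showing how an analyst would turn such tables into usable indicators: it parses both row shapes, treats a Domain that merely repeats the IP as "no name", classifies each connection, and compares the runs to show which endpoints are stable. The embedded tables are excerpts copied from the report above; the resolver set, the third-party suffix list and the two Tor directory authority addresses (moria1 at 128.31.0.34, longclaw at 199.58.81.140, from the authority list shipped with the Tor client) are the example's own assumptions.

```python
"""Parse the Network tables of a Triage-style sandbox report into classified indicators."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed input: excerpts of the two Network tables in this report, copied row for
# row. A row has four fields (Country Destination Domain Proto) or three when the
# sandbox recorded no domain for the connection.
NETWORK_TABLES = {
    "behavioral1": """\
Country Destination Domain Proto
CA 199.58.81.140:80 199.58.81.140 tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.235.247.117:443 api.ipify.org tcp
GB 109.148.154.231:80 109.148.154.231 tcp
US 23.129.64.135:443 tcp
US 8.8.8.8:53 time-a.nist.gov udp
US 129.6.15.28:13 time-a.nist.gov tcp
US 199.249.230.86:80 199.249.230.86 tcp
""",
    "behavioral2": """\
Country Destination Domain Proto
US 128.31.0.34:9131 128.31.0.34 tcp
US 8.8.8.8:53 api.ipify.org udp
US 50.16.248.208:443 api.ipify.org tcp
VN 123.30.128.138:80 123.30.128.138 tcp
US 208.68.4.129:443 tcp
US 8.8.8.8:53 time-a-g.nist.gov udp
US 129.6.15.28:13 time-a-g.nist.gov tcp
US 199.249.230.121:80 199.249.230.121 tcp
""",
}
SANDBOX_RESOLVERS = {"8.8.8.8"}  # the sandbox's own DNS resolver: plumbing, not an indicator
# Public services the sample contacts (external-IP lookup, NIST daytime): the behaviour
# is suspicious, the endpoints are not attacker infrastructure and must not be blocked.
THIRD_PARTY_SUFFIXES = ("ipify.org", "nist.gov")
# Two Tor directory authorities from the list shipped with the Tor client (moria1, dirport
# 9131; longclaw, dirport 80). Assumed here; re-check against the current list before use.
TOR_DIRECTORY_AUTHORITIES = {"128.31.0.34": "moria1", "199.58.81.140": "longclaw"}


@dataclass(frozen=True)
class Connection:
    country: str
    ip: str
    port: int
    domain: str | None  # None when no name was recorded or the 'Domain' was just the IP
    proto: str


def parse_network_table(text: str) -> list[Connection]:
    """Parse one table; accepts 3- and 4-field rows and normalises 'Domain == IP' to None."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Country":  # blank line or header row
            continue
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:  # Domain column absent for this row
            country, dest, proto = fields
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        host, _, port = dest.rpartition(":")
        ipaddress.ip_address(host)  # ValueError on anything that is not an IP literal
        conns.append(Connection(country, host, int(port), None if domain == host else domain, proto))
    return conns


def classify(conn: Connection) -> str:
    if conn.proto == "udp" and conn.port == 53 and conn.ip in SANDBOX_RESOLVERS:
        return "dns-resolver"
    if conn.domain and conn.domain.endswith(THIRD_PARTY_SUFFIXES):
        return "third-party-service"
    if conn.ip in TOR_DIRECTORY_AUTHORITIES:
        return "tor-directory-authority"
    return "unattributed"


def summarize(conns: list[Connection]) -> dict[str, int]:
    return dict(Counter(classify(c) for c in conns))


def detection_candidates(conns: list[Connection]) -> list[str]:
    """Deduplicated ip:port pairs worth alerting on: Tor bootstrap plus every unattributed host."""
    keep = {"tor-directory-authority", "unattributed"}
    return sorted({f"{c.ip}:{c.port}" for c in conns if classify(c) in keep})


def stable_endpoints(runs: dict[str, list[Connection]]) -> set[str]:
    """ip:port pairs seen in every run. For Tor-routed malware this is normally only
    plumbing and public services: the per-run relay addresses are weak indicators."""
    per_run = [{f"{c.ip}:{c.port}" for c in conns} for conns in runs.values()]
    return set.intersection(*per_run) if per_run else set()


if __name__ == "__main__":
    runs = {name: parse_network_table(t) for name, t in NETWORK_TABLES.items()}
    for name, conns in runs.items():
        print(name, summarize(conns), detection_candidates(conns))
    print("stable across runs:", sorted(stable_endpoints(runs)))
```

Run against the two excerpts, the only endpoints common to both runs are 8.8.8.8:53 and 129.6.15.28:13, and the two detection candidate lists do not intersect at all: the addresses worth keeping are the Tor directory authorities, the rest of the relay traffic is better caught by a "Tor bootstrap from an unexpected host" rule than by an IP blocklist.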

Files

memory/4744-115-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4792-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 15d539e8e79b3c548351c6aef6af719b
SHA1 ecc3ee4883d96ddf84119e43a89f0ff3679a2acc
SHA256 9536b44d18032470ab3c8dc961932d1be985efe84db4f533fbe60e050fcaa425
SHA512 fba69b5fb3c538d435b965387d5fd27d71b16df22df957d1e7545ea3df517d284775d270808718f51251b0031dafb76ca20022f7705f768fda880531db8b0893

(x64btit.txt has different hashes in behavioral1 and behavioral2, so it is produced at run time and its hashes are not reusable indicators. GetX64BTIT.exe is byte-identical in both runs and is the dropped file worth hunting for.)