Malware Analysis Report

2025-01-22 13:29

Sample ID 210926-gesezsedg8
Target 0430.exe
SHA256 f919093797c9392b74e2c55de01ae57892d871a11752b945e291b270c076b732
Tags: osiris, banker, botnet
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f919093797c9392b74e2c55de01ae57892d871a11752b945e291b270c076b732

Threat Level: Known bad

The file 0430.exe was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Loads dropped DLL

Uses Tor communications

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-26 05:43

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-26 05:43

Reported

2021-09-26 05:46

Platform

win10v20210408

Max time kernel

151s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0430.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0430.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0430.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3716 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\0430.exe C:\windows\hh.exe
PID 3716 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\0430.exe C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0430.exe

"C:\Users\Admin\AppData\Local\Temp\0430.exe"

C:\windows\hh.exe

"C:\windows\hh.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network


Files

memory/3716-114-0x0000000000600000-0x0000000000601000-memory.dmp

memory/4012-115-0x0000000000000000-mapping.dmp

memory/3716-116-0x00000000029A0000-0x0000000002A82000-memory.dmp

memory/3716-117-0x0000000000400000-0x0000000000545000-memory.dmp

memory/3716-118-0x0000000002AF0000-0x0000000002B8F000-memory.dmp

memory/784-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 2e98da1f5140ccffb0f95fdd3224d9f1
SHA1 85a0f735625731ea599371b7b89b0d39b629dea6
SHA256 cc947fad01a6a93943b221db7d82573f6b254df8fbe512509e510171755a8a66
SHA512 1433b52c6949345d18ea853e8c1b8af009f3d5119c7f4ef5127e53d4ce20af0ec408597d90f861418431ce3b935e0831f4f6785fdd12c8024e1d5866b072343e

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-26 05:43

Reported

2021-09-26 05:44

Platform

win7-en-20210920

Max time kernel

30s

Max time network

13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0430.exe"

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0430.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Uses Tor communications

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0430.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0430.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0430.exe

"C:\Users\Admin\AppData\Local\Temp\0430.exe"

C:\windows\hh.exe

"C:\windows\hh.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network


Files

memory/856-53-0x0000000074C71000-0x0000000074C73000-memory.dmp

memory/856-54-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1320-55-0x0000000000000000-mapping.dmp

memory/856-57-0x0000000000400000-0x0000000000545000-memory.dmp

memory/856-56-0x0000000002D80000-0x0000000002E62000-memory.dmp

memory/856-58-0x0000000002ED0000-0x0000000002F6F000-memory.dmp

\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/1252-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 f6910c569cc96569de243aafefa83322
SHA1 dc416b9e7405ffb5987522f7be9fc929488563af
SHA256 211c35115088f57811e17dfb6fd68391f12d468b866d2736d88ece063436eff0
SHA512 f8cdcf38b63e101dfbd6eec62ae348993434dff4b7216387487c2b5a97c00142a6b22ff98fe8ee170013fce225bbea4aacd128e13b0a80e6e77846f1759f991a