osiris | 5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565

General

Target

5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
Size

811KB
MD5

4dde427954743432f72829b418141855
SHA1

2ccb255990d65d18d6be680300f9b8249092f532
SHA256

5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565
SHA512

c370192e94a43fd0f4da2981395332d775be823b8fca128c95990cd9937fea28fb6ac1e1860096184cda82dc6d3e3c04fa167e6cea721bc0a459b25af05d84de

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

5052 GetX64BTIT.exe
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
5052	GetX64BTIT.exe

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2808	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
4752	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3936	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
4224	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
5080	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
1200	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
1944	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
608	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
4784	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3840	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
4368	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3844	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
1832	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
2384	3124	WerFault.exe	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe

pid	process
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe

pid process

3124 5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe

description	pid	process	target process
PID 3124 wrote to memory of 5052	3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe	GetX64BTIT.exe
PID 3124 wrote to memory of 5052	3124	5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe
"C:\Users\Admin\AppData\Local\Temp\5d779c5adeeea47cdfe6561bbb8c8a4a2d7e9eeab12b0482208be845be933565.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 532
2⤵
- Program crash
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 536
2⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 552
2⤵
- Program crash
PID:3936

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 648
2⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 712
2⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 948
2⤵
- Program crash
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 956
2⤵
- Program crash
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1088
2⤵
- Program crash
PID:608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1108
2⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1100
2⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1132
2⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 796
2⤵
- Program crash
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1124
2⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 736
2⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3124 -ip 3124
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3124 -ip 3124
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3124 -ip 3124
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3124 -ip 3124
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3124 -ip 3124
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3124 -ip 3124
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3124 -ip 3124
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3124 -ip 3124
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3124 -ip 3124
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3124 -ip 3124
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3124 -ip 3124
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3124 -ip 3124
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3124 -ip 3124
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3124 -ip 3124
1⤵
PID:3452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
2d5f04335639b8364d1ea837fabd25aa

SHA1
8903ee53408cbcf293cb386287bad79427485d22

SHA256
d3fea1c057b4b15599029e0b0c04d0356740d7eafd6aeaa64ea1acea51a9f487

SHA512
778cf5ede96d4f54886c81c9b6c9859a4e2684c53d4d5308a1e06001ec8b8bde42c3b5779535506cd2d16226adc974c17879b9c3579a1bcac5817b5e93044b9b

Download Submit
memory/3124-130-0x0000000007A9B000-0x0000000007AEF000-memory.dmp

Filesize
336KB

Download
memory/3124-131-0x0000000009820000-0x0000000009874000-memory.dmp

Filesize
336KB

Download
memory/3124-133-0x0000000009880000-0x000000000991F000-memory.dmp

Filesize
636KB

Download
memory/3124-132-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5052-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads