osiris | 07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce

General

Target

07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
Size

804KB
MD5

779c916f06f8af3285ee0f68c885e190
SHA1

ed7148c43abe6c5e5245e87f2a2d9d15472c2322
SHA256

07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce
SHA512

ba4dd27afab32ac376dbc357c94dccf3a2f8409eb485f7891dad66ea7dc27419cea5c012b0534b983f0fb5e8e084d3e0660854e3f7e4ac094e3c644d284707dd

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

4544 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 api.ipify.org
14 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
4544	GetX64BTIT.exe

flow	ioc
15	api.ipify.org
14	api.ipify.org

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4892	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
2172	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
3112	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4636	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4928	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4764	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
1432	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
1336	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
212	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
1996	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
3124	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
3524	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4740	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4516	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
3140	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4116	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
2500	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
2528	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
3716	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
824	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
5100	4064	WerFault.exe	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe

pid	process
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe

pid process

4064 07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe

description	pid	process	target process
PID 4064 wrote to memory of 4544	4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe	GetX64BTIT.exe
PID 4064 wrote to memory of 4544	4064	07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe
"C:\Users\Admin\AppData\Local\Temp\07a18b754b23c2c60611157505d1f5bb4f5632c7759f5dc1de210b345a6041ce.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 484
2⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 536
2⤵
- Program crash
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 576
2⤵
- Program crash
PID:3112

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 836
2⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 920
2⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 956
2⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 964
2⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1088
2⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1108
2⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1092
2⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1088
2⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1140
2⤵
- Program crash
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1132
2⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1080
2⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1132
2⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1136
2⤵
- Program crash
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 836
2⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1108
2⤵
- Program crash
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 836
2⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1104
2⤵
- Program crash
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1160
2⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4064 -ip 4064
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4064 -ip 4064
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4064 -ip 4064
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4064 -ip 4064
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4064 -ip 4064
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4064 -ip 4064
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4064 -ip 4064
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4064 -ip 4064
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4064 -ip 4064
1⤵
PID:176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4064 -ip 4064
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4064 -ip 4064
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4064 -ip 4064
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4064 -ip 4064
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4064 -ip 4064
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4064 -ip 4064
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4064 -ip 4064
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4064 -ip 4064
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4064 -ip 4064
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4064 -ip 4064
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4064 -ip 4064
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4064 -ip 4064
1⤵
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
eee033665e5e6483aa175b6587d3c4cc

SHA1
6efdd028575acc7dba464e690ca17fba256ce4b7

SHA256
99980ecf0feb81d8e4d11a0342d1a89d3a75ae9d9f77ee59877ad17f6701133a

SHA512
2ec3ab857c4d8dae8e8407de0b4ec1ee54c5645ac75b4218f3ab13eb6e72d4f829902efd9d318dde2ad20991943ed1934c2915de14be2e78e3e1de16992c5bd0

Download Submit
memory/4064-130-0x00000000079F4000-0x0000000007A49000-memory.dmp

Filesize
340KB

Download
memory/4064-131-0x0000000007D10000-0x0000000007D64000-memory.dmp

Filesize
336KB

Download
memory/4064-132-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4064-133-0x0000000007D70000-0x0000000007E0F000-memory.dmp

Filesize
636KB

Download
memory/4544-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads