osiris | 0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69

General

Target

0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
Size

507KB
MD5

e38d0d5ef1f8dd657479d08248dd83a1
SHA1

85df1e4f362b0bd9f48016b7f155aa757f7bc1d7
SHA256

0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69
SHA512

212d9a356406bacc8f8f388b195fd22fcf02757da5543e7a5f5d66d09b84ee310a9359cf8f979ee0923889862b48ba1ed02fb60fea0b4bd3486a930f4a3d690b

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
19	api.ipify.org

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe

pid	process
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
2360	0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe

pid process

2360 0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe

C:\Users\Admin\AppData\Local\Temp\0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe
"C:\Users\Admin\AppData\Local\Temp\0664c46691135a3d6015354e0f0c54fd09fed20ab5b8b2582c799dfe35d2dd69.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-130-0x0000000000660000-0x00000000006B3000-memory.dmp

Filesize
332KB

Download
memory/2360-131-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2360-133-0x0000000000600000-0x0000000000605000-memory.dmp

Filesize
20KB

Download
memory/2360-132-0x00000000021C0000-0x0000000002265000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing