osiris | 2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632

General

Target

2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
Size

573KB
MD5

8b16960a57d58c33caaa19bc139e3ebb
SHA1

f86cad09d3e1502f1b441148ea4c2bb47d3e6d38
SHA256

2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632
SHA512

53dd710d1c2f2f9a996065f03000b617466ff25d26d109c1fe35e0a1a88f7a54dcd2e982bd44d39d52e5cf2ce6857ea4fa0f659b26a53034c7a762920be16085

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

4432 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 api.ipify.org
14 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
4432	GetX64BTIT.exe

flow	ioc
15	api.ipify.org
14	api.ipify.org

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2480	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
1652	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
4248	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
4300	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
4728	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2704	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
328	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
3840	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
1204	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
1264	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
3004	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
1196	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
4256	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2208	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2312	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
1984	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2476	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
4304	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
1744	2676	WerFault.exe	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe

pid	process
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe

pid process

2676 2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe

description	pid	process	target process
PID 2676 wrote to memory of 4432	2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe	GetX64BTIT.exe
PID 2676 wrote to memory of 4432	2676	2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe
"C:\Users\Admin\AppData\Local\Temp\2fc09dd0129e630bd1ab8e6e7406dedab6a21d366bfabf207b6085c8eb478632.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 612
2⤵
- Program crash
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 644
2⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 644
2⤵
- Program crash
PID:4248

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 884
2⤵
- Program crash
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 932
2⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1084
2⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1092
2⤵
- Program crash
PID:328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1088
2⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1092
2⤵
- Program crash
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1088
2⤵
- Program crash
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 668
2⤵
- Program crash
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1096
2⤵
- Program crash
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1100
2⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1132
2⤵
- Program crash
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1080
2⤵
- Program crash
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1172
2⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1180
2⤵
- Program crash
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1180
2⤵
- Program crash
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1156
2⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2676 -ip 2676
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2676 -ip 2676
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2676 -ip 2676
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2676 -ip 2676
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2676 -ip 2676
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2676 -ip 2676
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2676 -ip 2676
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2676 -ip 2676
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2676 -ip 2676
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2676 -ip 2676
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2676 -ip 2676
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2676 -ip 2676
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2676 -ip 2676
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2676 -ip 2676
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2676 -ip 2676
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2676 -ip 2676
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2676 -ip 2676
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2676 -ip 2676
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2676 -ip 2676
1⤵
PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
c9f149dce94b8e990fcb9db13ec43b65

SHA1
fd70e696306ae1bed76506bbfe36f8b4a9d496a0

SHA256
6990661403d1164469f338f711bce0287f8242f0fea99c5caddb15e7e3387947

SHA512
c636d951938b2e93e9f80d64ffb1209f30fb13e2b1d9f35ff9f4d0f1daba76502d242ed3c9fb1dffb1577c144a17b5cc57d84c0ac7ea3207fc8d7627ab297b23

Download Submit
memory/2676-133-0x0000000000897000-0x00000000008EB000-memory.dmp

Filesize
336KB

Download
memory/2676-134-0x0000000000980000-0x00000000009D4000-memory.dmp

Filesize
336KB

Download
memory/2676-135-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2676-136-0x00000000009E0000-0x0000000000A7F000-memory.dmp

Filesize
636KB

Download
memory/2676-141-0x0000000000897000-0x00000000008EB000-memory.dmp

Filesize
336KB

Download
memory/2676-142-0x00000000009E0000-0x0000000000A7F000-memory.dmp

Filesize
636KB

Download
memory/4432-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads