Overview

overview

10

Static

static

58a27637b0...63.exe

windows7_x64

10

58a27637b0...63.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    173s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58a27637b08f3e978f732e938868f4af3efcf80ac786bdbdcfb00a7a3dd39363.exe

  • Size

    604KB

  • MD5

    64c9a022dc31aa09718455c6a128c4a0

  • SHA1

    6d90828a3b4f2b4469cb87ce4aba6f51e689bb65

  • SHA256

    58a27637b08f3e978f732e938868f4af3efcf80ac786bdbdcfb00a7a3dd39363

  • SHA512

    209ba13229acbe7453c83c2e7a8b01dbeb805347d2e9a2b3fa81822bde538b4a5e013b28439315e54de7e6278a5fce1b07d98ebb27661c4c089735e38c1d659a

Score
10/10
osirisbankerbotnet

Malware Config

Signatures

  • Osiris
    bankerbotnetosiris
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58a27637b08f3e978f732e938868f4af3efcf80ac786bdbdcfb00a7a3dd39363.exe
    "C:\Users\Admin\AppData\Local\Temp\58a27637b08f3e978f732e938868f4af3efcf80ac786bdbdcfb00a7a3dd39363.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\58a27637b08f3e978f732e938868f4af3efcf80ac786bdbdcfb00a7a3dd39363.exe
      C:\Users\Admin\AppData\Local\Temp\58a27637b08f3e978f732e938868f4af3efcf80ac786bdbdcfb00a7a3dd39363.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
        "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
        3⤵
        • Executes dropped EXE
        PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1
T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Filesize

    3KB

    MD5

    b4cd27f2b37665f51eb9fe685ec1d373

    SHA1

    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

    SHA256

    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

    SHA512

    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Filesize

    3KB

    MD5

    b4cd27f2b37665f51eb9fe685ec1d373

    SHA1

    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

    SHA256

    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

    SHA512

    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\x64btit.txt
    Filesize

    28B

    MD5

    fc4681eefc52582d7a52662b660e2081

    SHA1

    f1bb584ef3d1eda70e2aecbe410495875f184628

    SHA256

    9097eacf973387f33e2b46dadc706ce712c6cf9143454db8b1e16f98cd1d93f1

    SHA512

    6d2226dc23c9d06311969eacf45fe1c771df1e62ed0ad56d74ed847dbdd80d53e8084ffb85bc5f23f18db4c0ebbc5975c775265966f204a94e9d9786f76eef40

    Download Submit
  • memory/2536-142-0x0000000000000000-mapping.dmp
    Download
  • memory/2712-136-0x0000000077AC0000-0x0000000077C63000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2712-132-0x00000000022D0000-0x00000000022D7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2712-134-0x00000000022D0000-0x00000000022D7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2712-135-0x00007FF93B270000-0x00007FF93B465000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4340-140-0x0000000000400000-0x000000000049D000-memory.dmp
    Filesize

    628KB

    Download
  • memory/4340-141-0x0000000000060000-0x00000000000FF000-memory.dmp
    Filesize

    636KB

    Download
  • memory/4340-137-0x00007FF93B270000-0x00007FF93B465000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4340-139-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize

    344KB

    Download
  • memory/4340-138-0x0000000077AC0000-0x0000000077C63000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4340-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4340-146-0x00000000005B0000-0x00000000005B7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/4340-147-0x00007FF93B270000-0x00007FF93B465000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4340-148-0x0000000077AC0000-0x0000000077C63000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4340-149-0x0000000000060000-0x00000000000FF000-memory.dmp
    Filesize

    636KB

    Download