osiris | b3b3a4a9ac1cc6715d8c875ac34f92708d0b9f91104b793768ed90baa57c97d0

General

Target

Trusteer.exe
Size

3.3MB
MD5

30cb49e14aa0f3247110df5dc1a1690b
SHA1

84521809033b25b01338e3087881d4c37b4d0faa
SHA256

2ad801c4a4f232b02c940858d69c3d3608c6df1606b73c76494e1d7d0d30e761
SHA512

c206045d0c2ba0dfc773bb5b41db0802127d86d521b6fe41523d63e59b79a2657dd960b3ca1dc1be31298279d920f3080a5e72803cd11fe261b32e08cd3577e9
SSDEEP

49152:p7RUQh1V1fO/9DA0q3i9aLrsvHyR15U8dJAsgWpyTulz9b9H5vDCjeMeZi7uax:p711TMeS92r1155A/0ysPZvej3

Score

10^/10

osiris banker botnet evasion

Malware Config

Signatures

Osiris
banker botnet osiris
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Trusteer.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Trusteer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Trusteer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Trusteer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Trusteer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Trusteer.exe

Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

1560 GetX64BTIT.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Trusteer.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine Trusteer.exe
Loads dropped DLL 1 IoCs

Processes:

Trusteer.exe

pid process

2804 Trusteer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Trusteer.exe

pid process

2044 Trusteer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Trusteer.exe

description pid process target process

PID 2044 set thread context of 2804 2044 Trusteer.exe Trusteer.exe

pid	process
1560	GetX64BTIT.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	Trusteer.exe

pid	process
2804	Trusteer.exe

description	pid	process	target process
PID 2044 set thread context of 2804	2044	Trusteer.exe	Trusteer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Trusteer.exeTrusteer.exe

pid	process
2044	Trusteer.exe
2044	Trusteer.exe
2044	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe
2804	Trusteer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Trusteer.exe

pid process

2804 Trusteer.exe

pid	process
2804	Trusteer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Trusteer.exeTrusteer.exe

description	pid	process	target process
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2044 wrote to memory of 2804	2044	Trusteer.exe	Trusteer.exe
PID 2804 wrote to memory of 1560	2804	Trusteer.exe	GetX64BTIT.exe
PID 2804 wrote to memory of 1560	2804	Trusteer.exe	GetX64BTIT.exe
PID 2804 wrote to memory of 1560	2804	Trusteer.exe	GetX64BTIT.exe
PID 2804 wrote to memory of 1560	2804	Trusteer.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\Trusteer.exe
"C:\Users\Admin\AppData\Local\Temp\Trusteer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\Trusteer.exe
"C:\Users\Admin\AppData\Local\Temp\Trusteer.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
3⤵
- Executes dropped EXE
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
2f1184446c98a2aa0b839e6ccfa0138d

SHA1
1039dbc26b41064cc115e9e9b01a0c87ab3d32c2

SHA256
07ca853622f60858c308e3eb566b4b41534bc2b6ad5877967efa89adf0f8f20f

SHA512
56abe97f689ba9ef215dac06cf506cf2507c3ab7f4e1b9667a76c34ca13d652fdd6271f5da173101231a86f237e9988fd3a76f1dc18e0c8fe6d278f37787d14d

Download Submit
memory/2044-24-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-7-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2044-3-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2044-2-0x0000000000960000-0x0000000000962000-memory.dmp

Filesize
8KB

Download
memory/2044-4-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2044-8-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2044-25-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-6-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2044-5-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2044-9-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/2044-10-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2044-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2044-12-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2044-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2044-14-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2044-15-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-16-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-17-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-0-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-19-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-20-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-21-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-22-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-23-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-18-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-1-0x00000000770B0000-0x00000000770B2000-memory.dmp

Filesize
8KB

Download
memory/2044-26-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-30-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2044-34-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2044-39-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download
memory/2804-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-32-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-44-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/2804-37-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-33-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-42-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/2804-40-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-61-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/2804-29-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-43-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-31-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2804-45-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/2804-47-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/2804-48-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/2804-46-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/2804-58-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/2804-56-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2804-60-0x00000000002F0000-0x000000000038F000-memory.dmp

Filesize
636KB

Download
memory/2804-41-0x00000000012C0000-0x0000000001E3E000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads