Overview

overview

10

Static

static

3

Trusteer.exe

windows7-x64

10

Trusteer.exe

windows10-2004-x64

10

__MACOSX/....er.exe

windows7-x64

__MACOSX/....er.exe

windows10-2004-x64

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2024 21:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trusteer.exe

  • Size

    3.3MB

  • MD5

    30cb49e14aa0f3247110df5dc1a1690b

  • SHA1

    84521809033b25b01338e3087881d4c37b4d0faa

  • SHA256

    2ad801c4a4f232b02c940858d69c3d3608c6df1606b73c76494e1d7d0d30e761

  • SHA512

    c206045d0c2ba0dfc773bb5b41db0802127d86d521b6fe41523d63e59b79a2657dd960b3ca1dc1be31298279d920f3080a5e72803cd11fe261b32e08cd3577e9

  • SSDEEP

    49152:p7RUQh1V1fO/9DA0q3i9aLrsvHyR15U8dJAsgWpyTulz9b9H5vDCjeMeZi7uax:p711TMeS92r1155A/0ysPZvej3

Score
10/10
osirisbankerbotnetevasion

Malware Config

Signatures

  • Osiris
    bankerbotnetosiris
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trusteer.exe
    "C:\Users\Admin\AppData\Local\Temp\Trusteer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\Trusteer.exe
      "C:\Users\Admin\AppData\Local\Temp\Trusteer.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
        "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
        3⤵
        • Executes dropped EXE
        PID:1560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Filesize

    3KB

    MD5

    b4cd27f2b37665f51eb9fe685ec1d373

    SHA1

    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

    SHA256

    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

    SHA512

    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\x64btit.txt
    Filesize

    28B

    MD5

    2f1184446c98a2aa0b839e6ccfa0138d

    SHA1

    1039dbc26b41064cc115e9e9b01a0c87ab3d32c2

    SHA256

    07ca853622f60858c308e3eb566b4b41534bc2b6ad5877967efa89adf0f8f20f

    SHA512

    56abe97f689ba9ef215dac06cf506cf2507c3ab7f4e1b9667a76c34ca13d652fdd6271f5da173101231a86f237e9988fd3a76f1dc18e0c8fe6d278f37787d14d

    Download Submit

  • memory/2044-24-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-7-0x0000000000450000-0x0000000000451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-3-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-2-0x0000000000960000-0x0000000000962000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2044-4-0x0000000001000000-0x0000000001001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-8-0x0000000000970000-0x0000000000971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-25-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-6-0x0000000001070000-0x0000000001071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-5-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-9-0x0000000001060000-0x0000000001061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-10-0x0000000000440000-0x0000000000441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-12-0x0000000000430000-0x0000000000431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-14-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-15-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-16-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-17-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-0-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-19-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-20-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-21-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-22-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-23-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-18-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-1-0x00000000770B0000-0x00000000770B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2044-26-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-30-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2044-34-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-39-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2804-28-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-32-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-27-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-44-0x00000000002F0000-0x000000000038F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2804-37-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-33-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-42-0x00000000002F0000-0x000000000038F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2804-40-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-61-0x00000000002F0000-0x000000000038F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2804-29-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-43-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-31-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2804-45-0x00000000002F0000-0x000000000038F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2804-47-0x00000000002F0000-0x000000000038F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2804-48-0x00000000002F0000-0x000000000038F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2804-46-0x00000000002F0000-0x000000000038F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2804-58-0x0000000000080000-0x000000000009E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2804-56-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2804-60-0x00000000002F0000-0x000000000038F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2804-41-0x00000000012C0000-0x0000000001E3E000-memory.dmp

    Filesize

    11.5MB

    Download