Overview

overview

10

Static

static

3

Trusteer.exe

windows7-x64

10

Trusteer.exe

windows10-2004-x64

10

__MACOSX/....er.exe

windows7-x64

__MACOSX/....er.exe

windows10-2004-x64

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2024, 21:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trusteer.exe

  • Size

    3.3MB

  • MD5

    30cb49e14aa0f3247110df5dc1a1690b

  • SHA1

    84521809033b25b01338e3087881d4c37b4d0faa

  • SHA256

    2ad801c4a4f232b02c940858d69c3d3608c6df1606b73c76494e1d7d0d30e761

  • SHA512

    c206045d0c2ba0dfc773bb5b41db0802127d86d521b6fe41523d63e59b79a2657dd960b3ca1dc1be31298279d920f3080a5e72803cd11fe261b32e08cd3577e9

  • SSDEEP

    49152:p7RUQh1V1fO/9DA0q3i9aLrsvHyR15U8dJAsgWpyTulz9b9H5vDCjeMeZi7uax:p711TMeS92r1155A/0ysPZvej3

Score
10/10
osirisbankerbotnetevasion

Malware Config

Signatures

  • Osiris
    bankerbotnetosiris
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trusteer.exe
    "C:\Users\Admin\AppData\Local\Temp\Trusteer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\Trusteer.exe
      "C:\Users\Admin\AppData\Local\Temp\Trusteer.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
        "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
        3⤵
        • Executes dropped EXE
        PID:3692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Filesize

    3KB

    MD5

    b4cd27f2b37665f51eb9fe685ec1d373

    SHA1

    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

    SHA256

    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

    SHA512

    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\x64btit.txt
    Filesize

    28B

    MD5

    789e87462a40fc88463756828e3188a8

    SHA1

    aef5c5169d30a711c4f2752f73363d93875943a0

    SHA256

    b96c85480cfb60b82d95fcf6135a1efca96437553fed56228fbb87e85e89bedd

    SHA512

    7afb1ca75cd529192126cf153cc90137573d83c7d2bc90ea4e7fdbd2180cf9b3f4210bcacc5fb24c95a1d2423af947a0cd50bcfd043df109161c2036b9606b54

    Download Submit

  • memory/540-18-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-19-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-4-0x0000000005380000-0x0000000005381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/540-5-0x0000000005330000-0x0000000005331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/540-6-0x00000000053B0000-0x00000000053B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/540-7-0x00000000053A0000-0x00000000053A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/540-8-0x0000000005370000-0x0000000005371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/540-9-0x0000000005320000-0x0000000005321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/540-10-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-11-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-12-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-13-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-14-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-15-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-16-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-17-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-3-0x0000000005350000-0x0000000005351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/540-0-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-20-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-21-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-1-0x00000000779D4000-0x00000000779D6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/540-23-0x00000000006E0000-0x000000000125E000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/540-2-0x0000000005340000-0x0000000005341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3848-27-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3848-28-0x0000000001890000-0x000000000192F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3848-29-0x0000000001890000-0x000000000192F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3848-30-0x0000000001890000-0x000000000192F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3848-31-0x0000000001890000-0x000000000192F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3848-33-0x0000000001890000-0x000000000192F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3848-25-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3848-22-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3848-40-0x0000000001890000-0x000000000192F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3848-41-0x0000000001890000-0x000000000192F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/3848-42-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3848-43-0x0000000001890000-0x000000000192F000-memory.dmp

    Filesize

    636KB

    Download