osiris | 6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239

Resubmissions

22-09-2021 14:13

210922-rjttqachf8 10

Analysis

max time kernel
301s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
Size

434KB
MD5

556c756b428b0a6f1516de031c3bfdb3
SHA1

d4a8195611ac93a268b0ebdc14319a75de856725
SHA256

6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239
SHA512

0e6ffc8dd5dda62a3936a5ea311a9e7007f27ead2f86f9f3f17510a78d2181b16473c69b3b5aa465f68042adef0d95fa8403f9d5bb106dbb4896750caef60a26
SSDEEP

12288:rXPcLcbGfVylwG/ZDCK/ScBXo8TsyMkKMY8m7WOK9SATTsx/SA/WegYfdNbrqnuh:rXh6XcBXo8TsL8Y8m/ATTySA/DrfdNb7

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 1 IoCs

pid	Process
4668	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	api.ipify.org
44	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4668	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	90
PID 5080 wrote to memory of 4668	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	90
PID 5080 wrote to memory of 4568	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	77
PID 5080 wrote to memory of 4848	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	78
PID 5080 wrote to memory of 3340	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	79
PID 5080 wrote to memory of 3996	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	80
PID 5080 wrote to memory of 4744	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	81
PID 5080 wrote to memory of 2924	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	83
PID 5080 wrote to memory of 3624	5080	6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe	84
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99
PID 4568 wrote to memory of 1528	4568	msedge.exe	99

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffc479f2e98,0x7ffc479f2ea4,0x7ffc479f2eb0
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2248 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3316 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3324 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5404 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5508 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3632 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3528 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:4080

C:\Users\Admin\AppData\Local\Temp\6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe
"C:\Users\Admin\AppData\Local\Temp\6b64ec1c1ec9e8eb486f721c283d377a2e52f177e9f947d0d217ce84685ed239.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
36KB

MD5
aea93405108f047a4fd4d57e299045af

SHA1
16ca0dce6847e94aacce4b48406681fcdfd61ca4

SHA256
a4dcd92f60953806e494fcd8ea5c40f68d2b19433e744cacefec258636051767

SHA512
5dd5ba0a270eeb0eba36a2de3c523973808943195c01eb40db7c6d679c95a5f50ddc21bac956b4cb4c17a10bbf65bf4f34d6706b3ffbe5290c8bbfef55ef964d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
ea5ae38ea1840c98d85cfc21672f82eb

SHA1
6f0a523ca623d87289f9c3e411710fd1fb2a98b1

SHA256
cfddf64b1f58920041f3d16b5f45a461b2053656c55a01dda5c6c4df2ec12177

SHA512
8b029480bf090fa4229a663037d5509cae4c7fb87f83ee2d1c0f881fab231074cc3fb08ac6f73d9a39c4c03bfe4dbbe5d575faaccf377f0be3d3a1e6e07bac2b

Download Submit