Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a55da20fb4...f3.exe

windows7-x64

10

a55da20fb4...f3.exe

windows10-1703-x64

10

a55da20fb4...f3.exe

windows10-2004-x64

10

a55da20fb4...f3.exe

windows11-21h2-x64

3

Analysis

  • max time kernel
    300s
  • max time network
    284s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16/04/2024, 13:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe

  • Size

    1.3MB

  • MD5

    b56f2fa2ff6e06da3932ffa70b8440c5

  • SHA1

    9136b20d2fd9d4ea09981df6552f2691f13ab997

  • SHA256

    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3

  • SHA512

    dad969a36e05dfff7c62ec4b74986a2b71f0d7e2d64208e9c0bbbd9cf945c238d82f13bbeb56cf1336fc9078ed10ef0ab6d376546f8e9880f5d94f9004d90ccb

  • SSDEEP

    12288:hD0Yxtmgcj3DKjs16MKYIjhy+AC5j6vfNqn:hQYxtmiEEYIjhyQj6vfNqn

Score
10/10
osirisbankerbotnet

Malware Config

Signatures

  • Osiris
    bankerbotnetosiris
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    "C:\Users\Admin\AppData\Local\Temp\a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      2⤵
      • Executes dropped EXE
      PID:2736

Network

  • flag-us
    GET
    http://66.111.2.131/tor/status-vote/current/consensus
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    66.111.2.131:9030
    Request
    GET /tor/status-vote/current/consensus HTTP/1.0
    Host: 66.111.2.131
    Response
    HTTP/1.0 503 Directory busy, try again later
    Date: Tue, 16 Apr 2024 13:56:53 GMT
  • flag-us
    DNS
    api.ipify.org
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    104.26.12.205
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    172.67.74.152
  • flag-ca
    GET
    http://199.58.81.140/tor/status-vote/current/consensus
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    199.58.81.140:80
    Request
    GET /tor/status-vote/current/consensus HTTP/1.0
    Host: 199.58.81.140
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 13:57:36 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Tue, 16 Apr 2024 14:00:00 GMT
    Vary: X-Or-Diff-From-Consensus
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/be2b68b8b88bfc353302360d58acf9bd9ba98024
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/be2b68b8b88bfc353302360d58acf9bd9ba98024 HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 13:57:38 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Thu, 18 Apr 2024 13:57:38 GMT
  • flag-us
    DNS
    time-a.nist.gov
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    8.8.8.8:53
    Request
    time-a.nist.gov
    IN A
    Response
    time-a.nist.gov
    IN CNAME
    time-a-g.nist.gov
    time-a-g.nist.gov
    IN A
    129.6.15.28
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/566068b738ee8067e42520934004fb6b486951c1
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/566068b738ee8067e42520934004fb6b486951c1 HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 13:58:09 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Thu, 18 Apr 2024 13:58:09 GMT
  • flag-us
    GET
    http://216.218.219.41/tor/server/fp/b4e3546b058feb655a6d8698d97c1459a2df8e77
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    216.218.219.41:80
    Request
    GET /tor/server/fp/b4e3546b058feb655a6d8698d97c1459a2df8e77 HTTP/1.0
    Host: 216.218.219.41
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 13:58:40 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Thu, 18 Apr 2024 13:58:40 GMT
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/e5c28466622071117c8c036873d3fcab74a7c480
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/e5c28466622071117c8c036873d3fcab74a7c480 HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 13:59:20 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Thu, 18 Apr 2024 13:59:20 GMT
  • flag-us
    GET
    http://216.218.219.41/tor/server/fp/3e60e5a31c58f30f9e5a2a2686cd2e20ff54b4fa
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    216.218.219.41:80
    Request
    GET /tor/server/fp/3e60e5a31c58f30f9e5a2a2686cd2e20ff54b4fa HTTP/1.0
    Host: 216.218.219.41
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 13:59:51 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Thu, 18 Apr 2024 13:59:51 GMT
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/4d3a3e3f98ceaef2e25a957574190c1ea6a7f7d1
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/4d3a3e3f98ceaef2e25a957574190c1ea6a7f7d1 HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 14:00:22 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Thu, 18 Apr 2024 14:00:22 GMT
  • flag-us
    GET
    http://216.218.219.41/tor/server/fp/0a8a7fca7b87d7da66609aa5574983d86ae31fb8
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    216.218.219.41:80
    Request
    GET /tor/server/fp/0a8a7fca7b87d7da66609aa5574983d86ae31fb8 HTTP/1.0
    Host: 216.218.219.41
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 14:01:04 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Thu, 18 Apr 2024 14:01:04 GMT
  • flag-us
    GET
    http://216.218.219.41/tor/server/fp/07c17931ae2e17f95681fa2a91c7f7cdb068bf48
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    Remote address:
    216.218.219.41:80
    Request
    GET /tor/server/fp/07c17931ae2e17f95681fa2a91c7f7cdb068bf48 HTTP/1.0
    Host: 216.218.219.41
    Response
    HTTP/1.0 200 OK
    Date: Tue, 16 Apr 2024 14:01:35 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 191.101.209.39
    Content-Encoding: identity
    Expires: Thu, 18 Apr 2024 14:01:35 GMT
  • 66.111.2.131:9030
    http://66.111.2.131/tor/status-vote/current/consensus
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    302 B
     257 B
     5
    4

    HTTP Request

    GET http://66.111.2.131/tor/status-vote/current/consensus

    HTTP Response

    503
  • 128.31.0.34:9131
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    152 B
     3
  • 154.35.175.225:80
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    152 B
     3
  • 104.26.12.205:443
    api.ipify.org
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    394 B
     259 B
     6
    6
  • 199.58.81.140:80
    http://199.58.81.140/tor/status-vote/current/consensus
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    91.0kB
     3.3MB
     1699
    2370

    HTTP Request

    GET http://199.58.81.140/tor/status-vote/current/consensus

    HTTP Response

    200
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/be2b68b8b88bfc353302360d58acf9bd9ba98024
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    371 B
     3.0kB
     6
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/be2b68b8b88bfc353302360d58acf9bd9ba98024

    HTTP Response

    200
  • 89.58.3.114:443
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    372 B
     259 B
     6
    6
  • 129.6.15.28:13
    time-a.nist.gov
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    190 B
     223 B
     4
    4
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/566068b738ee8067e42520934004fb6b486951c1
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    371 B
     3.5kB
     6
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/566068b738ee8067e42520934004fb6b486951c1

    HTTP Response

    200
  • 146.56.99.34:443
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    372 B
     259 B
     6
    6
  • 216.218.219.41:80
    http://216.218.219.41/tor/server/fp/b4e3546b058feb655a6d8698d97c1459a2df8e77
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    371 B
     3.4kB
     6
    6

    HTTP Request

    GET http://216.218.219.41/tor/server/fp/b4e3546b058feb655a6d8698d97c1459a2df8e77

    HTTP Response

    200
  • 130.225.244.90:443
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    372 B
     259 B
     6
    6
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/e5c28466622071117c8c036873d3fcab74a7c480
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    371 B
     2.7kB
     6
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/e5c28466622071117c8c036873d3fcab74a7c480

    HTTP Response

    200
  • 195.90.217.16:443
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    372 B
     259 B
     6
    6
  • 216.218.219.41:80
    http://216.218.219.41/tor/server/fp/3e60e5a31c58f30f9e5a2a2686cd2e20ff54b4fa
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    371 B
     3.5kB
     6
    6

    HTTP Request

    GET http://216.218.219.41/tor/server/fp/3e60e5a31c58f30f9e5a2a2686cd2e20ff54b4fa

    HTTP Response

    200
  • 143.47.35.181:443
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    507 B
     271 B
     7
    6
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/4d3a3e3f98ceaef2e25a957574190c1ea6a7f7d1
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    371 B
     2.8kB
     6
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/4d3a3e3f98ceaef2e25a957574190c1ea6a7f7d1

    HTTP Response

    200
  • 58.185.69.245:443
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    372 B
     259 B
     6
    6
  • 216.218.219.41:80
    http://216.218.219.41/tor/server/fp/0a8a7fca7b87d7da66609aa5574983d86ae31fb8
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    371 B
     3.1kB
     6
    6

    HTTP Request

    GET http://216.218.219.41/tor/server/fp/0a8a7fca7b87d7da66609aa5574983d86ae31fb8

    HTTP Response

    200
  • 176.123.4.96:443
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    507 B
     259 B
     7
    6
  • 216.218.219.41:80
    http://216.218.219.41/tor/server/fp/07c17931ae2e17f95681fa2a91c7f7cdb068bf48
    http
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    417 B
     2.8kB
     7
    6

    HTTP Request

    GET http://216.218.219.41/tor/server/fp/07c17931ae2e17f95681fa2a91c7f7cdb068bf48

    HTTP Response

    200
  • 77.68.20.86:443
    tls
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    279 B
     179 B
     4
    4
  • 8.8.8.8:53
    api.ipify.org
    dns
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    59 B
     107 B
     1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.26.12.205
    104.26.13.205
    172.67.74.152

  • 8.8.8.8:53
    time-a.nist.gov
    dns
    a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
    61 B
     100 B
     1
    1

    DNS Request

    time-a.nist.gov

    DNS Response

    129.6.15.28

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Filesize

    3KB

    MD5

    b4cd27f2b37665f51eb9fe685ec1d373

    SHA1

    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

    SHA256

    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

    SHA512

    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\x64btit.txt
    Filesize

    28B

    MD5

    9a28d8f80a3bd43191a83f9801035486

    SHA1

    b4f1a0d6bc9b6bb954b4ad05aa0f54865ec18eb6

    SHA256

    3843c40ddd9a54d89f56b73e04c93fdb6fbe8a4d55982dee494d236be0ec312d

    SHA512

    efb93f8cf8a2c66f7a732cf792461faf097125a086f782a69a81ab8a1ed108352c0ea01e2a9f55011635b8210fdff54e9d3de17a8befed75b43146dc67330b06

    Download Submit

  • memory/2884-18-0x0000000000290000-0x00000000002AF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2884-54-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-5-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-6-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-7-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-8-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-2-0x0000000000220000-0x0000000000287000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2884-3-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-21-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-20-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-1-0x00000000052C0000-0x00000000053C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2884-16-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2884-4-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-27-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-22-0x0000000000400000-0x00000000051BC000-memory.dmp

    Filesize

    77.7MB

    Download

  • memory/2884-28-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-33-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-38-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-43-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-44-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-49-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-24-0x00000000052C0000-0x00000000053C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2884-60-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-61-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2884-66-0x0000000000330000-0x00000000003F6000-memory.dmp

    Filesize

    792KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.