osiris | a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3

Resubmissions

17-04-2024 08:47

240417-kp44baac28 10

17-04-2024 08:47

17-04-2024 08:47

17-04-2024 08:47

17-04-2024 08:47

17-04-2024 06:23

Analysis

max time kernel
300s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-04-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
Size

1.3MB
MD5

b56f2fa2ff6e06da3932ffa70b8440c5
SHA1

9136b20d2fd9d4ea09981df6552f2691f13ab997
SHA256

a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3
SHA512

dad969a36e05dfff7c62ec4b74986a2b71f0d7e2d64208e9c0bbbd9cf945c238d82f13bbeb56cf1336fc9078ed10ef0ab6d376546f8e9880f5d94f9004d90ccb
SSDEEP

12288:hD0Yxtmgcj3DKjs16MKYIjhy+AC5j6vfNqn:hQYxtmiEEYIjhyQj6vfNqn

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 1 IoCs

pid	Process
3264	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3264	4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe	73
PID 4424 wrote to memory of 3264	4424	a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe	73

C:\Users\Admin\AppData\Local\Temp\a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe
"C:\Users\Admin\AppData\Local\Temp\a55da20fb4e6a4a88b2eef5b7c68146c2f33ffca24571a95ee7d29b638aa48f3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
65f0f7363a7f99042b019a3394d49727

SHA1
22de97c46630056ae9a95f7449f3cf287a619ece

SHA256
ae58da75524854909712e5cc69e276f1751a99eaa9da2b5d302a5256d1b35397

SHA512
9614dbac0193737efdb8649fa693090fa2f7a7997b2887729b5f7a211851c4b4be1aa241e98f7ec8ac32adfbced00245f73265d8f1f1e9913a0618017759ec26

Download Submit
memory/4424-18-0x0000000000400000-0x00000000051BC000-memory.dmp

Filesize
77.7MB

Download
memory/4424-46-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-5-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-6-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-8-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-3-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-2-0x0000000005620000-0x0000000005687000-memory.dmp

Filesize
412KB

Download
memory/4424-15-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-16-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-17-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-51-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-4-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-25-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-23-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-22-0x0000000005250000-0x0000000005350000-memory.dmp

Filesize
1024KB

Download
memory/4424-27-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-29-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-33-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-36-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-42-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-44-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-19-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-48-0x0000000005710000-0x00000000057D6000-memory.dmp

Filesize
792KB

Download
memory/4424-1-0x0000000005250000-0x0000000005350000-memory.dmp

Filesize
1024KB

Download