osiris | 5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132

Resubmissions

17-04-2024 11:52

240417-n169ladg88 10

17-04-2024 11:52

17-04-2024 11:52

17-04-2024 11:52

17-04-2024 11:52

16-04-2024 13:36

Analysis

max time kernel
1210s
max time network
1221s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
Size

1.3MB
MD5

02f1eaa4a9a976453c2edcdf35eb5267
SHA1

8dcc6ef3efb3a468457f0eacac4916b4de1a269a
SHA256

5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132
SHA512

de2454c505d6d45163ab985e16ec57146753d2f521eac9cf6f944604740c408e2ef749a6a0eb04e8cdd5f3fc39ce5327916fa07a6e91f46e4c296bb81e064362
SSDEEP

12288:hD0Yxtmgcj3DKjs16MKYIjhy+AC5j6vfNqM:hQYxtmiEEYIjhyQj6vfNqM

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 1 IoCs

pid	Process
2656	GetX64BTIT.exe

Loads dropped DLL 1 IoCs

pid	Process
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2656	2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe	30
PID 2664 wrote to memory of 2656	2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe	30
PID 2664 wrote to memory of 2656	2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe	30
PID 2664 wrote to memory of 2656	2664	5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe	30

C:\Users\Admin\AppData\Local\Temp\5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe
"C:\Users\Admin\AppData\Local\Temp\5cb37592f7d36143707c41a09c92f511323eae1fadfa1dc116d4099e27f11132.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
ae4c09b44064603ba637e8c842454393

SHA1
e782727dabb03a03b45e9e8f012d15648a96f590

SHA256
5a741086bc7fb2980291b06c8f45eea41fa2912d4dafad2a3a4cb2b6927ce514

SHA512
7ec20183e20864f67161b595270214332a0bbf3a6c8d16ae4555aec4ce5c30a009145185f8e7b538c05b3a03e40056df204515ae13728b771630cd6bc1e17e12

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/2664-24-0x00000000052C0000-0x00000000053C0000-memory.dmp

Filesize
1024KB

Download
memory/2664-5-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-26-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-29-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-8-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-3-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-2-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2664-16-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2664-18-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/2664-20-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-21-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-22-0x0000000000400000-0x00000000051BC000-memory.dmp

Filesize
77.7MB

Download
memory/2664-75-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-4-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-6-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-31-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-34-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-39-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-44-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-48-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-51-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-56-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-63-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-68-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-72-0x00000000053C0000-0x0000000005486000-memory.dmp

Filesize
792KB

Download
memory/2664-1-0x00000000052C0000-0x00000000053C0000-memory.dmp

Filesize
1024KB

Download