osiris | ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a

Resubmissions

17/04/2024, 12:19

240417-pg5r4afh91 10

17/04/2024, 12:18

17/04/2024, 12:18

17/04/2024, 12:18

17/04/2024, 12:18

16/04/2024, 14:07

Analysis

max time kernel
330s
max time network
250s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
Size

1.3MB
MD5

40755985ba0182b59a34909770557b77
SHA1

68752dead25052420fd8e5b94c867233accad1f4
SHA256

ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a
SHA512

788ec7a6c08ac4fb23e1489489152048c9663a3bcdebe767e3db304b5955f430c6bd06a16550b8c9c6bd5229a7cf2c5d1ca1ce6e40e1cbc0f2104d2630f7c507
SSDEEP

12288:hD0Yxtmgcj3DKjs16MKYIjhy+AC5j6vfNqi:hQYxtmiEEYIjhyQj6vfNqi

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 1 IoCs

pid	Process
648	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	api.ipify.org
47	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 648	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	93
PID 2800 wrote to memory of 648	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	93
PID 2800 wrote to memory of 892	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	73
PID 2800 wrote to memory of 2916	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	74
PID 2800 wrote to memory of 5056	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	75
PID 2800 wrote to memory of 2256	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	76
PID 2800 wrote to memory of 4824	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	77
PID 2800 wrote to memory of 5048	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	78
PID 2800 wrote to memory of 4520	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	79
PID 892 wrote to memory of 116	892	msedge.exe	101
PID 892 wrote to memory of 116	892	msedge.exe	101
PID 2800 wrote to memory of 116	2800	ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe	101

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious use of WriteProcessMemory
PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=123.0.6312.106 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=123.0.2420.81 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffd9f944e48,0x7ffd9f944e54,0x7ffd9f944e60
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2224,i,14910875736531803530,4367035887674785793,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,14910875736531803530,4367035887674785793,262144 --variations-seed-version --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2512,i,14910875736531803530,4367035887674785793,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=5408,i,14910875736531803530,4367035887674785793,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5584,i,14910875736531803530,4367035887674785793,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3208,i,14910875736531803530,4367035887674785793,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:3
  2⤵
  PID:116

C:\Users\Admin\AppData\Local\Temp\ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe
"C:\Users\Admin\AppData\Local\Temp\ed614783ecd08afb919ae4b42625beaa6c9ed4207fa4f9c925c32a16d543ee3a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
25KB

MD5
820cc4a565cf4b5320e34c5c98b7ef66

SHA1
f90b747213152cd0fb7d69449e54a143a0285742

SHA256
7f3498d1d40dc8aab1d010f2736c0a6254c430f9f2f2b46ca31ca42418c5c331

SHA512
70af3bcf87468fa86532e99958e76f4b0cf00d25c090c47b0cdeae71646a3dccda5cd44ce9ea400c86f4016edd2e252f8014cea816e1668b53e76902d789919b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
06769236f5c5de6a2e17abfc58b3b629

SHA1
0c77f9a1561cd694b55aaee66a613408b7414c23

SHA256
5a4c4bf8b7e18db23c7493f8a5b03f3f96183022540af6f676be0a347dd297fb

SHA512
2185739327c500e5f17698d238f570593d54a2d4e32707c0de5782c56f0b8f404c7792ae21246c35a45143e46f4d49207ca631e2a131a2759045a70244e1dd76

Download Submit
memory/2800-24-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-38-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-6-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-8-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-7-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-10-0x0000000000400000-0x00000000051BC000-memory.dmp

Filesize
77.7MB

Download
memory/2800-4-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-3-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-16-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-17-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-19-0x0000000005530000-0x0000000005630000-memory.dmp

Filesize
1024KB

Download
memory/2800-20-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-22-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-1-0x0000000005530000-0x0000000005630000-memory.dmp

Filesize
1024KB

Download
memory/2800-5-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-30-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-26-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-32-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-35-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-27-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-40-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-42-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-44-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-2-0x0000000005630000-0x0000000005697000-memory.dmp

Filesize
412KB

Download
memory/2800-63-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-68-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-71-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-77-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2800-81-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download