osiris | b3b3a4a9ac1cc6715d8c875ac34f92708d0b9f91104b793768ed90baa57c97d0

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trusteer.exe
Size

3.3MB
MD5

30cb49e14aa0f3247110df5dc1a1690b
SHA1

84521809033b25b01338e3087881d4c37b4d0faa
SHA256

2ad801c4a4f232b02c940858d69c3d3608c6df1606b73c76494e1d7d0d30e761
SHA512

c206045d0c2ba0dfc773bb5b41db0802127d86d521b6fe41523d63e59b79a2657dd960b3ca1dc1be31298279d920f3080a5e72803cd11fe261b32e08cd3577e9
SSDEEP

49152:p7RUQh1V1fO/9DA0q3i9aLrsvHyR15U8dJAsgWpyTulz9b9H5vDCjeMeZi7uax:p711TMeS92r1155A/0ysPZvej3

Score

10^/10

osiris banker botnet discovery evasion

Malware Config

Signatures

Osiris
banker botnet osiris

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Trusteer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Trusteer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Trusteer.exe

Executes dropped EXE 1 IoCs

pid	Process
2876	GetX64BTIT.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	Trusteer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	api.ipify.org
46	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4848	Trusteer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 368	4848	Trusteer.exe	104

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trusteer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trusteer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	Trusteer.exe
4848	Trusteer.exe
4848	Trusteer.exe
4848	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe
368	Trusteer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
368	Trusteer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 4848 wrote to memory of 368	4848	Trusteer.exe	104
PID 368 wrote to memory of 2876	368	Trusteer.exe	105
PID 368 wrote to memory of 2876	368	Trusteer.exe	105

C:\Users\Admin\AppData\Local\Temp\Trusteer.exe
"C:\Users\Admin\AppData\Local\Temp\Trusteer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\Trusteer.exe
  "C:\Users\Admin\AppData\Local\Temp\Trusteer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
    3⤵
    - Executes dropped EXE
    PID:2876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
03d40b023a868844d00145bc7e131bae

SHA1
6280b59cbf7c12f0b40b330e07d9be87a9c62d88

SHA256
cdeec18bd07a0b8b7c62d9b34e0c78d2795206854320f8f31aa0325d048051d1

SHA512
bb7a2030a4e14a824bfeccff95635c84966e93f06762115ea4c7b046a148fe243b0a0155cd59bbfacf6c4f8cdf24a1030d1170a95cd63df3632c1cbca3325d30

Download Submit
memory/368-42-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-33-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/368-41-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-44-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-34-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-45-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-43-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-32-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-31-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-30-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/368-29-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/368-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4848-10-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-26-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4848-18-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-19-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-20-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-21-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-16-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-23-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-15-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-14-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-13-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-17-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-12-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-11-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-0-0x0000000000D30000-0x00000000018AE000-memory.dmp

Filesize
11.5MB

Download
memory/4848-2-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/4848-3-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4848-4-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/4848-5-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/4848-6-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/4848-7-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/4848-8-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/4848-9-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/4848-1-0x0000000077C84000-0x0000000077C86000-memory.dmp

Filesize
8KB

Download