MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 592b2eeb513d11fa7ec4e840f2db9f810e2aee3b16114cbad882b2157adad356. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Osiris


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 592b2eeb513d11fa7ec4e840f2db9f810e2aee3b16114cbad882b2157adad356
SHA3-384 hash: baaed357d9cf5062bcbd288538ea6cba9cb1a29e60cb53595e6866fab79a9d87b8d106ca6178a3ac3b61df19523be56b
SHA1 hash: b9d83406d36b5504270470b10d1229c87735df41
MD5 hash: d7634d1df27b569aaf2dd52f8f310027
humanhash: december-charlie-ack-table
File name:SecuriteInfo.com.Variant.Johnnie.312242.12370.4606
Download: download sample
Signature Osiris
Create hunting rule
File size:129'536 bytes
First seen:2021-03-09 23:38:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc09259c73c533a0dad22a4920000c39 (1 x Osiris)
ssdeep 3072:ICz5KYiGguiK6zwbFCo0ODRUWFZl/Z/VR8nX+7IGM7BcEv:JKYiGguiK6zwbFChLQDVGWEv
Threatray 352 similar samples on MalwareBazaar
TLSH 63C35D30B8D1E472E4A372315D62E6AA1A3CFC604BD14FDFA34D07EA4F790D5167982A
Reporter SecuriteInfoCom
Tags:Osiris

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://95.214.235.237/f4t4r.exe
Verdict:
Malicious activity
Analysis date:
2021-03-09 22:16:08 UTC
Tags:
trojan loader kronos
Link:
https://app.any.run/tasks/592cf111-41ba-40eb-89c3-bdfdb4e91d8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123430/
Detection(s):
SecuriteInfo.com.Variant.Johnnie.312242.12370.4606.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a window
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Sending a custom TCP request
Reading critical registry keys
Moving a file to the %AppData% subdirectory
Deleting a recently created file
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Osiris
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/633678
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected Osiris Trojan
Drops executable to a common third party application directory
Found C&C like URL pattern
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365811 Sample: SecuriteInfo.com.Variant.Jo... Startdate: 10/03/2021 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Antivirus detection for URL or domain 2->36 38 Antivirus detection for dropped file 2->38 40 6 other signatures 2->40 6 SecuriteInfo.com.Variant.Johnnie.312242.12370.exe 7 2->6         started        10 AdobeNotificationUpdates.exe 7 2->10         started        process3 dnsIp4 26 wifoweijijfoiwjweoi.xyz 34.105.189.80, 49728, 49729, 49730 GOOGLEUS United States 6->26 42 Detected Osiris Trojan 6->42 44 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 6->44 46 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 6->46 48 Contains functionality to detect sleep reduction / modifications 6->48 13 SecuriteInfo.com.Variant.Johnnie.312242.12370.exe 3 31 6->13         started        20 C:\Users\user\AppData\Local\...\Liebert.bmp, PE32 10->20 dropped 50 Multi AV Scanner detection for dropped file 10->50 52 Machine Learning detection for dropped file 10->52 54 Maps a DLL or memory area into another process 10->54 18 AdobeNotificationUpdates.exe 1 10->18         started        file5 signatures6 process7 dnsIp8 28 icanhazip.com 172.67.9.138, 49736, 80 CLOUDFLARENETUS United States 13->28 30 127.0.0.1 unknown unknown 13->30 32 wifoweijijfoiwjweoi.xyz 13->32 22 C:\Users\...\AdobeNotificationUpdates.exe, PE32 13->22 dropped 24 AdobeNotificationU...exe:Zone.Identifier, ASCII 13->24 dropped 56 Monitors registry run keys for changes 13->56 58 Tries to harvest and steal browser information (history, passwords, etc) 13->58 60 Drops executable to a common third party application directory 13->60 62 Installs a global keyboard hook 13->62 file9 signatures10
Gathering data
Threat name:
Win32.Trojan.Johnnie
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 20:25:53 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=levs522rhui7u7we5bapfw47qehcv3r3cyiuzowyqkzbk6w22nla._file
Verdict:
malicious
Similar samples:
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
Osiris
1aa2009bf625cdd1f9fce70863201c2c9fc8624edd89103fda2e49b50ba908f7
Osiris
1bb6fb4d17c2bc64645d9ea67e3f3b34c4cc3b082c70676b202ebcd59762c3c2
Osiris
57605921f72fd210ec256ed3010b59d111c6d3b9e49b9e830e06d6bddce83db4
Osiris
6e6dfb6c3ce7a1a428b51a52ab1a1bb625f791f207204c29efe8c554b37d5cfe
Osiris
7498e37c332d55c14247ae4b675e726336a8683900d8fd1da412905567d2de4a
Osiris
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
Osiris
92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a
Osiris
da767e6faf97d73997f397eae71b372a549dd6331bf8ec0ebd398ef8cfe9a47e
Osiris
e431d81e245dd47b376162b55b07a341789498cbc19dba9271b98cd048002e01
Osiris
+ 342 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence spyware
Link:
https://tria.ge/reports/210309-mr9cwv93te/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
592b2eeb513d11fa7ec4e840f2db9f810e2aee3b16114cbad882b2157adad356
MD5 hash:
d7634d1df27b569aaf2dd52f8f310027
SHA1 hash:
b9d83406d36b5504270470b10d1229c87735df41
Link:
https://www.unpac.me/results/6f6defdf-fe19-4f5d-8afa-de3855c4ac41/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/592b2eeb513d11fa7ec4e840f2db9f810e2aee3b16114cbad882b2157adad356

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Osiris

Executable exe 592b2eeb513d11fa7ec4e840f2db9f810e2aee3b16114cbad882b2157adad356

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1057627/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123430/

Comments