MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Osiris


Vendor detections: 12



SHA256 hash: 7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217
SHA3-384 hash: eb09bb2bfec470b3938e301a69dbbe173049007e275e080b15b351ea4ccaa24a5e733d48e7aa64446993bcc6096d40f3
SHA1 hash: 66649127ad784288c393992971a197c10f86a8eb
MD5 hash: 793707365df26450bc8642f518a540f0
humanhash: delta-blue-vegan-butter
File name: SecuriteInfo.com.BackDoor.Rat.281.18292.12946
Signature: Osiris
File size: 1'455'616 bytes
First seen: 2021-06-15 12:53:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 019647f8a1eb3148b0e2b8be3fbd329b (1 x Osiris)
ssdeep: 24576:8Ec46GnhPe4h/N5m8loOoYJ/HRz1IgRizQJYiEH0YSXHZTNbf86:8EBQ2xrVEcXfbf86
Threatray: 1'966 similar samples on MalwareBazaar
TLSH: 14657C32B2918437D0632BB89D2FB3A56939FF102E34598B67F51C4C1F79A5039292E7
Reporter: SecuriteInfoCom
Tags: exe Osiris
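Anyone who pulls the sample should confirm it is the file this entry describes before analysing it. The Python below is an added example, not MalwareBazaar's or abuse.ch's code: it recomputes the stdlib-supported hashes listed above over a local file, reports which ones match, and builds the form fields for MalwareBazaar's `get_info` API query, which keys on MD5, SHA1 or SHA256 (the page's SHA3-384 is rejected on purpose). The fuzzy hashes (ssdeep, TLSH) and the imphash need third-party libraries and are deliberately not recomputed here; the API URL is the documented one, and whether a current API key header is also required should be checked against the live API documentation.

```python
"""Cross-check a local file against the hashes in this MalwareBazaar entry and
prepare a MalwareBazaar API lookup for it.

Added example; not MalwareBazaar's or abuse.ch's code. ENTRY copies the hashes
printed on this page. Only stdlib algorithms are recomputed: ssdeep, TLSH and
imphash need third-party libraries and are not handled here.
"""
import hashlib
import sys

# Hashes copied from the MalwareBazaar entry for this sample.
ENTRY = {
    "md5": "793707365df26450bc8642f518a540f0",
    "sha1": "66649127ad784288c393992971a197c10f86a8eb",
    "sha256": "7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217",
    "sha3_384": "eb09bb2bfec470b3938e301a69dbbe173049007e275e080b15b351ea4ccaa24a5e733d48e7aa64446993bcc6096d40f3",
}

# Documented MalwareBazaar endpoint. Whether an API key header is also needed
# is not modelled here; check the current API documentation (assumption).
MB_API_URL = "https://mb-api.abuse.ch/api/v1/"
_HEX = set("0123456789abcdef")


def compute_hashes(data: bytes, algos=tuple(ENTRY)) -> dict:
    """Hex digests of the requested hashlib algorithms, keyed like ENTRY."""
    return {name: hashlib.new(name, data).hexdigest() for name in algos}


def verify_entry(data: bytes, entry: dict) -> dict:
    """True/False per listed hash. Any False means the bytes are not the file
    the page describes (wrong file, truncated download, or a re-packed copy)."""
    actual = compute_hashes(data, tuple(entry))
    return {name: actual[name] == digest.strip().lower()
            for name, digest in entry.items()}


def mb_get_info_payload(hash_hex: str) -> dict:
    """Form fields for a MalwareBazaar `get_info` lookup (POST to MB_API_URL).
    The query accepts an MD5, SHA1 or SHA256 digest, so anything else (such as
    the SHA3-384 shown on the page) is refused rather than silently sent."""
    h = hash_hex.strip().lower()
    if len(h) not in (32, 40, 64) or not set(h) <= _HEX:
        raise ValueError("get_info needs an MD5, SHA1 or SHA256 hex digest")
    return {"query": "get_info", "hash": h}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: verify_sample.py <file>")
        sys.exit(2)
    with open(sys.argv[1], "rb") as fh:
        sample = fh.read()
    for name, ok in verify_entry(sample, ENTRY).items():
        print(f"{name:8s} {'match' if ok else 'MISMATCH'}")
    print("API lookup fields:", mb_get_info_payload(ENTRY["sha256"]))
```

Run it against the downloaded sample; every line must read `match` before the remaining sections of this entry can be trusted to describe the file in hand. A mismatch on SHA256 alone with MD5/SHA1 matching would be extraordinary and should be treated as a copy error on the page rather than a collision.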

Intelligence

File Origin
# of uploads: 1
# of downloads: 105
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SecuriteInfo.com.BackDoor.Rat.281.18292.12946
Verdict: Malicious activity
Analysis date: 2021-06-15 12:56:06 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Creating a window
Launching a process
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Moving a file to the %AppData% subdirectory
Creating a file
Setting a keyboard event handler
Sending an HTTP GET request
Setting browser functions hooks
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Unauthorized injection to a browser process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hijacks the control flow in another process
Installs a global keyboard hook
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Kronos
Behaviour
Behavior Graph (ID 434820; sample SecuriteInfo.com.BackDoor.R...; start date 15/06/2021; architecture WINDOWS; score 100), rendered here as a process tree with each node's network activity, dropped files and signatures:

SecuriteInfo.com.BackDoor.Rat.281.18292.exe (started)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Uses ipconfig to lookup or modify the Windows network settings; 2 other signatures
  -> ipconfig.exe (started)
       Network: ipv4.imgur.map.fastly.net / i.imgur.com, 151.101.12.193, ports 443, 49710, 49712 (FASTLYUS, United States)
       Dropped: C:\Users\user\AppData\Local\Temp\cmd.exe (PE32)
       Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; Maps a DLL or memory area into another process
       -> cmd.exe (started)
            Network: 91.203.5.146, ports 49721, 80 (VOLIA-ASUA, Ukraine); 185.10.16.41, ports 49734, 80 (VIRTUA-SYSTEMS, France); 37 other IPs or domains
            Dropped: C:\Users\user\AppData\...\-1162585297.exe (PE32); C:\Users\user\AppData\...\GetX64BTIT.exe (PE32+)
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
            -> GetX64BTIT.exe (started)
                 Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
            -> -1162585297.exe (started)
                 Signatures: Tries to steal Mail credentials (via file access)
       -> cmd.exe (started)
            Signatures: May check the online IP address of the machine; Machine Learning detection for dropped file
       -> conhost.exe (started)
bac58a5f.exe (started)
  -> conhost.exe (started)

Sample-level network: ipv4.imgur.map.fastly.net, i.imgur.com
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Kronos; Uses known network protocols on non-standard ports
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2020-09-08 16:58:24 UTC
File Type: PE (Exe)
Extracted files: 72
AV detection: 26 of 46 (56.52%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:osiris banker botnet spyware stealer
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Looks up external IP address via web service
Uses Tor communications
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Nirsoft
Osiris
Unpacked files
SHA256 hash: 7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217
MD5 hash: 793707365df26450bc8642f518a540f0
SHA1 hash: 66649127ad784288c393992971a197c10f86a8eb
(These are the hashes of the submitted sample itself; no distinct unpacked payload is recorded for this entry.)
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_parallax_payload_1
Author: @VK_Intel
Description: Detects Parallax Injected Payload v1.01
Reference: https://twitter.com/VK_Intel/status/1227976106227224578

Rule name: crime_win32_rat_parralax_shell_bin
Author: @VK_Intel
Description: Detects Parallax injected code
Reference: https://twitter.com/VK_Intel/status/1257714191902937088

Rule name: MAL_crime_win32_rat_parallax_shell_bin
Author: @VK_Intel
Description: Detects Parallax injected code
Reference: https://twitter.com/VK_Intel/status/1257714191902937088

Note that all three YARA matches are Parallax rules, while the entry's signature and the vendor tags above say Osiris (and one sandbox reports "Yara detected Kronos"). The family attribution for this sample is therefore not unanimous; treat the YARA family label as one data point alongside the sandbox verdicts rather than as confirmation of either.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Osiris
File type: Executable exe
SHA256 hash: 7131d78da58eb6b54db8466e0c09d7173da6f05c5615841a73dc6a032648a217 (this sample)