MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Osiris

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b
SHA3-384 hash:	56e800fb265648992753bc1f7cf0ad2f39c6eb03422fe939ee0ac2e442944acb2c5660bd305c3566cc6557f6d06829cb
SHA1 hash:	5fba19ae9f76b445d96dbca71f53113492b09d49
MD5 hash:	8e8f7ff797c292231959e4dd410a98da
humanhash:	nineteen-mirror-nuts-sixteen
File name:	6729001591617.bin
Download:	download sample
Signature	Osiris Create hunting rule
File size:	3'723'232 bytes
First seen:	2021-01-28 11:55:18 UTC
Last seen:	2021-01-28 13:58:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	00f39b64160f1f3ca0bfe741064f3430 (1 x Osiris)
ssdeep	49152:2pU1pIkY3RFCXgUG0xibD3QUaSalMG45TRVVqfMqJ7CdfAYQtTGCD:2psIbhYXJS3HaHM17Vqfz7sQtiw
Threatray	7 similar samples on MalwareBazaar
TLSH	3D06BE59F9C290E0EDC316F452FAA7374C388225572698D3F3613D904E611E27B7EA8E
Reporter	JAMESWT_WT
Tags:	Osiris

Code Signing Certificate

Organisation:	AAA Certificate Services
Issuer:	AAA Certificate Services
Algorithm:	sha1WithRSAEncryption
Valid from:	Jan 1 00:00:00 2004 GMT
Valid to:	Dec 31 23:59:59 2028 GMT
Serial number:	01
Intelligence:	384 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FickerStealer.exe

Verdict:

Malicious activity

Analysis date:

2021-01-28 10:53:05 UTC

Tags:

evasion trojan ficker stealer

Link:

https://app.any.run/tasks/f4fed4a9-48b2-44e0-8d23-b174f4f04854

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/114217/

Detection(s):

SecuriteInfo.com.generic.ml.16383.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Unauthorized injection to a recently created process

Setting a keyboard event handler

Creating a file in the %temp% directory

Creating a process from a recently created file

Deleting a recently created file

DNS request

Sending a custom TCP request

Setting browser functions hooks

Connection attempt to an infection source

Unauthorized injection to a browser process

Sending an HTTP GET request to an infection source

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Kronos

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/592824

Signature

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to detect sleep reduction / modifications

Detected Kronos e-Banking malware

Detected unpacking (changes PE section rights)

Found Tor onion address

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Installs a global keyboard hook

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

kronos

Link:

https://mwdb.cert.pl/sample/ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b/

Threat name:

Win32.Trojan.Kronosbot

Status:

Malicious

First seen:

2021-01-28 11:56:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 29 (41.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vtu7giojsz5s77r356ifnqitwiaeb7uige2rbaxbqyjfv3vivmfq._file

Verdict:

unknown

Osiris

4da8564def807d49cf9d45fcad3e9201344732a49aea4261ab05b8b43cb3adae

Osiris

62bd38c89d1a30b03bd89a788d9f2852659f77715c97e5c12445c33f43fa13e5

Osiris

73feac20d7cdbe1e10ca26b196d60d68ea0c4e652ceacf534b1c549e4e597e74

Osiris

90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14

Osiris

bf9eb06db25ea1d3138b8e19a18d248df56a04200f9e54edfed850d018d2bb62

Osiris

dfb2cb14a2f6a3281514226cec06bb2bb99e9ebbeb583a9b6f80ec8b4d6fe15f

Osiris

Result

Malware family:

osiris

Score:

10/10

Tags:

family:osiris banker botnet ransomware

Link:

https://tria.ge/reports/210128-ljnc58c5ms/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Looks up external IP address via web service

Uses Tor communications

Drops startup file

Loads dropped DLL

Executes dropped EXE

Osiris

Unpacked files

SH256 hash:

ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

MD5 hash:

8e8f7ff797c292231959e4dd410a98da

SHA1 hash:

5fba19ae9f76b445d96dbca71f53113492b09d49

Link:

https://www.unpac.me/results/8cebb4d2-9dda-4360-85b8-b00cc3aa36ac/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Kronos Create hunting rule
Author:	kevoreilly
Description:	Kronos Payload

Rule name:	win_kronos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_kronos_g0 Create hunting rule
Author:	mak

Rule name:	win_kronos_g1 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/JAMESWT_MHT/status/1354745815458308100?s=20

Cape

https://www.capesandbox.com/analysis/114217/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample