MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf9eb06db25ea1d3138b8e19a18d248df56a04200f9e54edfed850d018d2bb62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Osiris


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf9eb06db25ea1d3138b8e19a18d248df56a04200f9e54edfed850d018d2bb62
SHA3-384 hash: 4a910bf74b359bde0cc828a720538367b87296256a6a9e244e04efba63b155ee1c453c5da5f9ca0ed1f44825f2cb49ec
SHA1 hash: df2d854aa894676f7d7c3bd9eb833fe955575a6f
MD5 hash: 677f9f62a49e9a2a2212ed2f6e7dd545
humanhash: illinois-mike-moon-quebec
File name:run32dll.exe
Download: download sample
Signature Osiris
Create hunting rule
File size:422'816 bytes
First seen:2020-11-03 08:46:40 UTC
Last seen:2020-11-03 10:51:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 6144:U9X0GPBp90FOKWU3TDPTuU4ldQZ7OTcaYEQSh9Ty0y6c4H3yEDFDQMb6Ph0VA4WT:a02PWw9C6hlSZ6g2G0yKHp1VbWabfBnG
Threatray 84 similar samples on MalwareBazaar
TLSH DA94125223A0DCA3D5764F3019BB675997FBF2601234CF8F67186DCCAE53A81262E306
Reporter JAMESWT_WT
Tags:Osiris signed Unicom Ltd

Code Signing Certificate

Organisation:Unicom Ltd
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 27 00:00:00 2020 GMT
Valid to:Oct 27 23:59:59 2021 GMT
Serial number: FA3DCAC19B884B44EF4F81541184D6B0
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 6557117E37296D7FDCAC23F20B57E3D52CABDB8E5AA24D3B78536379D57845BE
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Kronos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/81994/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Setting a keyboard event handler
Creating a file
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Deleting a recently created file
Sending an HTTP GET request
Setting browser functions hooks
Sending an HTTP GET request to an infection source
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/518985
Signature
Found Tor onion address
Installs a global keyboard hook
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
kronos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bf9eb06db25ea1d3138b8e19a18d248df56a04200f9e54edfed850d018d2bb62/
Threat name:
Win32.Trojan.Kronosbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 22:30:00 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6pla3nsl2q5ge4lrym2ddjerx2wubbab6pfj3p63binaggsxnra._file
Verdict:
malicious
Similar samples:
111b63f31d1e6855b0bc722107ac4f5668a7f115fd45654625eb41a6160828c6
Osiris
1dca04a092036da431753ed714b8e11bbd6ed1db8c9b3755d05bb8c61fcfc805
Osiris
2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
Osiris
4da8564def807d49cf9d45fcad3e9201344732a49aea4261ab05b8b43cb3adae
Osiris
62bd38c89d1a30b03bd89a788d9f2852659f77715c97e5c12445c33f43fa13e5
Osiris
6c1d19babfa606ff54c791d86f53bc2fae6def5a101c3205d741d6fb1e5c3cc4
Osiris
73feac20d7cdbe1e10ca26b196d60d68ea0c4e652ceacf534b1c549e4e597e74
Osiris
a456769302254d2e6609a7832d93937572b7b73cca217873d7f60678414645e0
Osiris
a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78
Osiris
f6f1b197a2b2ad6cebaddc12b7f421305ec3d61bb56abc214a19e702e49485cc
Osiris
+ 74 additional samples on MalwareBazaar
Result
Malware family:
osiris
Create hunting rule
Score:
  10/10
Tags:
family:osiris banker botnet
Link:
https://tria.ge/reports/201103-jxh1few912/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Osiris
Unpacked files
SH256 hash:
bf9eb06db25ea1d3138b8e19a18d248df56a04200f9e54edfed850d018d2bb62
MD5 hash:
677f9f62a49e9a2a2212ed2f6e7dd545
SHA1 hash:
df2d854aa894676f7d7c3bd9eb833fe955575a6f
Link:
https://www.unpac.me/results/2313be7c-de19-4266-98a5-a286fa8838d8/
SH256 hash:
541e4471d841153f87eab678df21c98348e3fdec86d5d5e8b3c95a62fd21b8f3
MD5 hash:
6ea34cbb39b57436d02c15413d69d1ad
SHA1 hash:
60755afa603e90599a8e4bb98af239a5d50d5ddb
Link:
https://www.unpac.me/results/2313be7c-de19-4266-98a5-a286fa8838d8/
SH256 hash:
7b66b3d461d433aad14a0d95c1aa2babbbd9bf631ecb3f0d6c5cf23845ff56d8
MD5 hash:
1661ddb4522372f00068e4fefa2391a8
SHA1 hash:
79d70c4c8d0cd0bb8216d3d5302ace7fb1684af9
Detections:
win_kronos_g1
Create hunting rule
win_kronos_auto
Create hunting rule
Link:
https://www.unpac.me/results/2313be7c-de19-4266-98a5-a286fa8838d8/
SH256 hash:
58ae2c5d7827dbe80984ca450b058f6dd9f41b406cac0ed91a45b94fb768ce43
MD5 hash:
f2dc1ead3963eae6a82bdf86d3cf2fa3
SHA1 hash:
a1ab4a56bc430afb6b6ed4ecdcc9faa0674633e8
Link:
https://www.unpac.me/results/2313be7c-de19-4266-98a5-a286fa8838d8/
SH256 hash:
4b490e48ddf81ab8f4114394d6f8d544ff7b83623e4719e8c553dabc50d1a2ef
MD5 hash:
92c3e64894bc6aec94adb20cf5d26afb
SHA1 hash:
d0eece4d7a317c91eed8537c877b7debf132ac71
Link:
https://www.unpac.me/results/2313be7c-de19-4266-98a5-a286fa8838d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
REvil
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf9eb06db25ea1d3138b8e19a18d248df56a04200f9e54edfed850d018d2bb62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_kronos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Osiris

Executable exe bf9eb06db25ea1d3138b8e19a18d248df56a04200f9e54edfed850d018d2bb62

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/81994/
  
URLhaus
https://urlhaus.abuse.ch/url/782181/
  
Delivery method
Distributed via web download

Comments