{
	"id": "ff517c35-9d9f-4182-ab1b-38f2071c52d6",
	"created_at": "2026-04-06T00:06:20.256569Z",
	"updated_at": "2026-04-10T03:20:50.415768Z",
	"deleted_at": null,
	"sha1_hash": "6cd382ae49f623b2729da7ea86784ae0fb417066",
	"title": "Osiris, the god of afterlife...and banking malware?!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 439311,
	"plain_text": "Osiris, the god of afterlife...and banking malware?!\r\nBy f0wL\r\nPublished: 2019-08-29 · Archived: 2026-04-05 15:16:09 UTC\r\nThu 29 August 2019 in Banking-Malware\r\nAfter coming back from the Chaos Communication Camp two days ago I thought it would be a good idea to check on the current malware events out there, so come along for the ride.\r\nI came across this sample after this tweet by @James_inthe_box:\r\nA short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws, as owning malware binaries/sources might be illegal depending on where you live.\r\nGet your sample today from:\r\nhttps://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html\r\nFiles dropped in %APPDATA%\\Roaming\r\nFiles dropped in %temp%\r\nAfter running the sample for the first time it adds itself to system startup and copies itself to %appdata%\\Roaming\\Microsoft\\Windows\\Protected\\setspn.exe. Comparing the malicious setspn.exe with the Microsoft original (normally found at C:\\Windows\\System32\\setspn.exe) in PE-bear, it is obvious that the files are not the same.\r\nTo jump straight to the Hybrid-Analysis report for fixed111.exe click here. I picked out a couple of interesting findings for you:\r\nOne thing that stands out is that Osiris uses components of the Nullsoft Scriptable Install System (NSIS). I did not look into it that far yet, but it seems like it is used for a headless install only.\r\nQuite an interesting find: this Osiris sample uses a proof-of-concept (PoC) implementation called Mini-Tor for communication with the Tor network.
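The Tor directory fetches that the post attributes to Mini-Tor (requests of the form IPAddress/tor/servers/fp/-HASH-, discussed in the next paragraph) are easy to pick out of proxy logs. The Python below is an added example, not code from the post or from Mini-Tor: it classifies requests by the directory-protocol paths defined in the Tor dir-spec (/tor/server/fp/<fingerprint> for a relay descriptor, /tor/status-vote/current/consensus for the consensus, /tor/keys/ for authority keys) and flags only those sent to a bare IP address, since a Tor client reaches directory authorities and caches by IP rather than by DNS name. The log format and every IP, fingerprint and path in SAMPLE_LOG are constructed for the example; the spelling /tor/servers/fp/ is matched in addition to the spec's /tor/server/fp/ because that is how the post quotes the observed URL.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log in a simple 'client method url status' layout.
# Hosts, fingerprints and paths are made up for this example.
SAMPLE_LOG = '''
10.0.0.15 GET http://198.51.100.7:9030/tor/server/fp/0123456789ABCDEF0123456789ABCDEF01234567 200
10.0.0.15 GET http://203.0.113.9/tor/servers/fp/89ABCDEF0123456789ABCDEF0123456789ABCDEF 200
10.0.0.15 GET http://198.51.100.7:9030/tor/status-vote/current/consensus 200
10.0.0.22 GET http://www.example.com/tor/server/fp/index.html 200
10.0.0.22 GET http://intranet.example.net/tor/ 200
10.0.0.31 GET http://203.0.113.9/keys/all 200
10.0.0.15 GET http://203.0.113.9/tor/keys/all 200
10.0.0.40 GET http://203.0.113.9/tor/server/fp/notahash 200
'''

# A relay identity fingerprint is 20 bytes, i.e. 40 hex characters.
FP_RE = re.compile('^[0-9A-Fa-f]{40}$')

# Directory endpoints from the Tor dir-spec. 'servers' (plural) is included
# alongside the spec's 'server' because the post quotes /tor/servers/fp/.
DESCRIPTOR_PREFIXES = ('/tor/server/fp/', '/tor/servers/fp/')
CONSENSUS_PATHS = ('/tor/status-vote/current/consensus',
                   '/tor/status-vote/current/consensus-microdesc')
KEYS_PREFIX = '/tor/keys/'


def is_ip_literal(host):
    '''True when the URL host is a bare IPv4/IPv6 address rather than a name.'''
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_tor_dir_request(url):
    '''Return (kind, fingerprint) when the URL path is a Tor directory fetch,
    else None. fingerprint is the upper-cased 40-hex relay digest for
    well-formed descriptor fetches and None otherwise.'''
    path = urlsplit(url).path
    if not path.startswith('/tor/'):
        return None
    for prefix in DESCRIPTOR_PREFIXES:
        if path.startswith(prefix):
            fp = path[len(prefix):].split('/')[0]
            if FP_RE.match(fp):
                return ('server-descriptor', fp.upper())
            return ('server-descriptor-malformed', None)
    if path in CONSENSUS_PATHS:
        return ('consensus', None)
    if path.startswith(KEYS_PREFIX):
        return ('authority-keys', None)
    return ('tor-dir-other', None)


def scan_proxy_log(log_text):
    '''Parse 'client method url status' lines and return one finding per
    request that looks like a Tor directory-protocol fetch sent straight to
    an IP address, the pattern a bootstrapping Tor client produces.'''
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, method, url, status = parts
        verdict = classify_tor_dir_request(url)
        if verdict is None:
            continue
        kind, fp = verdict
        host = urlsplit(url).hostname
        # A /tor/ path on a named host is most likely an ordinary website;
        # Tor clients talk to directory caches by IP, so only those count.
        if not is_ip_literal(host):
            continue
        findings.append({'client': client, 'dir_server': host,
                         'kind': kind, 'fingerprint': fp})
    return findings
```

Adapt the four-field split to the real proxy format before running this over production logs. The malformed-fingerprint case is kept as its own kind rather than dropped, because a request to an IP for /tor/server/fp/ with a bad digest is still worth a look, while named-host hits such as www.example.com/tor/... are deliberately excluded to keep the false-positive rate down.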
Pretty convenient for the malware author, as it keeps the size of the binary small but still allows data exfiltration over an anonymity network.\r\nClick here for the Any.Run analysis.\r\nAs the Twitter discussion about this sample started, multiple theories about the Tor requests were brought up. My explanation for this behaviour is that the malware is exfiltrating data over the Tor network. Because of the URL format of the requested sites, IPAddress/tor/servers/fp/-HASH-, one can assume that the contacted servers are directory servers, which hold the server descriptor files for known nodes. This is why I'd classify this behaviour as more or less standard client communication.\r\nIOCs\r\nFiles\r\nfixed111.exe --SHA1--\u003e a1887f8b29ef20a6e0d7284521c40eee77d47dd0\r\nsetspn.exe --SHA1--\u003e a1887f8b29ef20a6e0d7284521c40eee77d47dd0\r\nGetX64BTIT.exe --SHA1--\u003e 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0\r\nMajorca.dll --SHA1--\u003e 47d9371a0dd3369d89068994d5d18bb54a0d7433\r\nSystem.dll --SHA1--\u003e 48df0911f0484cbe2a8cdd5362140b63c41ee457\r\ngutils.dll --SHA1--\u003e ab92a9a74c55c5e5d05f1f3dde518371dda76548\r\nresToResX.exe --SHA1--\u003e b5114de8c2e78d72ec8ddb6ab7bcb02b1bb5291f\r\n79.opends60.dll --SHA1--\u003e ec9946684d5e72dbc5bdcffa31167ad1a19e29bd\r\nMicrosoftXslDebugProxy.exe --SHA1--\u003e 2d9b200ea1d9fb6442f21bb5441072bd4b9d1968\r\nUserInfo.dll --SHA1--\u003e 0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41\r\nTypeSharingService2.asmx --SHA1--\u003e f28868e733bfdcf68cee93509f84694df50bbdf4\r\nlibfontconfig1amd64.triggers --SHA1--\u003e 6ca8f520c10214648f88a8ba08ccdfcc53b124a3\r\n349f9714.lnk --SHA1--\u003e fe08da4fd09dbab64d4e4d23b9a935468ef05f8b\r\n703 --SHA1--\u003e bb5d6f6ba8155899d0017ce2edc1bf2622ad5b3b\r\nx-perl.xml --SHA1--\u003e 32404eab9098db64af17b6e5862b0b563f57c2dd\r\nx64btit.txt --SHA1--\u003e cd8fff32832f8a8f20b88a2f32c04800535d060e\r\nParagraphia --SHA1--\u003e 360071bee9bae26834006615d0fb711d25f4a4af\r\n_dvvsdebugapi --SHA1--\u003e f5db6c9fed4cb80461502bb6d25532e8f0c1f064\r\nwin.ini --SHA1--\u003e f939c7deb74637544a09df6d0a096f5719b227d1\r\nURLs\r\nhttpx://naot[.]org/cms/file/fixed111.exe\r\nhttpx://borel[.]fr/notices/CanadaPost.zip\r\nSource: https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html"
	],
	"report_names": [
		"osiris-the-god-of-afterlifeand-banking-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6cd382ae49f623b2729da7ea86784ae0fb417066.pdf",
		"text": "https://archive.orkl.eu/6cd382ae49f623b2729da7ea86784ae0fb417066.txt",
		"img": "https://archive.orkl.eu/6cd382ae49f623b2729da7ea86784ae0fb417066.jpg"
	}
}