{
	"id": "71f8d01c-ae4d-4186-92a5-224801acac4f",
	"created_at": "2026-04-06T00:17:59.311497Z",
	"updated_at": "2026-04-10T03:22:09.186059Z",
	"deleted_at": null,
	"sha1_hash": "cfa53851cdcad81c4a5fc92130947b4719886ccb",
	"title": "Ousaban: Private photo collection hidden in a CABinet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1177073,
	"plain_text": "Ousaban: Private photo collection hidden in a CABinet\r\nBy ESET Research\r\nArchived: 2026-04-05 20:01:00 UTC\r\nOusaban is a Latin American banking trojan active exclusively in Brazil. ESET has been tracking this malware family\r\nsince 2018. In common with most other LATAM banking trojans, Ousaban uses overlay windows to steal credentials\r\nand more from financial institutions. However, unlike most other LATAM banking trojans, Ousaban’s developers have\r\nextended the use of overlay windows to steal credentials from popular regional email services. In this installment of\r\nour series, we examine its main features and many connections to other Latin American banking trojan families.\r\nCharacteristics\r\nOusaban is written in Delphi, as are the vast majority of the other Latin American banking trojans ESET is tracking.\r\nAnd, as do many of them, Ousaban shows signs of active and continuous development.\r\nThe name ESET assigned to this family is a portmanteau of two words – “ousadia”, which means “boldness” in\r\nPortuguese, and “banking trojan”. The reason for such a name is that for a very long time, Ousaban was distributed\r\nalongside the images (some of them obscene) shown in Figure 1. In the most recent campaigns distributing Ousaban,\r\nthis is no longer the case.\r\nFigure 1. Various images distributed alongside the Ousaban banking trojan\r\nOusaban is also known as Javali, a name assigned by Kaspersky. A recent article about Ousaban can be found here.\r\nESET has also been able to attribute Ousaban to the campaigns described in this blogpost from 2018. Even though\r\nsome sources claim Ousaban is active in Europe, ESET has never observed any campaign spreading this banking\r\ntrojan outside of Brazil.\r\nOusaban protects its executables with either Themida or Enigma binary obfuscators. 
	Additionally, most EXEs are\r\nenlarged, using binary padding, to approximately 400 MB, likely in order to evade detection and automated\r\nprocessing.\r\nhttps://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/\r\nPage 1 of 11\n\nMost recent Ousaban variants contain a string table to hold their strings, storing this table in their .rsrc sections. One of\r\nthe resources contains a zlib-compressed list of strings delimited by newline characters.\r\nIts backdoor capabilities are very similar to a typical Latin American banking trojan – simulating mouse and keyboard\r\nactions and logging keystrokes. The latest variants communicate with C\u0026C servers using RealThinClient – a protocol\r\nalso used by Grandoreiro.\r\nThe typical Latin American banking trojan attacks users of financial institutions using overlay windows crafted\r\nspecifically for its targets, and Ousaban is no exception. Interestingly though, its targets include several email services\r\nthat it has overlay windows ready for as well, as illustrated in Figure 2.\r\nFigure 2. Overlay window design for the UOL email service\r\nTo achieve persistence, Ousaban either creates a LNK file or a simple VBS loader in the startup folder, or it modifies\r\nthe Windows registry Run key.\r\nDistribution and execution\r\nOusaban is distributed mainly through phishing emails (such as the one in Figure 3). The threat actor behind Ousaban\r\ncycles through multiple distribution chains. These chains share some common characteristics, mainly:\r\nDLL side-loading is used to execute a binary payload\r\nCAB archives are sometimes used instead of ZIP\r\nA configuration file distributed inside an archive with one stage is required by the next stage\r\nAn injector, unique to Ousaban, may be used\r\nFigure 3. 
	Recent spam email distributing Ousaban (a rough translation is provided on the right)\r\nMSI with JavaScript\r\nThis distribution chain, illustrated in Figure 4, is quite straightforward. The victim is misled into executing an MSI\r\nattached to the phishing email. When executed, the MSI launches an embedded JavaScript downloader that downloads\r\na ZIP archive and extracts its contents. It then executes the legitimate application, which side-loads the Ousaban\r\nbanking trojan.\r\nFigure 4. Simple Ousaban distribution chain\r\nMultistage MSI\r\nRecently, ESET has observed a new distribution chain spreading Ousaban massively. It is much more complicated than\r\nthe one described above. The whole process is illustrated in Figure 5.\r\nThe first two stages are almost identical. In both, the core of the stage is contained in an archive (ZIP or CAB) and\r\ncontains:\r\nA legitimate application\r\nAn encrypted injector\r\nAn encrypted downloader\r\nAn encrypted configuration file\r\nLegitimate files\r\nThe legitimate application, when executed, side-loads the injector. The injector locates, decrypts and executes the\r\ndownloader. The downloader decrypts the configuration file to obtain a URL leading to a remote configuration. The\r\nremote configuration contains a URL leading to the next stage archive. The downloader downloads the next stage\r\narchive, extracts its contents and executes the legitimate application.\r\nThe final stage is slightly different, as it decrypts and executes the actual Ousaban banking trojan instead of a\r\ndownloader. The third configuration file leads to a remote configuration with C\u0026C server IP address and port. The\r\narchive with the last stage contains one more malware-related file – a support module that alters various settings of the\r\nvictim’s machine. 
	Finally, the archives for all three stages include additional files – a single legitimate executable in\r\nthe first-stage archive, 14 legitimate files in the second-stage archive, and 13 legitimate files in the third-stage archive\r\nplus an embedded archive containing a further 102 legitimate files.\r\nFigure 5. Ousaban's complex distribution chain\r\nSupport module\r\nOusaban loads this module to make it easier for the threat actor to connect to the victim’s machine. It mainly:\r\nModifies the RDP settings to use RDPWrap, a utility to allow multiple RDP connections to Home editions of\r\nthe Windows OS\r\nModifies firewall settings to allow all RDP connections\r\nCreates a new account with administrative privileges\r\nThe module contains the RDPWrap binaries stored in its .rsrc section. It then changes the RDP settings directly in the\r\nWindows registry at:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\\\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\\r\nThe module then uses netsh.exe to modify the Windows firewall to allow all TCP and UDP traffic directed to port\r\n3389, the standard port for RDP. Finally, it creates a new account Administrat0r with administrative privileges. We\r\nhypothesize that the threat actor wants to have a second way to access the victim’s machine; the threat actor is then not\r\nlimited by the capabilities of the Ousaban banking trojan and can perform any malicious activity.\r\nCryptography\r\nOusaban utilizes three cryptographic schemes overall. 
	Its strings are encrypted with an algorithm used by the vast\r\nmajority of Latin American banking trojans we have analyzed (we have previously described it in detail here). All\r\ncommunications between Ousaban and its C\u0026C server are encrypted using the standard AES cipher with a hardcoded\r\nkey.\r\nThe final algorithm is used in the previously mentioned injector specific to this family. We provide a Python\r\nimplementation in Figure 6.\r\ndef decrypt(data, key):\r\n    # data: encrypted payload (bytes); key: key (bytes).\r\n    # Odd and even offsets are XORed with the key byte and a different position-derived mask.\r\n    data_dec = str()\r\n    key_len = len(key)\r\n    for i, c in enumerate(data):\r\n        if i % 2 != 0:\r\n            data_dec += chr(key[i % key_len] ^ c ^ ((key_len - (i \u0026 key_len)) \u0026 0xFF))\r\n        else:\r\n            data_dec += chr(key[i % key_len] ^ c ^ (i \u0026 0xFF))\r\n    return data_dec\r\nFigure 6. Algorithm used by Ousaban’s injector to decrypt its payloads\r\nRemote configuration\r\nOusaban relies on remote configuration to obtain its next stage URLs and the C\u0026C address and port to use. Ousaban\r\nused to store its remote configuration on YouTube, similar to Casbaneiro, but lately it has started using Google Docs\r\ninstead.\r\nThe remote configuration is in JSON format with the values being encrypted by the same algorithm used for strings,\r\nbut with a different key. The fields have the following meaning:\r\nhost = C\u0026C domain\r\nlink = next stage URL\r\nporta = C\u0026C port or 0 (the default HTTP port 80 is then used)\r\nvers = Ousaban version\r\nExamples of the remote configuration are provided in Figure 7 and Figure 8.\r\nFigure 7. Ousaban remote configuration on YouTube\r\nFigure 8. Ousaban remote configuration on Google Docs\r\nSimilarities with other LATAM banking trojans\r\nWe have already mentioned some similarities between Ousaban and other Latin American banking trojans previously\r\nanalyzed in this series (like the same string decryption algorithm). 
During our analysis, we discovered additional links\r\nto the other families, mainly:\r\nSome Ousaban downloaders contain the same string obfuscation code as Amavaldo\r\nOusaban has been distributed by the same malicious advertisements as Mispadu in the past\r\nThe JavaScript files it uses are similar to Vadokrist, Mekotio, Casbaneiro and Guildma\r\nThe PowerShell files it occasionally uses for distribution (aside from the recent methods described in this\r\nblogpost) are similar to Amavaldo, Casbaneiro and Mekotio\r\nWe analyzed the interestingly close cooperation between these malware families in depth in our white paper presented\r\nat the Virus Bulletin 2020 conference.\r\nConclusion\r\nIn this installment of our series, we looked at Ousaban, a Latin American banking trojan targeting only Brazil. This\r\nmalware family has been active since at least 2018 and shares typical characteristics of this type of threat – it is written\r\nin Delphi, contains backdoor functionality and attacks using overlay windows.\r\nWe have covered its most typical features, distribution and execution methods and the structure of its remote\r\nconfiguration. We also discovered several leads that suggest Ousaban is linked to some other Latin American banking\r\ntrojans.\r\nFor any inquiries, contact us at threatintel@eset.com. 
	Indicators of Compromise can also be found in our GitHub\r\nrepository.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nSHA-1 | Description | ESET detection name\r\nC52BC5B0BDFC7D4C60DF60E88835E3145F7FB34F | Ousaban banking trojan | Win32/Spy.Ousaban.G\r\nD04ACFAF74861DDC3B12E75658863DA65C03013F | Ousaban JS downloader | JS/TrojanDownloader.Banload.AAP\r\n9A6A4BF3B6E974E367982E5395702AFF8684D500 | Ousaban JS downloader | JS/TrojanDownloader.Banload.AAP\r\n3E8A0B6400F2D02B6B8CD917C279EA1388494182 | Ousaban MSI downloader | Win32/Spy.Ousaban.W\r\n6946BFB8A519FED8EC8C30D9A56619F4E2525BEA | Ousaban injector | Win32/Spy.Ousaban.W\r\nE5DD2355E85B90D2D648B96C90676604A5C3AE48 | Ousaban support module | Win32/Spy.Ousaban.AB\r\nAbused legitimate applications\r\nExample SHA-1 | EXE name | DLL name\r\nBA5493B08354AEE85151B7BBD15150A1C3F03D1D | Avira.SystrayStartTrigger.exe | Avira.OE.NativeCore.dll\r\n7F6C820B00FC8C628E2420C388BBB9096A547DAA | AudioGrabber.exe | StarBurn.dll\r\nC5D5CF1B591C40344B20370C5EE5275356D312EC | PlGen.exe | bass_fx.dll\r\n53045B8047CED049BBC7EBCB3D3299D2C465E8B9 | BlazeDVD.exe | SkinScrollBar.dll\r\nA6118D354D512DC29965E368F6C78AA3A42A27AD | ImageGrabber.exe | StarBurn.dll\r\nF9C71277CF05738275261D60A9E938CBA7232E0D | nvsmartmaxapp.exe | nvsmartmax.dll\r\nRecent configuration file 
	URLs\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 8 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Ousaban operators register domains to be used as C\u0026C servers.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Ousaban is operated by the same group that develops it.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Ousaban’s initial downloader is most commonly distributed as a spam attachment.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Ousaban uses PowerShell in some distribution chains.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ousaban uses cmd.exe to 
	execute the legitimate applications that side-load the main Ousaban payload.\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | Ousaban uses JavaScript in some distribution chains.\r\nExecution | T1204.002 | User Execution: Malicious File | Ousaban relies on the victim to execute the distributed MSI file.\r\nPersistence | T1098 | Account Manipulation | Ousaban registers a new local administrator account on the victim’s machine.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ousaban achieves persistence using the Run key or startup folder.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Ousaban payloads and strings are encrypted.\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Ousaban is often executed by this technique.\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Ousaban modifies the RDP settings of the victim’s machine.\r\nDefense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Ousaban modifies Windows firewall settings.\r\nDefense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | Ousaban frequently uses binary padding.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Ousaban binaries are protected by Themida or Enigma packers.\r\nDefense Evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | Ousaban uses the MSI format for execution.\r\nCredential Access | T1056.001 | Input Capture: Keylogging | Ousaban can capture keystrokes.\r\nDiscovery | T1010 | Application Window Discovery | Ousaban looks for bank- and email-related windows based on their window names and titles.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | Ousaban collects information about the security software installed on the 
	victim’s machine.\r\nDiscovery | T1082 | System Information Discovery | Ousaban collects basic information about the victim’s machine, such as computer name and Windows version.\r\nDiscovery | T1113 | Screen Capture | Ousaban can take screenshots.\r\nCommand and Control | T1132.002 | Data Encoding: Non-Standard Encoding | Ousaban uses RealThinClient, which provides non-standard encryption.\r\nCommand and Control | T1219 | Remote Access Software | Ousaban installs RDPWrap on the victim’s machine.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Ousaban exfiltrates data via the C\u0026C server.\r\nSource: https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/"
	],
	"report_names": [
		"ousaban-private-photo-collection-hidden-cabinet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cfa53851cdcad81c4a5fc92130947b4719886ccb.pdf",
		"text": "https://archive.orkl.eu/cfa53851cdcad81c4a5fc92130947b4719886ccb.txt",
		"img": "https://archive.orkl.eu/cfa53851cdcad81c4a5fc92130947b4719886ccb.jpg"
	}
}