Ousaban
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
4 techniques
If the user environment passes the server-side check, a VBS file is downloaded. The VBS file contains numerous benign function calls. The malicious code downloads a steganographic image that resembles a PDF icon.
The PDF also includes JavaScript code that displays an error message and then accesses the same webpage. This JavaScript code is hex-escaped to evade detection.
Persistence
1 technique
Privilege Escalation
2 techniques
Stealth
7 techniques
This JavaScript code is hex-escaped to evade detection.
A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography.
The malicious payload involves a DLL file that is run via DLL side-loading or process injection.
After execution, the ZIP file, image file, and VBS file are deleted to minimize the footprint.
The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind.
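The image-that-hides-a-ZIP stage described above is something a defender can check for directly. The page does not say how the archive is embedded; this added example (not Ousaban code, and not from Mallory or any vendor report) assumes the simplest form, a ZIP archive appended after the image's real end marker where picture viewers ignore it, and flags such trailing archives in PNG or JPEG files. The dropper-style sample image is constructed inline.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def image_end_offset(data: bytes):
    """Offset just past the image's real end marker, or None if not PNG/JPEG."""
    if data.startswith(PNG_MAGIC):
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):           # walk chunks: length, type, data, CRC
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(JPEG_MAGIC):
        eoi = data.find(JPEG_EOI, 2)          # EOI cannot occur inside entropy-coded data
        return None if eoi < 0 else eoi + 2
    return None


def find_appended_zip(data: bytes):
    """Return (offset, member names) if a ZIP archive follows the image's end marker."""
    end = image_end_offset(data)
    off = -1 if end is None else data.find(ZIP_LOCAL_HEADER, end)
    if off < 0:
        return None                            # unknown format, or no archive after the image
    try:
        with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
            return off, zf.namelist()
    except zipfile.BadZipFile:
        return None                            # PK bytes without a parsable archive


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample() -> bytes:
    """Constructed 1x1 PNG with a harmless ZIP appended (stands in for the dropper image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")
    png = PNG_MAGIC + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.dll", b"constructed placeholder, not real code")
    return png + buf.getvalue()
```

Running `find_appended_zip` over files an e-mail gateway or endpoint has written as .png/.jpg gives an inexpensive triage signal; a clean image returns None, an image with trailing archive returns the archive offset and member names.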
Credential Access
1 technique
Discovery
2 techniques
Lateral Movement
1 technique
Collection
3 techniques
When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control.
Command and Control
5 techniques
If the hostname is resolvable, Ousaban establishes a connection to the C2 server. Below is the basic command list:
#Convite# Collect user information
#Handle# Assign a victim ID
#ON-LINE# Heartbeat
It carries a Pastebin link that points to one server address, but Fortinet says that address is a decoy. Hiding these details in web services is an old Ousaban habit: earlier campaigns stashed the configuration in Google Docs.
#Iniciar# Start screenshot capture and initialize various functions for further actions, such as controlling the mouse and keyboard.
IOCs tracked for this family
30 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Brazilian banking trojan targeting Windows users in Spain and Portugal. It is delivered via phishing PDFs and a staged payload hidden in an image/ZIP, persists via a Windows Run key, waits for victims to open banking sites, and then captures screenshots and keystrokes, tampers with the clipboard, displays fake messages, and enables remote control to hijack banking sessions and take over accounts.
Banking trojan targeting users in Spain and Portugal via phishing PDFs, malicious webpages, VBS downloaders, and MSI/Rust-based downloaders. It establishes persistence via the Run registry key, monitors access to banking services, resolves daily-changing DDNS-based C2 infrastructure, and supports screenshot capture, remote control, clipboard injection, and keylogging.