Ousaban is a Windows-based malware threat that targets personal computers and business workstations through a combination of sophisticated evasion techniques and credential-harvesting capabilities. First documented in widespread campaigns during 2018, this trojan has evolved from simple information-stealer code into a multi-stage threat platform capable of downloading additional malicious payloads, exfiltrating sensitive data, and maintaining persistent access to infected systems. We've seen Ousaban infections across metro Atlanta, including right here in Roswell, typically arriving through malicious email attachments disguised as invoices, shipping notifications, or business correspondence.

Ousaban — cybersecurity illustration
Photo by John (Giannis) Tekeridis on Pexels
Think you're infected right now? Disconnect from the internet immediately (unplug ethernet or disable WiFi), do not log into any financial accounts, and call us at (770) 679-9870. Ousaban actively harvests credentials and banking information—every minute online increases your risk of data theft. Our shop is at 1550 Old Alabama Rd, Suite 102B in Roswell. We can start emergency diagnostics within the hour for walk-ins.

Threat Profile

Characteristic Details
Threat Name Ousaban
Threat Type Trojan, Information Stealer, Backdoor
Platform Windows (all versions from XP through Windows 11)
File Type Windows PE Executable (.exe, .dll)
First Documented 2018
Distribution Method Phishing emails, malicious attachments, exploit kits
Primary Payload Credential theft, banking trojan capabilities, backdoor access
Persistence Mechanism Registry run keys, scheduled tasks, startup folder modifications
Detection Difficulty Moderate to High (employs anti-analysis techniques)
Removal Difficulty Moderate (leaves multiple persistence points)
Data at Risk Banking credentials, browser passwords, email access, cryptocurrency wallets, stored payment information
Common Detection Names Ousaban, Trojan.Ousaban, Win32/Ousaban, Backdoor.Ousaban

How It Spreads

Ousaban primarily spreads through targeted email campaigns that prey on business routines and trust relationships. The attackers behind this malware invest significant effort in crafting convincing messages that appear to come from shipping companies, accounting departments, business partners, or service providers. These emails typically contain either a malicious Microsoft Office document (Word or Excel) with embedded macros, or a ZIP archive containing an executable file disguised with a double extension or misleading icon.

The infection chain usually begins when a user opens what appears to be a legitimate business document. If the attachment is an Office file, the victim sees a prompt to "Enable Content" or "Enable Editing"—standard security warnings that many users have been trained to click through without thinking. Once macros execute, they download the full Ousaban payload from a compromised legitimate website or attacker-controlled server. If the attachment is an executable, it may masquerade as a PDF reader, document viewer, or other utility, relying on Windows' default setting to hide known file extensions.

Common distribution vectors we've observed include:

  • Invoice scams: Fake billing notifications from UPS, FedEx, DHL, or accounting departments claiming outstanding payments or delivery failures
  • Document sharing: Emails purporting to be from DocuSign, Adobe Sign, or Microsoft OneDrive with "urgent documents requiring signature"
  • Business correspondence: Targeted messages to specific companies referencing real projects, vendors, or internal terminology (gathered from LinkedIn or data breaches)
  • Malicious ads: Exploit kit delivery through compromised advertising networks on legitimate websites
  • Software bundling: Occasionally distributed with cracked software, key generators, or "free" versions of paid applications downloaded from unofficial sources
  • Lateral movement: Once one machine on a network is infected, Ousaban may attempt to spread to other computers via shared folders or stolen admin credentials

What It Does On Your Machine

Once Ousaban establishes itself on a system, it operates in multiple stages with different components handling reconnaissance, data theft, and command-and-control communication. The initial dropper is typically a small loader that performs environment checks to detect sandboxes, virtual machines, or security analysis tools. If it determines the environment is a real user's computer rather than a researcher's analysis system, it proceeds to download and execute the main payload components.

The core malware establishes persistence through multiple redundant mechanisms. It creates registry entries in the current user's Run key and often the local machine Run key if it can obtain elevated privileges. It may install itself as a scheduled task that executes at user logon or at regular intervals. Some variants copy themselves to the Windows Startup folder under innocuous names like "SystemUpdate.exe" or "WindowsSecurityCheck.exe." This redundancy ensures that even if one persistence method is discovered and removed, the malware can reinfect the system from another location.

Ousaban's primary function is credential harvesting and financial data theft. It monitors browser activity, capturing login credentials for banking sites, email accounts, social media, and cryptocurrency exchanges. It can intercept form data before it's encrypted by HTTPS, giving it access to passwords, credit card numbers, and security questions. The malware specifically targets saved passwords in web browsers, extracting credentials stored by Chrome, Firefox, Edge, and Internet Explorer. Some variants include keylogging capabilities that record everything typed, sending logs back to attackers periodically.

The malware communicates with command-and-control servers to receive instructions and exfiltrate stolen data. This communication is often encrypted and may use legitimate services like Pastebin, GitHub, or cloud storage APIs to blend in with normal traffic and evade network monitoring. The C2 connection also allows attackers to deliver additional modules or completely different malware families, turning the infected machine into a platform for whatever operation the attackers currently prioritize—whether that's ransomware deployment, cryptocurrency mining, or spam distribution.

Typical Ousaban File System and Registry Artifacts (observed in sandbox): C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.exe C:\Users\[Username]\AppData\Local\Temp\~DF[random].tmp C:\Users\[Username]\AppData\Roaming\[random folder name]\svchost.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ WindowsUpdate = "C:\Users\[Username]\AppData\Roaming\[random]\svchost.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ SystemSecurity = "C:\Windows\System32\[malicious file].exe" // Network indicators (observed in sandbox environment) DNS queries to: [various compromised domains] HTTP/HTTPS POST to: [attacker infrastructure] Communication encrypted using: custom protocols, SSL/TLS

Manual Removal — Step by Step

01

Disconnect From the Internet Immediately

Before beginning removal, physically disconnect your computer from the internet by unplugging the ethernet cable or disabling your WiFi adapter. This prevents Ousaban from sending any additional stolen data to its command servers and stops it from downloading additional malware components. Do not reconnect until the removal process is completely finished and verified.

02

Boot Into Safe Mode With Networking

Restart your computer and repeatedly press F8 (or Shift+F8 on newer systems) during boot to access Advanced Boot Options. Select "Safe Mode with Networking" from the menu. This loads Windows with only essential drivers and services, preventing most malware from automatically starting. If you can't access F8 options, use the System Configuration tool (msconfig) from a clean boot to enable Safe Mode for the next restart.

03

Show Hidden Files and File Extensions

Open File Explorer, click the View tab, and check both "Hidden items" and "File name extensions." Ousaban often hides its files using system or hidden attributes, and it disguises executables with double extensions like "invoice.pdf.exe" that only appear as "invoice.pdf" when extensions are hidden. You need to see the real file names to identify malicious files.

04

Examine and Clean Startup Locations

Check every common startup location manually. Navigate to the Startup folder (press Win+R, type shell:startup) and delete any unfamiliar executables. Then check shell:common startup for system-wide startup items. Look for generic names like SystemUpdate.exe, WindowsSecurityCheck.exe, or random character strings. Use Task Manager's Startup tab (Ctrl+Shift+Esc, then Startup tab) to disable suspicious entries, noting their file locations before disabling them.

05

Clean Registry Run Keys

Press Win+R, type regedit, and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Examine every entry, looking for unfamiliar programs or entries pointing to files in temporary directories or AppData folders. Delete suspicious entries, but write down what you remove in case you need to restore a legitimate program. Repeat for HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Also check the "RunOnce" keys in both locations.

06

Review Scheduled Tasks

Open Task Scheduler (search for "Task Scheduler" in the Start menu). Expand the Task Scheduler Library and review all tasks, particularly those in the root folder and Microsoft\Windows folders. Look for tasks that run executables from unusual locations, especially user AppData folders or Temp directories. Disable and delete any suspicious scheduled tasks. Pay attention to tasks with random names or those configured to run every few minutes.

07

Delete Malicious Files

Using the file locations you identified from startup and registry analysis, navigate to each location and delete the malicious executables. Common hiding spots include C:\Users\[YourName]\AppData\Roaming\, AppData\Local\, and AppData\Local\Temp\. Look for folders with random names or folders trying to mimic legitimate Windows components. If Windows prevents deletion, restart into Safe Mode or use the command prompt with administrative privileges to force deletion with del /F /Q [filename].

08

Scan With Multiple Anti-Malware Tools

Download and run at least two reputable anti-malware scanners. Use Malwarebytes, HitmanPro, or ESET Online Scanner in addition to your primary antivirus. Run full system scans with each, as different engines detect different variants and components. Allow the tools to quarantine or remove everything they find. Restart between scans if prompted. This multi-scanner approach catches components that individual programs might miss.

09

Change All Passwords From a Clean Device

This is critical: do NOT change passwords from the potentially infected computer. Use a phone, tablet, or known-clean computer to change passwords for every important account—banking, email, social media, shopping sites, work accounts, everything. Enable two-factor authentication wherever possible. Ousaban specifically targets credentials, so assume every password entered on the infected machine has been compromised.

10

Monitor Financial Accounts and Credit Reports

Contact your bank and credit card companies to alert them of potential compromise. Monitor your accounts daily for the next several weeks, watching for unauthorized transactions. Place fraud alerts with the three credit bureaus (Equifax, Experian, TransUnion). Consider freezing your credit if you saw the malware actively running for an extended period before detection. Ousaban's credential theft capabilities make financial monitoring essential after infection.

Prevention

  1. Disable macros by default: Configure Microsoft Office to disable macros in documents from the internet. Go to File > Options > Trust Center > Trust Center Settings > Macro Settings and select "Disable all macros without notification." Only enable macros in documents from verified, trusted sources, and even then, call the sender to confirm they actually sent the file.
  2. Show file extensions: In Windows File Explorer, enable "File name extensions" in the View tab. This immediately reveals disguised executables trying to pass as PDFs or documents. A file named "invoice.pdf.exe" will show its true executable nature instead of masquerading as a harmless PDF.
  3. Verify unexpected attachments before opening: If you receive an unexpected email with an attachment, especially with urgent language or claiming unpaid invoices, call the supposed sender using a phone number you look up independently (not one provided in the email). Attackers rely on you clicking first and thinking later.
  4. Keep Windows and software updated: Enable automatic updates for Windows, Office, browsers, and other commonly exploited software. Many malware delivery mechanisms exploit known vulnerabilities that patches have already fixed. Set updates to install automatically overnight so you're not tempted to postpone them.
  5. Use a standard user account for daily work: Create a separate administrator account for system changes and use a standard user account for email, browsing, and regular work. This limits malware's ability to make system-wide changes or install itself for all users. When prompted for admin credentials, actually read what's requesting elevation and deny it if unexpected.
  6. Implement proper email filtering: For businesses, use email security services that scan attachments in sandboxed environments before delivery. For home users, Gmail and Outlook.com offer reasonably good filtering—don't disable their security warnings. Mark suspicious emails as spam rather than just deleting them to train the filter.
  7. Maintain offline backups: Keep regular backups of important files on an external drive that you disconnect after backing up. If malware does compromise your system, you can restore from a known-clean backup without paying ransom or losing data. Test your backup restoration process at least once to verify it actually works.
  8. Deploy reputable security software: Use a well-reviewed antivirus solution with real-time protection enabled. Free options like Windows Defender provide baseline protection, but paid solutions often offer better detection rates and additional features like banking protection and exploit prevention. Keep definitions updated automatically.
Our 90-Day Guarantee: When Computer Repair Roswell removes Ousaban or any malware from your system, we stand behind our work with a 90-day warranty. If the same infection returns within 90 days through no fault of your own, we'll re-clean your system at no charge. We completely remove the malware, verify all persistence mechanisms are eliminated, help you secure your accounts, and provide prevention guidance so you stay protected going forward.

Bring It In

Ousaban removal requires thorough analysis to ensure every component and persistence mechanism is eliminated. While the manual steps above can help, infections this sophisticated often have hidden components that evade casual inspection. Our technicians at Computer Repair Roswell have specialized tools and forensic experience to completely clean infected systems, verify removal, and help you secure your compromised accounts. We'll also check for additional malware that may have been downloaded during the infection period, something manual removal often misses.

We're located at 1550 Old Alabama Rd, Suite 102B in Roswell, just off Highway 92. Call us at (770) 679-9870 to schedule same-day service, or bring your computer in as a walk-in—we'll typically start diagnostics within an hour. We serve residential and business customers throughout Roswell, Alpharetta, Johns Creek, and the surrounding metro Atlanta area. Don't let credential-stealing malware put your finances and personal information at risk. Let us handle the technical details while you get back to using your computer safely.