diff --git a/Exploits/Ousaban Banking Trojan.md b/Exploits/Ousaban Banking Trojan.md
new file mode 100644
index 00000000..16ec88bb
--- /dev/null
+++ b/Exploits/Ousaban Banking Trojan.md
@@ -0,0 +1,60 @@
+Ousaban Banking Trojan
+
+Hunt for URLs and malicious hashes
+
+Query
+
+//Hunt for URLs
+
+DeviceNetworkEvents
+| where (RemoteUrl contains "https://docs.google.com/document/d/1o9MlOhxIJq9tMOuUHJiw2eprQ-BGCA_ERnbF54dZ25w/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/1d1903AvDBYgOo0Pt9xBBnpCHwSerOpIi4l1b6M4mbT4/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/1VKxF3yKbwQZive-ZPCA4dAU1zOnZutJxY2XZA0YHa3M/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/1UiuqrzI_rrtsJQHqeSkp0sexhwU_VSje8AwS-U6KBPk/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/1UbfOcHm-T9GCPiitqDRh5TNwZRNJ8_miEpLW-2ypU-I/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/1JLuJKoxcd0vRqut8UeBjFJXzMDQ9OiY2ItoVIRq6Gw8/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/1EOwVDlYPV3gE7PSnLZvuTgUQXvOSN9alyN5aMw7bGeI/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/1DDDmJzBVcNWhuj8JMRUVb7JlrVZ5kYBugR_INSS96No/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/19bXTaiFdY5iUqUWXl92Js7i9RoZSLJqcECgpp_4Kda4/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/18sc6rZjk529iYF2iBTsmuNXvqDqTBSH45DhSZpuLv_U/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/13A6EBLMOOdvSL3u6IfyrPWbYREXNRVdDTiKzC6ZQx7U/edit"
+or RemoteUrl contains "https://docs.google.com/document/d/1nQqifeYFsCcI7m-L1Y1oErkp50c-y670nfk7NTKOztg/edit");
+
+// Hunt for malicious hashes
+
+let SHA1Hash= dynamic(["3e8a0b6400f2d02b6b8cd917c279ea1388494182",
+"6946bfb8a519fed8ec8c30d9a56619f4e2525bea",
+"9a6a4bf3b6e974e367982e5395702aff8684d500",
+"c52bc5b0bdfc7d4c60df60e88835e3145f7fb34f",
+"d04acfaf74861ddc3b12e75658863da65c03013f",
+"e5dd2355e85b90d2d648b96c90676604a5c3ae48"]);
+let SHA256Hash= dynamic(["c2f8b96311e7668715b151e3acec9580f40dc630791ce5e1e15838df25092a87"]);
+let MD5Hash = dynamic(["72862f94261909002e8639d6496a7cee"]);
+DeviceFileEvents
+| where SHA1 in(SHA1Hash) or SHA256 in(SHA256Hash) or MD5 in(MD5Hash)
+
+
+Category
+
+This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
+Technique, tactic, or state Covered? (v=yes) Notes
+Initial access V
+Execution
+Persistence
+Privilege escalation
+Defense evasion
+Credential Access
+Discovery V
+Lateral movement
+Collection
+Command and control
+Exfiltration
+Impact
+Vulnerability
+Exploit V
+Misconfiguration
+Malware, component
+Ransomware
+Contributor info
+
+Contributor: Shivam Malaviya GitHub alias: Shivammalaviya Organization: OS Contact info: shivammalaviya@hotmail.com
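Review bot: The URL hunt matches `RemoteUrl contains "https://docs.google.com/document/d/<id>/edit"` twelve times, which is brittle: for TLS connections DeviceNetworkEvents often records only the hostname, and where a URL is present it may lack the scheme or the `/edit` suffix, so these full-string matches may rarely or never hit. Matching the document ids alone, `let DocIds = dynamic(["1o9MlOhxIJq9tMOuUHJiw2eprQ-BGCA_ERnbF54dZ25w", "1d1903AvDBYgOo0Pt9xBBnpCHwSerOpIi4l1b6M4mbT4", ...]);` then `| where RemoteUrl has_any (DocIds)`, keeps every indicator while tolerating those variations, and a one-line note that URL-path visibility depends on proxy or browser telemetry would set expectations for analysts. The Category table ticks Discovery and Exploit, but neither the URL nor the hash hunt observes discovery activity or an exploit; they are indicator matches that fit Initial access and, presumably, Execution or Command and control depending on how the documents are used, so the table should be rechecked. The URL query and the hash query are written as one text joined by `;`; if the hunting portal does not accept more than one tabular statement per query, the file should present them as two separate queries.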