General

  • Target

    b0b66961ae1c42587da3c0d58073cb6d6e265ca1b8006d7582bf49720083dab8

  • Size

    42KB

  • Sample

    221129-djfefadc81

  • MD5

    ae52ae883b02a0c96aff6ebd68203589

  • SHA1

    f7d44b9fc385ff312e283e6259194da112024ed5

  • SHA256

    b0b66961ae1c42587da3c0d58073cb6d6e265ca1b8006d7582bf49720083dab8

  • SHA512

    0f66b5a8191cb35316e20a61b38afe777c13f686e4a0d5382b8efafb0597d4051de7ef07bdd1d5b502a98427c77d1a5eddfccb35a6f86076c456a871872c2c86

  • SSDEEP

    768:XDPB88ZMN37olhmTsr3i5VQ6zPYovmqNp34H4:Xd88ZEOxwPnmw4H4

Malware Config

Targets

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware family first seen in 2020.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks