xorist | 08c524509178aa6a93de9861790804266289fbed704af269f3c4ddde75518b15 | Triage

Submit
Reports

Overview

overview

Static

static

7

08c5245091...15.exe

windows7-x64

08c5245091...15.exe

windows10-2004-x64

Sharing

General

Target

08c524509178aa6a93de9861790804266289fbed704af269f3c4ddde75518b15
Size

5.1MB
Sample

230730-jva7rahe7x
MD5

c4f9fc325e2dc80bcbb2284d2f62eafe
SHA1

384dc7efa488ac7951ede56b1d6a8dbcaf24031e
SHA256

08c524509178aa6a93de9861790804266289fbed704af269f3c4ddde75518b15
SHA512

c8e0547c376ed252d1ffc0c8c9a54a3214cb74a1a47825dad6f960d640a339637f7e7790024e38d506b21dadc6094e9a89783f8ac119e9288d1e93571aa36818
SSDEEP

98304:813Fgxkk4V8EgKjH+53oPa0dQ65ojxRo7oLaR1sMbkBH5qf:9xcV8EgQA3IaMQ65oLa1KZ

Score

10^/10

xorist persistence ransomware spyware stealer vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

08c524509178aa6a93de9861790804266289fbed704af269f3c4ddde75518b15.exe

Resource

win7-20230712-en

xorist persistence ransomware spyware stealer vmprotect

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

08c524509178aa6a93de9861790804266289fbed704af269f3c4ddde75518b15.exe

Resource

win10v2004-20230703-en

xorist persistence ransomware spyware stealer vmprotect

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  08c524509178aa6a93de9861790804266289fbed704af269f3c4ddde75518b15
- Size
  
  5.1MB
- MD5
  
  c4f9fc325e2dc80bcbb2284d2f62eafe
- SHA1
  
  384dc7efa488ac7951ede56b1d6a8dbcaf24031e
- SHA256
  
  08c524509178aa6a93de9861790804266289fbed704af269f3c4ddde75518b15
- SHA512
  
  c8e0547c376ed252d1ffc0c8c9a54a3214cb74a1a47825dad6f960d640a339637f7e7790024e38d506b21dadc6094e9a89783f8ac119e9288d1e93571aa36818
- SSDEEP
  
  98304:813Fgxkk4V8EgKjH+53oPa0dQ65ojxRo7oLaR1sMbkBH5qf:9xcV8EgQA3IaMQ65oLa1KZ
Score

10^/10

xorist persistence ransomware spyware stealer vmprotect
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Renames multiple (2148) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (2183) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xoristpersistenceransomwarespywarestealervmprotect

behavioral2

xoristpersistenceransomwarespywarestealervmprotect

© 2018-2025

Terms | Privacy