xorist | 8b1c6d1c4df109ef648f36a31e59e492c9752b0acf0eea26a0a75b2398c5d86c | Triage

Submit
Reports

Overview

overview

Static

static

ec2b6ecfc8...38.exe

windows7-x64

ec2b6ecfc8...38.exe

windows10-2004-x64

Sharing

General

Target

ec2b6ecfc8ca67f9357b6550166a0838
Size

506KB
Sample

231222-tpxtnsegeq
MD5

ec2b6ecfc8ca67f9357b6550166a0838
SHA1

134a0ae85224a12e3b8114900b83c9669524d427
SHA256

8b1c6d1c4df109ef648f36a31e59e492c9752b0acf0eea26a0a75b2398c5d86c
SHA512

d4803c161590c31dadebc13b1d505ee1cf1fbaee52facacdc5ea38bb16f485377819877b4a7662b255caf95c2f5ac93149f211e35c940660d0398142a00bc424
SSDEEP

12288:A1V8jxipOdK/nJr+ihc9DRVnXGrqgv6rk551VkG1ZUQ/bQDiW:q8lipOAgoc9L2PM5ybKi

Score

10^/10

xorist evasion persistence ransomware spyware stealer upx

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

ec2b6ecfc8ca67f9357b6550166a0838.exe

Resource

win7-20231215-en

xorist persistence ransomware spyware stealer upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

ec2b6ecfc8ca67f9357b6550166a0838.exe

Resource

win10v2004-20231215-en

xorist evasion persistence ransomware spyware stealer upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  ec2b6ecfc8ca67f9357b6550166a0838
- Size
  
  506KB
- MD5
  
  ec2b6ecfc8ca67f9357b6550166a0838
- SHA1
  
  134a0ae85224a12e3b8114900b83c9669524d427
- SHA256
  
  8b1c6d1c4df109ef648f36a31e59e492c9752b0acf0eea26a0a75b2398c5d86c
- SHA512
  
  d4803c161590c31dadebc13b1d505ee1cf1fbaee52facacdc5ea38bb16f485377819877b4a7662b255caf95c2f5ac93149f211e35c940660d0398142a00bc424
- SSDEEP
  
  12288:A1V8jxipOdK/nJr+ihc9DRVnXGrqgv6rk551VkG1ZUQ/bQDiW:q8lipOAgoc9L2PM5ybKi
Score

10^/10

xorist persistence ransomware spyware stealer upx evasion
- Detected Xorist Ransomware
- Modifies firewall policy service
  evasion
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Renames multiple (1913) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xoristpersistenceransomwarespywarestealerupx

behavioral2

xoristevasionpersistenceransomwarespywarestealerupx

© 2018-2025

Terms | Privacy