xorist | eaad06b4a7b1072a3e7e361638e75ffc18d81e17d8a443b511b77162fe4251a3 | Triage

Submit
Reports

Overview

overview

Static

static

mbrlocker.exe

windows7-x64

mbrlocker.exe

windows10-2004-x64

Sharing

General

Target

mbrlocker.exe
Size

7KB
Sample

231223-nqw1wafffj
MD5

61dc75a6465bc7582f873b554fcb1b6a
SHA1

9dcfd74bcb873ddb4ed65ea234140f33664a9ff2
SHA256

eaad06b4a7b1072a3e7e361638e75ffc18d81e17d8a443b511b77162fe4251a3
SHA512

457ae5e5315645f8d496fe4066f2487f8e17372f9225b648498b5444b9f13ed1b7768a773c37153cf32518ec102d2c8c5f3f89f7d760a81ded9bc96848834f1a
SSDEEP

96:lrZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExs2VKi6oWd96OGMUA:Nzdrr1FG1WDCgmjPZHT/OGMUA

Score

10^/10

xorist persistence ransomware spyware stealer upx

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

mbrlocker.exe

Resource

win7-20231129-en

xorist persistence ransomware spyware stealer upx

windows7-x64

12 signatures

1800 seconds

Behavioral task

behavioral2

Sample

mbrlocker.exe

Resource

win10v2004-20231215-en

xorist persistence ransomware spyware stealer upx

windows10-2004-x64

13 signatures

1800 seconds

Malware Config

Targets

- Target
  
  mbrlocker.exe
- Size
  
  7KB
- MD5
  
  61dc75a6465bc7582f873b554fcb1b6a
- SHA1
  
  9dcfd74bcb873ddb4ed65ea234140f33664a9ff2
- SHA256
  
  eaad06b4a7b1072a3e7e361638e75ffc18d81e17d8a443b511b77162fe4251a3
- SHA512
  
  457ae5e5315645f8d496fe4066f2487f8e17372f9225b648498b5444b9f13ed1b7768a773c37153cf32518ec102d2c8c5f3f89f7d760a81ded9bc96848834f1a
- SSDEEP
  
  96:lrZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExs2VKi6oWd96OGMUA:Nzdrr1FG1WDCgmjPZHT/OGMUA
Score

10^/10

xorist persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Renames multiple (2172) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xoristpersistenceransomwarespywarestealerupx

behavioral2

xoristpersistenceransomwarespywarestealerupx

© 2018-2025

Terms | Privacy