xorist | 3fe8fd2dfde21f0b79e0336fce36e5f6d28efc2452851cb5d3e9f3e1d950412c

General

Target

3fe8fd2dfde21f0b79e0336fce36e5f6d28efc2452851cb5d3e9f3e1d950412c
Size

13KB
Sample

240419-wyxldacf5y
MD5

0da42b36896f93a1a517f69c7fc19773
SHA1

2730de840fec2cb457db0329bb5d53794c48db6e
SHA256

3fe8fd2dfde21f0b79e0336fce36e5f6d28efc2452851cb5d3e9f3e1d950412c
SHA512

a211803e3eb6900956a4a038ca944d7b1e2aa06e4dec1f7badd942b185fc2b53ee84703bffa6bf880307e7396b8dcce36804457d95abdd9eac774dffffe967b5
SSDEEP

384:vg+O/BCEvVVTAcWv4yBXIn56KEzAkZObS:vgP/BCeVU0yyuzgbS

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL TO NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE https://coinatmradar.com/ (find a ATM) https://www.localbitcoins.com/ (buy instantly online any country) THE PRICE FOR DECRYPTOR SOFTWARE IS 2000$ BTC ADRESS : 17o2F4pUNiuCkfqN9KWpRWSwn5pj7k7YRj (where you need to make the payment) VERRY IMPORTANT ! DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA . ANTIVIRUSES ONLY DESTROY THE ENCRYPTED DATA , THEY DO NOT KNOW THE ALGORITH WITH WICH THE ENTIRE SYSTEM WAS ENCRYPTED. THE ONLY WAY TO DECRYPT YOUR SYSTEM AND RETURN TO NORMAL IS TO BUY THE ORIGINAL DECRYPTOR SOFTWARE. For more information : [email protected] (24/7) Subject: SYSTEM-LOCKED-ID: 80012Afr1

Emails

[email protected]

Wallets

17o2F4pUNiuCkfqN9KWpRWSwn5pj7k7YRj

URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Targets

- Target
  
  9bb8d77ac2a18950a244183a82fa3cc4fa47ef6b4ce2a0979552dd1ff46725bd
- Size
  
  21KB
- MD5
  
  dc6aec10c0d6a6aa1111921e8787318b
- SHA1
  
  c639d565c2723471a133030b505ab3d6c708e1c4
- SHA256
  
  9bb8d77ac2a18950a244183a82fa3cc4fa47ef6b4ce2a0979552dd1ff46725bd
- SHA512
  
  298c5c63144e9f262d04e0188c337a58147239e9d956deb3010defee610ebc6170a399c5e858638c8d24d46bf5d60b13549c0752876b654cee1ef6b9bf150bb2
- SSDEEP
  
  384:Uprr1gkDCgSwvXqOBQy608DpyVwP3lGtgAB6Q0Ci6VBi:6rVDCyT2L089ZP3gtFXRti
Score

10^/10

xorist persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Renames multiple (6728) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2