xorist | 84466b849c2ee067c513dadc5a23951636b3abd8b41f0e9d7bbcf974a4fe1446

General

Target

1c880eb8aaa88d35804cdc00ec1ad6be_JaffaCakes118
Size

445KB
Sample

241007-knl64swerk
MD5

1c880eb8aaa88d35804cdc00ec1ad6be
SHA1

68a06e660e9d7451dc15cf1eda8f4ab45e2930f9
SHA256

84466b849c2ee067c513dadc5a23951636b3abd8b41f0e9d7bbcf974a4fe1446
SHA512

b7a39eb3f434e86000875051a310fbaa2a41ec37d1cb3221ca5e7fc2d61ed85f6235e3952d71b1edb707699202b195cb14d8fa2257d2ff5dea635cd8e66cecda
SSDEEP

12288:M+9SmNgYpiqMQuUadfdtTtcmeL71EQPxEvMCMUW:MIqYpPM5UadrTtctJSMCMUW

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
thehunter.clan.su
Port:
21
Username:
6thehunter
Password:
andrey2519

Targets

- Target
  
  1c880eb8aaa88d35804cdc00ec1ad6be_JaffaCakes118
- Size
  
  445KB
- MD5
  
  1c880eb8aaa88d35804cdc00ec1ad6be
- SHA1
  
  68a06e660e9d7451dc15cf1eda8f4ab45e2930f9
- SHA256
  
  84466b849c2ee067c513dadc5a23951636b3abd8b41f0e9d7bbcf974a4fe1446
- SHA512
  
  b7a39eb3f434e86000875051a310fbaa2a41ec37d1cb3221ca5e7fc2d61ed85f6235e3952d71b1edb707699202b195cb14d8fa2257d2ff5dea635cd8e66cecda
- SSDEEP
  
  12288:M+9SmNgYpiqMQuUadfdtTtcmeL71EQPxEvMCMUW:MIqYpPM5UadrTtctJSMCMUW
Score

10^/10

xorist bootkit discovery persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Renames multiple (2135) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2