{
	"id": "ac1d585f-7496-4d6f-ab11-8fdfd8342305",
	"created_at": "2026-04-06T00:07:52.612431Z",
	"updated_at": "2026-04-10T03:20:51.74796Z",
	"deleted_at": null,
	"sha1_hash": "ebf1a973ef2c65bc8adb22b6a4474e9524a94305",
	"title": "Exorcist Ransomware — From triaging to deep dive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10848703,
	"plain_text": "Exorcist Ransomware — From triaging to deep dive\r\nBy Leandro Velasco\r\nPublished: 2020-07-24 · Archived: 2026-04-05 14:46:55 UTC\r\nTL;DR\r\nOn Monday 20th, while hunting for some REvil samples, I stumbled upon a newly introduced ransomware-as-a-service called Exorcist. This ransomware is distributed via Pastebin, embedded in a PowerShell script that loads it directly in memory. This script is based on the “Invoke-ReflectivePEInjection.ps1” script by Joe Bialek (@JosephBialek), but it is optimised with an additional function to pass a base64-encoded executable to the main function. This PowerShell script is possibly generated using the Empire framework. The same technique is used by some of the Sodinokibi/REvil affiliates, and in the past by Buran.\r\nThe ransomware is not obfuscated and the majority of the strings are stored in plaintext in the “.rdata” section of the executable. The first thing the malware does is check the geolocation of the system using the language and the keyboard layout. If the result matches one of the Commonwealth of Independent States (CIS) it quits on the spot. Then the ransomware executes a series of commands to disable and remove backups and to kill processes that might interfere with the encryption of the system. Once it is done with the commands, it writes the RSA public key, the session private key and the extension to disk. This information is not written into a file in a straightforward manner; instead it is written into different Alternate Data Streams of the file “%temp%\\\\boot.sys”. Then it extracts information from the system such as username, hostname, OS version, keyboard layout, etc. and sends it via HTTP to the server “http://217.8.117[.]26/gateinfo”. Next it gets the number of CPUs on the system and starts multiple threads to encrypt the files on the system. Some directories and file extensions are excluded to avoid rendering the system unusable. Once done with the encryption, another HTTP packet is sent to the same server, this time to the URL “http://217.8.117[.]26/gatedrivers”. Lastly, the wallpaper of the system is changed and the ransom notes are dropped in the form of HTA scripts with the naming convention “\u003cextension\u003e-decrypt.hta”. In these notes we can find the instructions to recover the system, which consist of the URLs “http://217.8.117[.]26/pay” and “http://4dnd3utjsmm2zcsb[.]onion/pay”, and the “Authorization Key”.\r\nExorcist Ransom Note\r\nThis information will be needed to “sign in” to the payment portal shown in the following screenshot:\r\nFor the IOCs go to the bottom of the page =D\r\nExorcist Ransomware Triaging\r\nOnce the payload (base64 encoded) is extracted from the PowerShell loader, we get a PE32 executable. From a quick scan of the file using Assemblyline we get the following interesting insights:\r\nSo at a first glance we can see that some well-known executable names are extracted, normally seen in ransomware and coin miners either to stop processes that would otherwise block access to the files that will be encrypted or to free resources to mine more effectively.\r\nBased on the API names extracted from the sample we can say it has some network capabilities as well as some cryptography ones. This is looking more and more like ransomware!\r\nLastly, we see there is a URL extracted from the sample: “http://217.8.117[.]26/pay”. If we check what we find on that website (in a secure manner ;) ) we see the following:\r\nOur suspicion was correct, it was ransomware after all!! But what else does this ransomware do? Let’s take a look at its capabilities using the newest tool from FireEye, capa.\r\nSo, it seems that this ransomware does indeed send data via HTTP and performs some checks on the system so as not to run in the wrong country ;). Now we are ready for a more serious deep dive!\r\nExorcist Ransomware Deep Dive\r\nNow it is time to get into the details of this malware. First we are going to take a look at the file from a static point of view by analysing its strings, API calls, and code. Then, to complete our analysis and better understand the inner workings of the malware, we are going to study it from a dynamic point of view.\r\nStatic analysis\r\nLoading the executable in PEstudio helps us to confirm some of the hypotheses we made during the triage and also shows us some interesting aspects of the sample that we haven’t seen so far.\r\nSo, some quick takeaways from the analysis so far:\r\n1. The sample does not obfuscate strings.\r\n2. It will exclude the given directories and the files with the extensions shown above so as not to render the system unusable.\r\n3. As expected, the ransomware will get rid of the shadow copies of the files to prevent easy restoration of files.\r\n4. It will most likely attempt to stop the processes in a predefined list.\r\nLet’s get our hands dirty and look at the code to discover some more capabilities of this ransomware. For this we are going to load the sample into the free version of IDA.\r\nSo, one of the first things it does is create a mutex to avoid running multiple times on the system. Let’s check what else we find next to the hardcoded mutex string.\r\nHere we can see some interesting strings that we had overlooked before. It seems that some countries are listed, most likely used together with the “get keyboard layout” capability seen before to decide whether this sample should run or quit. Let’s confirm this theory!\r\nThe ransomware uses the APIs “GetLocaleInfo” and “GetKeyboardLayoutList” to determine the geolocation of the system and check whether it should continue running or not. Let’s verify another hypothesis we had. Does the ransomware kill the processes displayed in the strings before it starts encrypting? For this we are going to pivot from the unobfuscated strings to the code.\r\nFrom analysing the routine we see that it is divided into two main sections: the first one runs a set of predefined commands to disable and remove shadow copies and backups, and the second one goes through the list of processes and calls “taskkill” for each of them.\r\nAnother way to browse through the code is to use the IDA feature “Xrefs from” graph. This is possible because the sample is not obfuscated and the Windows API calls are referenced explicitly. Using this tool we can guide our analysis by following the Windows API calls of interest.\r\nWell… I said we could use it, not that it was small or easy ;). However, if we zoom into it, we can get a good understanding of the different functions and a gist of their purpose. For example:\r\nHere we see the “ShellExecuteW” API call (always interesting to see what the sample might try to execute) being called right before exiting. If we go to where it is called, we end up in the following routine:\r\nThe routine consists of calling the API “GetModuleFileName” with “hModule” NULL to get the path of the executable file of the current process. Then it prepares a command line that would look like “cmd.exe open \u003cexecutable path\u003e /C timeout /T /NOBREAK \u0026\u0026 del” \u003cexecutable path\u003e\\” /F”, executes the command and then exits.\r\nBy looking at the xref graph we also notice some classic Windows API calls used to send HTTP packets over the network. If we follow the references we find the following routine:\r\nBy exploring this routine, we see that a POST request is made. But now the question is what information is being sent. In the next section we are going to find out exactly what is sent via the HTTP POST request.\r\nIn order to fast-forward the analysis, confirm some hypotheses, and discover new functionality, we will start the sample in the x32/x64 debugger while having Procmon and FakeNet running next to it to get more insights.\r\nDynamic analysis\r\nNow that our ransomware is running in a controlled environment we can see in more detail how the different commands are run and the processes are killed by it.\r\nLet’s continue where we left off, trying to understand what is sent to the server over an HTTP POST request. In the following screenshot we can see how the IP and port are decoded from the string stored in the “.rdata” section of the executable.\r\nOnce it has that information the malware will start preparing the request. This means setting up the headers and the content that will be sent. Once done it will call the API “HttpSendRequest” to send the HTTP request. Using FakeNet we received that request and responded with a fake site to emulate the “C2”.\r\nAs the picture shows, the ransomware sends a big base64-encoded blob to the C2 server at “http://217.8.117[.]26/gateinfo”. But where is this information coming from? For this we need to go back to the code and analyse what happened so far.\r\nIn this function we see that there is a template for a JSON document, where some details about the system are gathered and later appended to the JSON template string. Examples of details that are gathered include, but are not limited to:\r\nGetCurrentHwProfileA\r\nGen_token (some crypto API calls are involved)\r\nQuery the registry key “SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion”\r\nGetUsername\r\nGetComputername\r\nGetLocale\r\nEtc.\r\nOnce it has finished querying the system it generates a JSON document that looks as follows:\r\nAfter the information is gathered, we see that some encryption is initialised (creating encryption keys, specifying algorithms, etc.), but some of the information used is queried from a file that was written to “%temp%\\\\boot.sys” in an earlier stage. The most interesting aspect of this is that the information is not read from the file itself; instead it queries the file using the convention “filename.ext:string”. This means that this ransomware is using Alternate Data Streams to hide information. Using the ADS-spy tool we can inspect the content that is being read by the malware.\r\nHidden in this file we can find the generated unique extension, the RSA public key, and the private session key. Once these values are retrieved the encryption of the JSON string takes place.\r\nThe JSON string is encrypted with AES-CBC and the symmetric key is encrypted with the public RSA key. In the following screenshot we can see the JSON string in plaintext and then encrypted.\r\nAfter encryption, the JSON is base64-encoded and then added to the HTTP POST request as already shown.\r\nWhat about the file encryption? After all, this is ransomware, right? So once the first beacon is sent to the server, the ransomware starts the file encryption in a multithreaded fashion. This can be seen in the following screenshots:\r\nOnce it has finished it sends yet another beacon with data to the server, but this time to “http://217.8.117[.]26/gatedrivers”. In the following picture we can find an example of a ransom note that is left in every directory. The naming convention for them is “\u003cextension\u003e-decrypt.hta”.\r\nSo this will be all for now; there are quite a few more interesting aspects to research, like how the file encryption is performed at a cryptographic level, how some of the other interesting strings (powershell get host by address) are used, whether this ransomware implements persistence mechanisms, etc. Feel free to contact me with comments and questions. Constructive feedback is always welcome!\r\nIOCs\r\nURLs:\r\nhttp://217.8.117[.]26/pay\r\nhttp://217.8.117[.]26/gateinfo\r\nhttp://217.8.117[.]26/gatedrivers\r\nhttp://4dnd3utjsmm2zcsb[.]onion/pay\r\nIPs:\r\n217.8.117[.]26\r\nAcknowledgements:\r\nSpecial thanks to @rikvduijn and @ValthekOn for helping me figure some of the details out and my team at @kpnsecurity for supporting my crazy projects and reviewing this writeup =D\r\nSource: https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81"
	],
	"report_names": [
		"exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81"
	],
	"threat_actors": [],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebf1a973ef2c65bc8adb22b6a4474e9524a94305.pdf",
		"text": "https://archive.orkl.eu/ebf1a973ef2c65bc8adb22b6a4474e9524a94305.txt",
		"img": "https://archive.orkl.eu/ebf1a973ef2c65bc8adb22b6a4474e9524a94305.jpg"
	}
}