aa5889a3857f90179a40a1c61635c43f0d7133d18eab9c564d36d075e355de43

Sharing

Copy URL

Twitter E-mail

General

Target

Use_50505_As_Passw0rd.rar
Size

1.5MB
Sample

221226-y4nlrsdg47
MD5

eb448a6e6f0ad5d08bac4ef38278aa36
SHA1

f3c92f9459f56e9db825721e25b8df076c37f0d1
SHA256

aa5889a3857f90179a40a1c61635c43f0d7133d18eab9c564d36d075e355de43
SHA512

a2e80829c78a204eff594ca01c413c3b65d3cebad772512e8e308f1d4623301511795670c385d0aee741a6d14bca6e5b0c8592bf3643288e381f9fd39bff1551
SSDEEP

24576:MbUtT8g9bPtJKf6cssILnoBvL5ov+wphRE7GBppg+NAPC0MdyYKF7H:MbcTtJt8fYsEoBD53dGBnpAPSdfU7H

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.11 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar. It is allowed to use wildcards in the source and destination names for simple name transformations

Emails

[email protected]

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures. 25. Bugs fixed: a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile; b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options; c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding. Version 6.02 1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue. 2. WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attack is only possible if the intruder has managed to spoof or otherwise control user's DNS records. Some other factors are also involved in limiting the practical application of this attack. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention. 3. Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system. For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process. In the past this extended error information was available in WinRAR, but not in SFX archives. 4. Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed. 5. If -ibck -ri<priority> switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch. 6. When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later. 7. Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords. 8. Bugs fixed: a) "Convert archives" command issued erroneous "The specified password is incorrect" message after succesfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell; b) if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly. Version 6.01 1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment window. 2. If -idn switch is used together with -t or -df in console RAR when archiving, it additionally disables "Deleting <filename>" or "Testing <filename>" messages, normally issued by these switches. Also -idn disables folder creation messages when extracting a file to non-existing folder. 3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX archives if ZIP central directory is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into signature body. 4. Bugs fixed: a) "Convert archives" command could incorrectly convert Unicode comments in RAR archives. b) if two archive information windows had been opened from Explorer context menu, the compression ratio bar in the first window could erroneously display a value for second archive. It did not affect the ratio and other text details at the right of window. Only the vertical bar at the left could be updated to a wrong value; c) if "Wait if other WinRAR copies are active" option was enabled in extraction dialog, "Waiting for another WinRAR copy" title was not set in command progress window while waiting; d) when extracting a symbolic link, previous versions did not overwrite existing symbolic links even if user requested it in overwrite prompt. Version 6.00 1. "Ignore" and "Ignore All" options are added to read error prompt. "Ignore" allows to continue processing with already read file part only and "Ignore All" does it for all future read errors. For example, if you archive a file, which portion is locked by another process, and if "Ignore" is selected in read error prompt, only a part of file preceding the unreadable region will be saved into archive. It can help to avoid interrupting lengthy archiving operations, though be aware that files archived with "Ignore" are incomplete. If switch -y is specified, "Ignore" is applied to all files by default. Previously available "Retry" and "Quit" options are still present in read error prompt as well. 2. Exit code 12 is returned in the command line mode in case of read errors. This code is returned for all options in the read error prompt, including a newly introduced "Ignore" option. Previously more common fatal error code 2 was returned for read errors. 3. If several archives are selected, "Extract archives to" option group in "Options" page of extraction dialog can be used to place extracted files to specified destination folder, to separate subfolders in destination folder, to separate subfolders in archive folders and directly to archive folders. It replaces "Extract archives to subfolders" option and available only if multiple archives are selected. 4. New -ad2 switch places extracted files directly to archive's own folder. Unlike -ad1, it does not create a separate subfolder for each unpacked archive. 5. "Additional switches" option in "Options" page of archiving and extraction dialogs allows to specify WinRAR command line switches. It might be useful if there is no option in WinRAR graphical interface matching a switch. Use this feature only if you are familiar with WinRAR command line syntax and clearly understand what specified switches are intended for. 6. Compression parameters in "Benchmark" command are changed to 32 MB dictionary and "Normal" method. They match RAR5 default mode and more suitable to estimate the typical performance of recent WinRAR versions than former 4 MB "Best" intended for RAR4 format. Latest "Benchmark" results cannot be compared with previous versions directly. New parameters set produces different values, likely lower because of eight times larger dictionary size. 7. When unpacking a part of files from solid volume set, WinRAR attempts to skip volumes in the beginning and

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Targets

- Target
  
  Use_50505_As_Passw0rd.rar
- Size
  
  1.5MB
- MD5
  
  eb448a6e6f0ad5d08bac4ef38278aa36
- SHA1
  
  f3c92f9459f56e9db825721e25b8df076c37f0d1
- SHA256
  
  aa5889a3857f90179a40a1c61635c43f0d7133d18eab9c564d36d075e355de43
- SHA512
  
  a2e80829c78a204eff594ca01c413c3b65d3cebad772512e8e308f1d4623301511795670c385d0aee741a6d14bca6e5b0c8592bf3643288e381f9fd39bff1551
- SSDEEP
  
  24576:MbUtT8g9bPtJKf6cssILnoBvL5ov+wphRE7GBppg+NAPC0MdyYKF7H:MbcTtJt8fYsEoBD53dGBnpAPSdfU7H
Score

10^/10

discovery persistence ransomware
- Modifies system executable filetype association
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  Setup.exe
- Size
  
  413.9MB
- MD5
  
  af15e6423b24652d4a41311e26b96f28
- SHA1
  
  585757a832d6e923ea3fc7051eb7412b62c34ad6
- SHA256
  
  2727709123d4fd26090c227402a09e5779cec516d615d27e02faf1f346c9d895
- SHA512
  
  bc666bd4fecb39590c199b933e7dfec345a01e5db44a8c8e636d7727378b6471a00e14f3c81d93bb82e22aea695bf71acae6f576e77b370f620dc290aed6075b
- SSDEEP
  
  24576:PnP39FKtLH3nq6WEs6dW8VX5+nfO5dTzNYMhSl4:vP3cuo1SfO5hzxhSl4
Score

5^/10
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  langs/Croatian.ini
- Size
  
  105KB
- MD5
  
  8477123868f12632d652c6da5df683c2
- SHA1
  
  23dbeba17e366e1bb5e7d7be156a9be309c9555d
- SHA256
  
  5bf2b70edb78073f3ce4fe6d809a3a25c982cb2840b8ebaf4367ebc42f16bd3e
- SHA512
  
  b785f8d680f22211c01cfa59cdf86f1bfdeca0446c1c26fc2c144e3018773d22e4050c95cd513d60df9b226df31dc504b5059db168977b3949dbcc428a7ff30d
- SSDEEP
  
  768:w0VnpiuM0pY1HIlw1VoIGRweBLUab7Fno8wBtA1yR4IY52t9RM8wE4c+Tyb3TRr2:VdpiuM0pY1olaEZLUYg4c+7wvO60ll
Score

1^/10
behavioral3
- Target
  
  langs/Danish.ini
- Size
  
  107KB
- MD5
  
  5f50b22de0efb245cd3b8f2fb50a6d3d
- SHA1
  
  be369ffd0c47ff92b3aa5c259ab9f4d40807b687
- SHA256
  
  59df77a75aca7c0a8574f6d4b5be5632908c4fea8634f4748e36ff6fee40e317
- SHA512
  
  f3fec19409ea564bd68f4bd1253297ed8bcbe86554422a22891c61ee237f581f95f6976512e53bcabc5cafe3411343e660d3fb8f398f95f9c1efcec8eaa4367a
- SSDEEP
  
  1536:gmGRkLzUJnbfeKzcqt5G+qX59CcZEY9dHbm/c4C1CgqfRG:gmGRbnbfNRt5G+qX59CcNdX47G
Score

1^/10
behavioral4
- Target
  
  langs/English.ini
- Size
  
  107KB
- MD5
  
  525ce1c02ca53f9c63cb697ed3aae899
- SHA1
  
  9ddc2763d9dd663f3cb0febf0d580e21c52c2f18
- SHA256
  
  0f9d467f6bb6f682c0d1351b26038950c73720f2bfc0741ec1c7bfab2046d75f
- SHA512
  
  734d599d839b1266c42f340e044243ae30d1859d314eed7738f72f59201d19359f1ac6ee0cac8bfef4a0a2b8f2232a4f1f33336770c8c43f929c1bef162d2317
- SSDEEP
  
  1536:5S5Ybl8/lKlXiF3y24FMuRvV5I7BohUT1:xxXiVQV5uJ1
Score

1^/10
behavioral5
- Target
  
  langs/Finnish.ini
- Size
  
  106KB
- MD5
  
  09abf1d7277a388b362c7c94012c9655
- SHA1
  
  85b3a52814c0a4bc9b0c39550e920340f4fb2ac2
- SHA256
  
  eb6cd045c3899f7ca4a7ecd4e8211478720206b3e607ab21c22e164f4c684510
- SHA512
  
  c531f18b5516a5cd32733bd2c00be746d580805a1178971ac57316befcdd0216e906e2283690157c622f217743a10d09e1e78b82558301a95aeb80f2278d4cb0
- SSDEEP
  
  1536:+0X4yMypD2b6/lXRYpc1maOK+RJh5enKT2e2ULv387G:fMyYL5/fgG2e2UL4G
Score

1^/10
behavioral6
- Target
  
  langs/Hebrew.ini
- Size
  
  97KB
- MD5
  
  dbf6973ac46a0adcae8500a16cce4e48
- SHA1
  
  eae986788b33ad048f08ba722fd4eb7354212e63
- SHA256
  
  42ba655e5b635698995a588f4dd39147be867a0c4b45fd49edc65982b12b9531
- SHA512
  
  7a59fe15ac9c10caf3b3abed60201f008583684dfa476cbb9f8ad4c3f5e93d34f31dec859019f1f36d92129b2298272df5eec15be59e367cdcb77d5e89b46549
- SSDEEP
  
  768:w2kJwh+FrSb7UJTvsjkhsRGn6PqwKJTDv69ZUtiGn5Eq5lBQAjV8WEdtWfSZu/JR:zkJwh+FrScvs6Eq5uWpfSZ6KlThAd+C
Score

1^/10
behavioral7
- Target
  
  langs/Hungarian.ini
- Size
  
  107KB
- MD5
  
  7591df7fae4342cbc7a0706e1b28e87b
- SHA1
  
  825e88ad498e8713522f5aef3b21ee01d6fa8b41
- SHA256
  
  fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d
- SHA512
  
  8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4
- SSDEEP
  
  3072:UaKBsDgGod8NAH4iyf8kXrLfKgL6YhL+L3yGU:73X
Score

1^/10
behavioral8
- Target
  
  langs/Indonesian.ini
- Size
  
  105KB
- MD5
  
  d944d8a3551719a176db4da31733ab75
- SHA1
  
  6cf51cb43dbd7ca84334389076adbabe407d95b8
- SHA256
  
  9e52e0b1f7ec39a36e2edd0231dc98865de8524a651fcf6b1b948a575e35fd0f
- SHA512
  
  b9077bdeb69e07894c995bd519ebab594016c8077a213b29264a8040370c9841f1ad6dada2d0af595a596a3875f9c9989dc30af8e7c7b981b420cf1382d5c9a6
- SSDEEP
  
  768:wbWt5bTJA+NtkooQG+Wioa6lBT8IwUzCc0qfcLVUWf1RzVARBBfxP7KLVoeY4z9v:9bT+atkwR2AIheY4pMOy0F8gx
Score

1^/10
behavioral9
- Target
  
  langs/Japanese.ini
- Size
  
  91KB
- MD5
  
  36d47bfae8d0d48d56b7b1feb3b317e7
- SHA1
  
  1d8d59aa40f765319fcb70a9f49e997aca305b89
- SHA256
  
  9077b41d743ed6af51cd9b8aedaebb6d1e0e6217825635a1aa9451994efaff0f
- SHA512
  
  b510a5b17e52778b87f58aaa61f222f11c6190a988440789d1d40591aebdcc7311f7bb3bee9621ab8d971dc2de1ec6ed4d52598b3808dd689f693c3e5897f938
- SSDEEP
  
  768:wPZoCIywqTgXCaNnWYjV6UDFlv0Gaf9xS7ua6PE0FtrqGv0ZQkxKQRTM94DGNWdN:1CIywqTKnWKV5GAQkxHKUfxJYNeNx
Score

1^/10
behavioral10
- Target
  
  langs/Kazakh.ini
- Size
  
  105KB
- MD5
  
  fe2b5687f2de60cb55629fd7f0ca9a21
- SHA1
  
  5299f36a7b8c5a0b59e3603b8517cb1b3e0f2160
- SHA256
  
  1fde00989b3baeb67e6b1f8654cd2fc7216a40a4c5a5a9a64d03d47ee95e76be
- SHA512
  
  ebda06bfb42a56ed71915a1f42d84edb795927697eae51fa98bcdbac76ce6dd224c7e7610743050f45649f2d756aea82e47af3ef6ad929ddc9593d8044e3334d
- SSDEEP
  
  1536:UdBOtqJCnhr189gDXrbF3h14FMuRv5RI7EhUv1:isH/VG5Rm1
Score

1^/10
behavioral11
- Target
  
  langs/Korean.ini
- Size
  
  91KB
- MD5
  
  efae0c78be2abe2920c78b9d4785ab45
- SHA1
  
  8c0799fb68852cb071bbe260deb4ab357bd5f4ed
- SHA256
  
  ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132
- SHA512
  
  44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8
- SSDEEP
  
  768:wPYhkzQl6qE7rY+xuPAsyKVmq8Ag8lyWqFk5ziCfsg8S+EZNlWJ7lxyBiCWfbMav:HSzQlc7siCmq8AFlBmLfbNA2Nt7osVP
Score

1^/10
behavioral12
- Target
  
  langs/Kurdish.ini
- Size
  
  106KB
- MD5
  
  af61b416403963d653f5008aaba82e03
- SHA1
  
  b1ab14d6ee43e1230cfcc5acfc4de27ab2a6f6b3
- SHA256
  
  94ac43cb7eb95277db44616a53b23e9174415377b4b3b98a1bdfc98d06a40a4b
- SHA512
  
  a65a21d5d9f7085acf0a96701d4577bf5fbfc0ebcb4f188ff39139b135570f95d76677e6470261aef022b75378898342ab3105704228029f90b8998f414603ab
- SSDEEP
  
  1536:rESqStTfwl/lmie4rC3DA3f1wjF7af0/KkmwL3mnJ/6BD1I:lbTNC
Score

1^/10
behavioral13
- Target
  
  langs/Norwegian.ini
- Size
  
  104KB
- MD5
  
  5cf9c294bd9d233d95e54e198bd8b4ab
- SHA1
  
  670de196a831bc9b0d503694b594524ccfb77b04
- SHA256
  
  1c99b7b06af0d5ac5582f00447fbe04e2325e173666cba8ce2d18678f7b31e3b
- SHA512
  
  bea2be5e1dab1854cbb83fc221f392793aa7b67a1ba1ee521c4ad0aaea671bbbda868d57b3b226cc713eaf9f90bd9fc05b3166353d78c532a43111349159ac7c
- SSDEEP
  
  3072:/Tu1PWiYzr8Z2GIBpLkQXtgpE7ZrB2kyC+3HX:0
Score

1^/10
behavioral14
- Target
  
  langs/SimpChinese.ini
- Size
  
  86KB
- MD5
  
  7aad044a68d89d8bb5a202f8bc69d87c
- SHA1
  
  e20ca69d6f4d1612dc4457612a4b5e4808470bf3
- SHA256
  
  1bfa864f7012e64f5c1656fc5636ea29e87e2a45b5eb2c31a3b20643fdd8ad4d
- SHA512
  
  1fe22968bcba141229d8a4d36f8a7d300e44e76ea701d6a07430854567d15c8b8ebaaacb646d038a89273414c5b2a48562407ca31ac9c75e1e22fece73686625
- SSDEEP
  
  1536:SXm7cLrzWFubvgkOvAbGCgjhRrERD+0xs3sqPHGUt471J2BZIn:8FKNPHGVt
Score

1^/10
behavioral15
- Target
  
  langs/Sinhala.ini
- Size
  
  106KB
- MD5
  
  318ee9a93c4620940f88052b904f05ce
- SHA1
  
  a5574f778537ce085d53c3fc52299b3049da2371
- SHA256
  
  b6fad3bf2adba7c77641ee1a17ff4cd9e5e9b14bac1b855346c91a286e517504
- SHA512
  
  054c1e0322a170b83273a5c253eeb9ffc107056c555ca470d19dbdefc7d68c822d67576fd9333cf5b17357878dc6147a3d1367219db48b2b10e9bd915e806e52
- SSDEEP
  
  1536:Run1VCXWZTr/lOPoMHjYMgr5xU1Jdr/pSnE8EtwO5vrzAKnUs2:RungtoMHjYMgrgJqE8EqOxzus2
Score

1^/10
behavioral16
- Target
  
  langs/Slovak.ini
- Size
  
  109KB
- MD5
  
  fcba4d2df72a46575ca828c807224431
- SHA1
  
  265e34f895f4b2fbe98a39b960c385be7309dfaa
- SHA256
  
  b5b2f7fc1c62f1c8161ec59af79cf5e8f12cb0070264703087dcc5cb58e7352a
- SHA512
  
  6edf1e1484225455b76a1deb6c9f02857433a941bc0aececb916f0aede4398a4f22e70e9c152bd6a78ba2f02f11237a6ee92fb05b21374d250f680b56c6a5cc1
- SSDEEP
  
  3072:2ykd4BlB1wCoG9Yhgt8VQcGlW2Jw/6ro5pw9v6Nv83diJoTNfaRlnCoUjZ5bYtZr:P1wCnyNYpCaAWK
Score

1^/10
behavioral17
- Target
  
  langs/Swedish.ini
- Size
  
  104KB
- MD5
  
  d0280eb9ebf7e5f9b91dc0e405bd7178
- SHA1
  
  e0425673213109f140f8f9b7474029a0326cdab4
- SHA256
  
  f1ee3b2de54ee588813a7dbffca7e7607bbb769c763cdf73ccd600e06346fe1d
- SHA512
  
  0102a9b215d169b5cad039bbf80ef9882ad6eea7933ccb47e6ac204451456c50baabaeca43dd477a36d2db3eda317f4d59979e5387e169fbedf1c13494dc87e2
- SSDEEP
  
  3072:lMgTj95UgiNg1TdyjQxx3Ho7wAM65CB9mptXse6/3/GbBJsXdFg9FNX:w
Score

1^/10
behavioral18
- Target
  
  langs/Thai.ini
- Size
  
  103KB
- MD5
  
  b193d9eacf4afac3199e11b4f4cb6572
- SHA1
  
  9b3f47c3674b11e16df5ba6d5d29d2698a3e1694
- SHA256
  
  172276c875a496c173b349e24f7dec66ddda24f6a424120a13de73ef5e70ba07
- SHA512
  
  11a6971e4ba3c03822de4a46bd9854f2a1525b5380000afac9eddb5d644ba4af0308454413016c859960ce4cf49efe0dbea4a59651b6127d643d1c7eaec34f32
- SSDEEP
  
  1536:5fJMD1fKNP5/l3X8vruiFDKn+0PRs5jWY+APLR2lw:xy
Score

1^/10
behavioral19
- Target
  
  langs/TradChinese.ini
- Size
  
  85KB
- MD5
  
  dc01555f89e044192a9ad584b62e41a7
- SHA1
  
  e830a3012e610b2c8775c993ff504f6f3e5628ee
- SHA256
  
  eb8fc39f2551834010f3748d81e5f842a1b4e27adb87e425b764bb9152b55cb1
- SHA512
  
  954582efc17a2ffb29ba462d3d670576682211066a67de11daae4e5b2f283e055bb3119ce6aab1f40fbf8e629d7e0562c5059455ae420741558484f3c464bcca
- SSDEEP
  
  768:wRZh4e4gX/LtXW2DhVaajeVbWFcqnxCjDvUkkIRNQz+q8wbXrFtUkFhBaQagVQlz:yZGgX/LtXW2Dhk1bWF5dhBa00uZNfsi+
Score

1^/10
behavioral20
- Target
  
  langs/Ukrainian.ini
- Size
  
  106KB
- MD5
  
  9482109e20bf801180bbe11e0603c972
- SHA1
  
  bafe4b7daa5529a5bd7b708482cfcdab95273959
- SHA256
  
  f1f0c46ed4c136149fd57d9cae512242a023e14dd13d7c633bb4f7bf9ed71343
- SHA512
  
  b06df7881df5f79fd246e4c95edbe8c2072dbb9a6a02a7f66886b1a41c6928cf9b7d544b0c238ff2ddcb77fdb7f9ed8764ecd32fb46aa05f7bc6a5e167fded1e
- SSDEEP
  
  1536:iziJtNQr3yk2oKLNzPOcGC+Be6fJzFmXZ:sPcGC+Be6fO
Score

1^/10
behavioral21
- Target
  
  langs/UyghurLatin.ini
- Size
  
  108KB
- MD5
  
  98eb38cef87e8fa6e6d2619577d4265f
- SHA1
  
  205d6e9147c1f935612423bb9716fa402efa3e57
- SHA256
  
  d517f3322a43292dbb241597353ad01013ee3be86d666c83d87c0eda4f56f926
- SHA512
  
  4e85b523bd819d41ab1032534ef1ca38e841a0d80c2fc672b21a9f2dfa846384ccedd4cea9745ef7ccf127c98378bba913057b0dd716fd620e4a7d2bcf9e75ae
- SSDEEP
  
  1536:mJ05+SP/l0iI5XYIUicOFCWsvzqUSS0XZqISnFhKoMfyLd9:dI5oEcOAqUSS0XZqIWMfyLd9
Score

1^/10
behavioral22
- Target
  
  langs/Uzbek.ini
- Size
  
  77KB
- MD5
  
  29dc4e77b361bbce2780610edf092861
- SHA1
  
  5edc783102a4f213e876d70599e0155387ca7429
- SHA256
  
  af11b0cbdcb67ddc024272d45d098cf1da8a21661fe9f6fb7a0239d0c6684531
- SHA512
  
  ad87a926748c607773dad37b1a9fcdd47a87dde0defb36aadf6c8b043561e57b5c420e517d7ae3283f098b661c49e5d8a3ae6f3a348824780ef9d5435be828a9
- SSDEEP
  
  768:wR2Wh/kX5yUYBW0nbEwiW8S9LZU0xqXKhTVT2EogXcZILi2LAUTVxlWRumLFE0DZ:DcBW0nbEnMUMlWRRr+Wntr
Score

1^/10
behavioral23
- Target
  
  langs/Vietnamese.ini
- Size
  
  105KB
- MD5
  
  9ee05121e1a02efeec015669d96161eb
- SHA1
  
  28d253a23000f4ca1cba851410cec9b1b02b52c0
- SHA256
  
  7b939fb24a88a01b1e45b37427dccb8a319cead04fd012136551f36b4363e887
- SHA512
  
  0f31ccc9b86661ca679258b309ab846608145c8366225e95aa61691c5b42323a50a1631f645ab58483dcf26331239b677e97d04106029c67aa3c67367fbfbca6
- SSDEEP
  
  768:wVna1qkfNk1220z8aypq/EJDPU35BL8kDgavFij+I7Cs3L+LnL80Tj3DSHPoH1ag:5qkf+12SFU/bnP3DSE1swQg5
Score

1^/10
behavioral24

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

Score

N/A

behavioral1

discoverypersistenceransomware

Score

10^/10

Sharing

General

Malware Config

Extracted

Extracted

Targets

Modifies system executable filetype association

Downloads MZ/PE file

Executes dropped EXE

Registers COM server for autorun

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24