RSA-NI Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Popularity Rank: 2,736
Threat Level: 80 % (High)
Infected Computers: 2,052
First Seen: October 28, 2022
Last Seen: February 3, 2026
OS(es) Affected: Windows

The RSA-NI Ransomware is an encryption ransomware Trojan that seems to be related to the AES-NI Ransomware, a ransomware Trojan released in April 2017. The RSA-NI Ransomware was released in early December 2017 and uses a slight variation of its predecessor's code. The most common way in which the RSA-NI Ransomware is delivered to victims is through corrupted email attachments whose malicious macro scripts download and install the RSA-NI Ransomware onto the victims' computers.

How the RSA-NI Ransomware Attack Works

The RSA-NI Ransomware tactic itself is not difficult to understand. The purpose of the RSA-NI Ransomware, just like that of other encryption ransomware Trojans, is to make the victim's files inaccessible by using a combination of AES and RSA encryption. Ransomware threats like the RSA-NI Ransomware demand the payment of a ransom from the victim, usually by displaying a ransom note on the affected computer once the victim's files have been compromised. The RSA-NI Ransomware targets a wide variety of file types in its attack, which may include the following:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

Once the RSA-NI Ransomware enciphers the files, they are not recoverable with current technology. Apart from encrypting the victim's files, the RSA-NI Ransomware modifies their names by appending the extension '.0x720x730x610x30@tutanota.com' to the name of each affected file. This seems to be the email address that the victims are urged to use to contact the people responsible for the RSA-NI Ransomware attack. PC security researchers counsel computer users against establishing contact with the people responsible for the RSA-NI Ransomware attack.

The Threat Contained on the RSA-NI Ransomware Ransom Note

The RSA-NI Ransomware delivers a ransom note demanding the payment of a ransom. It is delivered in the form of a text file named 'Attention!!! Your data breaches!!!.txt,' which is dropped on the infected computer system's desktop. The full text of the RSA-NI Ransomware ransom note reads:

'=========# the RSA-NI Ransomware #========
IMPORTANT: [EDITED] and [EDITED]
We hacked your server and copied your important data.
Please write us to the e-mail in 24 hours 0x720x730x610x30@tutanota.com 0x720x730x610x31@tutanota.com
After payment, Your data will be destroyed, Otherwise your data will be leaked to the public.
=========# the RSA-NI Ransomware #========'

Victims of the attack are directed to write to the cybercrooks quoting a specific ID number and are then urged to pay a ransom in Bitcoin. The email addresses that have been linked to the RSA-NI Ransomware and its variants are:

0xc030@protonmail.ch
0xc030@tuta.io
aes-ni@scryptmail.com
0x720x730x610x31@tutanota.com

Although the exact amount of the RSA-NI Ransomware ransom is currently unknown, attacks of this kind demand a ransom between 500 and 2000 USD. Malware experts strongly advise computer users against paying the RSA-NI Ransomware ransom or contacting the people responsible for these attacks. Instead of paying the RSA-NI Ransomware's ransom, it is preferable to recover the affected files from a backup copy. This is why having file backups is so important; backup copies of your files are the best precaution against the RSA-NI Ransomware and other ransomware Trojans.
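As an added triage example (not code from the original page and not part of the malware), the following Python script sweeps a directory tree for the two file-system indicators described above: the appended '.0x720x730x610x30@tutanota.com' extension and the 'Attention!!! Your data breaches!!!.txt' note, recovering each marked file's original name. The sample directory it builds is constructed for the demonstration, and the target-extension subset is assumed from the list above.

```python
"""Sweep a directory tree for RSA-NI Ransomware file-system indicators.

Added example: the marker extension and note name come from the write-up
above; the sample tree built by build_sample_tree() is constructed here.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Indicators taken from the write-up above.
MARKER_EXT = ".0x720x730x610x30@tutanota.com"
RANSOM_NOTE = "Attention!!! Your data breaches!!!.txt"

# Assumed subset of the target file types listed above (the page's list is longer).
TARGETED_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".sql",
                 ".db", ".zip", ".txt", ".mdb", ".psd"}


@dataclass
class SweepResult:
    encrypted: list = field(default_factory=list)   # (path, original file name)
    notes: list = field(default_factory=list)       # ransom note paths
    by_original_ext: Counter = field(default_factory=Counter)

    def verdict(self):
        """Plain-language triage outcome for the tree that was swept."""
        if self.encrypted and self.notes:
            return "rsa-ni indicators: marked files and ransom note present"
        if self.encrypted:
            return "rsa-ni indicators: marked files only"
        if self.notes:
            return "rsa-ni indicators: ransom note only"
        return "no rsa-ni indicators"


def original_name(name):
    """Return the pre-encryption file name, or None if the name is not marked."""
    if name.endswith(MARKER_EXT) and len(name) > len(MARKER_EXT):
        return name[: -len(MARKER_EXT)]
    return None


def sweep(root):
    """Walk root and collect marked files and ransom notes."""
    result = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                result.notes.append(full)
                continue
            orig = original_name(fname)
            if orig is None:
                continue
            result.encrypted.append((full, orig))
            result.by_original_ext[os.path.splitext(orig)[1].lower()] += 1
    return result


def untargeted_originals(result):
    """Marked files whose original extension is not in the target list.

    These deserve a second look: they may point at another variant or at a
    false positive in the sweep.
    """
    return [orig for _, orig in result.encrypted
            if os.path.splitext(orig)[1].lower() not in TARGETED_EXTS]


def build_sample_tree():
    """Constructed sample directory (not real victim data); left in place for inspection."""
    root = tempfile.mkdtemp(prefix="rsani-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx" + MARKER_EXT,
                 "photo.jpg" + MARKER_EXT,
                 "notes.ini" + MARKER_EXT,   # .ini is not in the target subset
                 "untouched.pdf",            # unmarked, should be ignored
                 RANSOM_NOTE):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"sample")
    return root


def demo():
    """Build the constructed tree and sweep it."""
    return sweep(build_sample_tree())


if __name__ == "__main__":
    r = demo()
    print(r.verdict())
    for path, orig in r.encrypted:
        print(f"{orig} -> {os.path.basename(path)}")
    print("counts by original extension:", dict(r.by_original_ext))
    print("untargeted originals:", untargeted_originals(r))
```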

Analysis Report

General information

Family Name: Trojan.PerfKey.A
Packers: $Id: UPX
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • $Id: UPX
  • .UPX
  • 2+ executable sections
  • big overlay
  • HighEntropy
  • No Version Info
  • packed
  • RAR (In Overlay)
  • RARinO
  • upx
  • UPX
  • UPX!
  • WinRAR SFX
  • x86

Block Information

Total Blocks: 128
Potentially Malicious Blocks: 81
Whitelisted Blocks: 28
Unknown Blocks: 19

Visual Map

1 ? ? 0 0 0 ? x ? ? ? ? ? ? x 0 ? 0 ? ? ? ? x x 0 x x 0 0 x 0 x x x x x 0 x 0 0 x 0 0 x 0 x x x x x x x x 0 0 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 0 x x x x 0 x x x x x x x 0 0 0 x x x x x x x x x x ? x x 0 ? x ? x ? ? x x 0 1 x 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.AAQC
  • PerfKey.A

Files Modified


Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\multimedia\drawdib:: 1024x768x32(bgr 0) 31,31,31,31 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • ShellExecuteEx
Other Suspicious
  • SetWindowsHookEx

Shell Command Execution

(NULL) C:\Users\Fwaydjkl\AppData\Local\Temp\RarSFX0\part.exe
