The file setup.rar, distributed from 51scope.cn (https://www.51scope.cn/files/setup.rar), is offered as manufacturer-directed driver software for budget hardware such as USB endoscope cameras. Security analysis nevertheless flags this download as high-risk grayware and classifies it as an arch-exec SFX dropper, a self-extracting archive whose stub runs a second stage. For a detailed security analysis of the file, visit ANY.RUN.

| Observation | Details |
|-------------|---------|
| Process execution | setup.exe spawns svchost.exe (a renamed copy) in a suspended state and later injects the downloaded payload into it (the suspend-and-inject pattern). |
| Network traffic | HTTP GET to http://dl.51scope.cn/payload.bin with User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64). TCP to 185.62.45.210:443 (TLS handshake followed by a binary exchange). |
| File system | Writes C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, which provides persistence via the Startup folder. |
| Registry | Creates HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost pointing to the same copy. |
| Anti-analysis | Checks for virtualization via WMI (Win32_ComputerSystem Manufacturer = "VMware"). Sleeps for 30 seconds if a debugger is detected. |
| Payload | The secondary binary (payload.bin) is a PE with a .NET stub that loads a C#-based ransomware module (encrypts user files and drops a ransom note). This behaviour was observed in the sandbox after de-obfuscation. |
| Persistence | After infection, the malware registers a scheduled task named "System Update" that runs daily to re-create the malicious executable if it has been removed. |
| Command & Control (C2) | Uses HTTPS to the same IP (185.62.45.210) for key exchange; the payload downloads additional modules (e.g., a keylogger). Communication is AES-256 encrypted with a static key (0x5A3F...). |
| Remediation | Block the domain and IP at the DNS and firewall level, quarantine any file matching the reported hashes, enable strict execution control (AppLocker, Windows Defender Application Control), and conduct forensic analysis on any endpoint that may have run the binary. |
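The indicators in the table above are only useful if they can be turned into a hunt. The following is an added example, not code from the original page or from ANY.RUN: it matches endpoint telemetry against the domain, IP, download URL, out-of-place svchost.exe, Startup-folder copy, Run key and "System Update" task described above, and returns a per-host verdict that follows the remediation row (persistence plus network contact means isolate and do forensics). The JSON-lines event shape (`process_create`, `dns_query`, `network_connect`, `http_request`, `file_create`, `registry_set`, `task_create`) is an assumption chosen to resemble Sysmon fields, the sample events are constructed, and no file hashes appear because the page lists none.

```python
import json
import re
from collections import Counter

# Indicators transcribed from the table above. No hashes: the page names
# none, so none are invented here.
IOC_DOMAIN_SUFFIX = "51scope.cn"
IOC_IPS = {"185.62.45.210"}
IOC_URL = "http://dl.51scope.cn/payload.bin"
TASK_NAME = "System Update"
SYSTEM32_SVCHOST = r"c:\windows\system32\svchost.exe"
STARTUP_SVCHOST_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost\.exe$",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost$",
    re.IGNORECASE,
)

PERSISTENCE = {"startup_folder_persistence", "run_key_persistence", "scheduled_task_persistence"}
NETWORK = {"ioc_domain", "ioc_ip", "payload_download"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return the IOC rule names one event trips (empty list if benign)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "")
        parent = ev.get("parent_image", "")
        # A svchost.exe that is not the real one in System32 is the renamed copy.
        if _basename(image) == "svchost.exe" and image.lower() != SYSTEM32_SVCHOST:
            hits.append("svchost_outside_system32")
            if _basename(parent) == "setup.exe":
                hits.append("svchost_spawned_by_setup")
    elif kind == "dns_query":
        name = ev.get("query", "").lower().rstrip(".")
        if name == IOC_DOMAIN_SUFFIX or name.endswith("." + IOC_DOMAIN_SUFFIX):
            hits.append("ioc_domain")
    elif kind == "network_connect":
        if ev.get("dest_ip") in IOC_IPS:
            hits.append("ioc_ip")
    elif kind == "http_request":
        if ev.get("url", "").lower() == IOC_URL:
            hits.append("payload_download")
    elif kind == "file_create":
        if STARTUP_SVCHOST_RE.search(ev.get("target", "")):
            hits.append("startup_folder_persistence")
    elif kind == "registry_set":
        if RUN_KEY_RE.match(ev.get("key", "")):
            hits.append("run_key_persistence")
    elif kind == "task_create":
        if ev.get("task_name") == TASK_NAME:
            hits.append("scheduled_task_persistence")
    return hits


def triage(lines):
    """Scan JSON-lines events for one host; return rule counts and a verdict."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for rule in match_event(json.loads(line)):
            counts[rule] += 1
    rules = set(counts)
    if rules & PERSISTENCE and rules & NETWORK:
        verdict = "isolate_and_forensics"  # remediation row: full forensic analysis
    elif rules:
        verdict = "investigate"
    else:
        verdict = "clean"
    return {"rules": dict(counts), "verdict": verdict}


# Constructed sample telemetry (not real captures): one host showing the chain
# from the table, preceded by two benign events that must not match.
SAMPLE_EVENTS = r"""
{"type":"process_create","image":"C:\\Windows\\System32\\svchost.exe","parent_image":"C:\\Windows\\System32\\services.exe"}
{"type":"dns_query","query":"www.microsoft.com"}
{"type":"process_create","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe","parent_image":"C:\\Users\\bob\\Downloads\\setup.exe"}
{"type":"dns_query","query":"dl.51scope.cn"}
{"type":"http_request","url":"http://dl.51scope.cn/payload.bin"}
{"type":"network_connect","dest_ip":"185.62.45.210","dest_port":443}
{"type":"file_create","target":"C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"}
{"type":"registry_set","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"}
{"type":"task_create","task_name":"System Update"}
""".strip().splitlines()


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The domain rule matches any host under 51scope.cn, which is what the remediation row asks for when it says to block the domain; if the vendor site must stay reachable, narrow it to dl.51scope.cn. The svchost rule keys on path rather than name, so the legitimate System32 copy spawned by services.exe is not flagged.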