: It has been documented as a downloader for Locky ransomware and has appeared in campaigns involving the RagnarLocker threat group.
According to analysis from Joe Sandbox and Hybrid Analysis , typical indicators include: : E4272FB1E61D3D995EEA488931E815AF . File Paths : Often found in %TEMP% or on the %DESKTOP% . Soft.exe
: The malware frequently uses CryptOne packing to hide its code and implements stalling techniques (like calling Sleep functions) to wait out sandbox analysis. : It has been documented as a downloader
: It may drop secondary executables with randomized names or names like svchost015.exe . Summary Table: Behavioral Analysis Observed Activity Type Ransomware Downloader / InfoStealer Delivery : The malware frequently uses CryptOne packing to
: In more recent activity, a related variant named ViperSoftX has been found disguised as cracked software to steal cryptocurrency and system information.