{
	"id": "4eb945c3-4d03-4d15-9799-83a9fba70d35",
	"created_at": "2026-04-06T00:07:52.46772Z",
	"updated_at": "2026-04-10T13:12:45.252454Z",
	"deleted_at": null,
	"sha1_hash": "f6a1e2d4b21e5449c5fbda75c1099712874a656e",
	"title": "CryptoHost Decrypted: Locks files in a password protected RAR File",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1598998,
	"plain_text": "CryptoHost Decrypted: Locks files in a password protected RAR File\r\nBy Lawrence Abrams\r\nPublished: 2016-04-08 · Archived: 2026-04-05 18:24:01 UTC\r\nA new ransomware called CryptoHost was discovered by security researcher Jack that states that it encrypts your data and then demands a ransom of .33 bitcoins or approximately 140 USD to get your files back. In reality, though, your data is not encrypted, but rather copied into a password protected RAR archive. Thankfully, the password created by this infection is easily discovered, so infected users can get their files back. This infection is currently being detected as Ransom:MSIL/Manamecrypt.A and Ransom_CRYPTOHOST.A.\r\nI would also like to thank Michael Gillespie and MalwareHunterTeam for their additional analysis.\r\nThe CryptoHost Ransomware\r\nHow to Decrypt or get your data back from the CryptoHost Ransomware\r\nNormally I would not disclose a vulnerability in a ransomware as it will just lead to the developer fixing it in a future version. Unfortunately, a certain site, which will not be named, irresponsibly revealed the method that can be used to decrypt these files, so the secret is already out.\r\nWhen CryptoHost infects your computer it will move certain data files, which are detailed in the technical analysis below, into a password protected RAR archive located in the C:\\Users\\[username]\\AppData\\Roaming folder. This file will have a 41 character name and no extension. An example file is 3854DE6500C05ADAA539579617EA3725BAAE2C57. The password for this archive is the name of the archive combined with the logged in user name. 
So for example, if the name of the user is Test and the RAR archive is located at C:\\Users\\Test\\AppData\\Roaming\\3854DE6500C05ADAA539579617EA3725BAAE2C57, the password would be 3854DE6500C05ADAA539579617EA3725BAAE2C57Test.\r\nhttps://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/\r\nPage 1 of 7\r\nFor those who do not want to deal with figuring out the password, you can use this password generator created by Michael Gillespie.\r\nBefore we begin, we want to first terminate the cryptohost.exe process. To do this, open the Start Menu and type Task Manager. When the Task Manager search result appears, click on it to start the program. Now click on the Processes tab and select the cryptohost.exe process as shown below. Then click on the End Process button to terminate it.\r\nEnd the Cryptohost.exe Process\r\nNow, to extract the password protected RAR archive with your files in it, we first need to install the 7-Zip application. Once it is installed, open up the C:\\Users\\[username]\\AppData\\Roaming folder and locate the archive file using the info described above. Now right-click on it and then select the Extract to \"foldername\" option as shown in the image below.\r\nExtraction Wizard\r\nWhen 7-Zip prompts you for the password, enter the password as described above and press Enter. Your data will now be extracted into a folder with the same name as the RAR archive. When done, open that folder and copy all of the folders in it to the root of your C: drive. 
Your data files should now be restored.\r\nHow to remove the CryptoHost Ransomware\r\nWhen CryptoHost is installed it will create a file called cryptohost.exe and store it in the C:\\Users\\[username]\\AppData\\Roaming folder. It will also create an autorun called software that executes the ransomware on login. To remove this infection, simply end the cryptohost.exe process using Task Manager and then delete the cryptohost.exe file. To remove the autorun you can delete this registry key:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\software %AppData%\\cryptohost.exe\r\nMost security products should detect this infection at this point and remove it automatically if you do not wish to remove CryptoHost manually.\r\nCryptoHost Ransomware Technical Analysis\r\nCryptoHost is currently being bundled with a uTorrent installer that, when installed, extracts cryptohost.exe to the %AppData% folder and executes it. Once executed, CryptoHost will move all files that match certain extensions into a password protected RAR archive located in the %AppData% folder. The name of the archive will be a SHA1 hash of the following information with any dashes removed:\r\nprocessorId + volume_serial_number_of_c: + motherboard_serial_number\r\nThe password for this archive will be in the form of the SHA1 hash + username. So if the SHA1 hash is 3854DE6500C05ADAA539579617EA3725BAAE2C57 and the user is Test, the password would be 3854DE6500C05ADAA539579617EA3725BAAE2C57Test.\r\nThe file extensions that will be moved into the password protected archive by CryptoHost are:\r\njpg, jpeg, png, gif, psd, ppd, tiff, flv, avi, mov, qt, wmv, rm, asf, mp4, mpg, mpeg, m4v, 3gp, 3g2, pdf, docx, pptx, doc\r\nWhen the archive is finished being created, the ransomware will then perform a listing of the files in the archive and save that list to the %AppData%\\Files file. 
CryptoHost will now display the ransomware screen as shown below.\r\nCryptoHost Ransomware Screen\r\nThis screen is broken up into four subscreens that allow you to get various information about the infection and to list the affected data files. Below are two of these screens.\r\nHow it Works Screen\r\nCheck Payment Screen\r\nWhen a victim wants to decrypt their files, they need to click the Check Payment Status button, which simply checks blockchain.info for any payments to the assigned bitcoin address. If the text returned by the blockchain query contains the exact numbers listed in the Fee label of the CryptoHost interface, then the ransomware will extract your files. This means that a victim has to pay the exact amount, and if more is paid, the ransomware will still not decrypt the files.\r\nWhen first started, CryptoHost will also try to delete the HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot key in order to make it impossible to boot into safe mode. Thankfully, this process does not run with the privileges necessary to remove this key.\r\nCryptoHost will also monitor process names and window titles for certain strings. If these strings are detected, the associated process will be terminated. In my tests this method only worked on process names and not window titles. The list of strings that it searches for is:\r\nanti virus, anti-virus, antivirus, avg, bitdefender, eset, mcafee, dr.web, f-secure, internet security, obfuscator, debug\r\nIt is interesting to note that the dev not only targets security products, but also common sites and processes that a victim may want to visit or use for games. 
This is done to further aggravate the victim into paying the ransom.\r\nLast, but not least, this ransomware does not communicate with the malware developer in any way, and the only network communication is when it checks the blockchain.info site for payment.\r\nFiles associated with the CryptoHost Ransomware:\r\n%Temp%\\uTorrent.exe\r\n%AppData%\\cryptohost.exe\r\n%AppData%\\files\r\n%AppData%\\processor.exe\r\nRegistry entries associated with the CryptoHost Ransomware:\r\nHKCU\\Software\\Classes\\FalconBetaAccount\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\software %AppData%\\cryptohost.exe\r\nSource: https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/"
	],
	"report_names": [
		"cryptohost-decrypted-locks-files-in-a-password-protected-rar-file"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6a1e2d4b21e5449c5fbda75c1099712874a656e.pdf",
		"text": "https://archive.orkl.eu/f6a1e2d4b21e5449c5fbda75c1099712874a656e.txt",
		"img": "https://archive.orkl.eu/f6a1e2d4b21e5449c5fbda75c1099712874a656e.jpg"
	}
}