Analysis of this file across platforms like ANY.RUN and Hybrid Analysis reveals several critical red flags:
: Reports highlight that the malware specifically searches for directories related to Telegram Desktop , Discord , and various Chromium-based browsers to strip saved login credentials. Technical Indicators Observation File Type WinRAR Archive (RAR) Threat Level Critical (100/100) Main Process Green Hell v2.4.2.rar
Contacting external IPs via HTTP/POST requests to exfiltrate ZIP archives of stolen data. Analysis of this file across platforms like ANY
Often spawns a sub-process like GreenHell.exe or a random string (e.g., svchost.exe injection). Green Hell v2.4.2.rar
: The file uses "anti-VM" and "anti-debug" techniques to detect if it is being analyzed by security researchers. If it detects a sandbox environment, it may remain dormant or crash to avoid detection.
