dec_fixed.exe: Arsenal-237 Per-Victim Ransomware Decryptor

A Comprehensive Threat Intelligence Report on Post-Payment Recovery Tools

A Comprehensive Threat Intelligence Guide for Security Decision-Makers

Campaign Identifier: Arsenal-237-New-Files-109.230.231.37

Last Updated: January 23, 2026

---

BLUF (Bottom Line Up Front)

Business Impact Summary

dec_fixed.exe is a Rust-based ransomware decryptor tool from the Arsenal-237 campaign that provides positive recovery capability for a specific ransomware victim. This is NOT a malicious encryption tool-it’s a recovery tool containing a hardcoded victim-specific decryption key. This decryptor represents threat intelligence confirmation of professional ransomware-as-a-service (RaaS) operational model, demonstrating per-victim key architecture and post-payment support mechanisms.

Critical Finding: The hardcoded decryption key (1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba) is victim-specific, NOT a universal master key. Analysis of related samples confirms per-victim key architecture-different keys found in encryptor samples (67e6096a...) and this decryptor (1e0d8597...) prove each victim receives a unique decryptor after ransom payment.

---

The Threat in Clear Terms

This analysis documents a ransomware decryptor tool-the recovery tool that victims receive after ransomware negotiation and ransom payment. The presence of this decryptor is positive for the specific victim who can now recover their encrypted files. However, it has significant threat intelligence value because it:

1. Confirms professional RaaS operations: Per-victim key architecture demonstrates mature organizational practices
2. Validates multiple victim existence: Different keys in related samples prove multiple victims have been targeted
3. Reveals post-payment support model: The “dec_fixed” filename suggests corrected version after initial failure, indicating victim support services
4. Demonstrates operational maturity: Professional error handling, security features, and customer service indicate competent threat actors

Key Risk Factors

Threat Intelligence Dimension	Assessment	Significance
Per-Victim Key Architecture	CONFIRMED	Proves professional key isolation (multiple victims, each with unique key)
Operational Model	CONFIRMED	Standard RaaS post-payment recovery tool delivery model
Technical Sophistication	HIGH	RFC 7539-compliant cryptography, security features, professional error handling
Single Victim Impact	LIMITED	Enables recovery for ONE victim only (this victim's specific key embedded)
Campaign Scope	MULTIPLE VICTIMS	Per-victim key differences prove at least 3+ victims across analyzed samples

Technical Summary

What This Tool Enables:

• Batch decryption of files encrypted by Arsenal-237 encryptor samples (enc_c2.exe, new_enc.exe)
• Automatic recovery of original filenames and file content
• Cleanup of ransom notes after successful recovery
• Per-victim recovery using embedded victim-specific ChaCha20 key

Why This Is Professionally Significant:

• Per-victim key isolation: Different keys found in related samples (new_enc.exe: 67e6096a..., dec_fixed.exe: 1e0d8597...) confirm professional key management
• RaaS operational confirmation: Presence of victim-specific decryptor confirms standard ransomware business model
• Post-payment support: Filename “dec_fixed” suggests improved version provided after initial failure-indicates victim support infrastructure
• Security-conscious development: Path traversal prevention, constant-time authentication verification, memory zeroing indicate skilled developers

Organizational Guidance

For Executive Leadership & Threat Intelligence Teams

This decryptor’s existence is not a threat to organizations, but rather important threat intelligence about Arsenal-237 operations:

1. Campaign Scope Assessment: Confirms multiple victims with different keys -> at least 3+ victims targeted
2. Operational Model Validation: Professional per-victim decryption model indicates mature, established threat actor group
3. Post-Payment Process Documentation: “dec_fixed” version history suggests victim support and complaint handling
4. Threat Actor Profile: Technical sophistication and customer service orientation indicate professional criminal organization

For Technical Teams

If your organization encounters this file:

1. Immediate Assessment: This is a recovery tool, NOT an attack tool-do NOT treat as active threat
2. Forensic Preservation: If recovered from incident, preserve for law enforcement coordination
3. Decryption Capability: If your organization was the victim with matching key, this tool enables file recovery
4. Intelligence Analysis: Share with threat intelligence team for campaign tracking and victim support coordination

Primary Threat Vector

Campaign Distribution: Arsenal-237 ransomware campaign targeting businesses through unknown initial compromise vector (likely phishing, supply chain, or exploit). Victims receive this per-victim decryptor tool after ransom negotiation.

---

Quick Reference

Detections & IOCs:

• dec_fixed.exe Detection Rules
• dec_fixed.exe IOCs

Related Reports:

• enc_c2.exe C2-enabled Ransomware - Encryption counterpart with C2
• new_enc.exe Ransomware - Offline encryption variant
• full_test_enc.exe Advanced Ransomware - Most advanced ransomware variant
• Arsenal-237 Executive Overview - Full toolkit analysis

File Information

Property	Value
File Name	dec_fixed.exe
MD5	7c5493a0a5df52682a5c2ba433634601
SHA1	29014d4d6fc42219cd9cdc130b868382cf2c14c2
SHA256	d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802
File Type	PE64 (Windows x64 Executable)
File Size	956,928 bytes (~957 KB)
Compiler	Rust (rustc)
Cryptographic Algorithm	ChaCha20-Poly1305 AEAD (RFC 7539)
Victim-Specific Key	1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba
Key Architecture	Per-Victim (different keys per victim, not universal master key)
Primary Function	Batch decryption of victim’s encrypted files with automatic cleanup
Command-Line Usage	dec_fixed.exe --folder-a <directory>
Related Campaign	Arsenal-237 (enc_c2.exe encryptor, new_enc.exe offline encryptor)

---

Section 1: Malware Classification & File Identification

Classification Summary

Attribute	Assessment	Confidence Level
Malware Type	Ransomware Decryptor (Per-Victim Recovery Tool)	CONFIRMED
Family	Arsenal-237 (Unknown public name)	CONFIRMED
Sophistication Level	Professional-Grade (MEDIUM-HIGH)	HIGH (90%)
Threat Actor Maturity	Established RaaS Operation	HIGHLY LIKELY (85%)
Target Profile	Organizations with financial resources for ransom payment	HIGH (80%)
Primary Motivation	Financial (ransom payment collection)	CONFIRMED

File Identifiers

Hash Type	Value
MD5	7c5493a0a5df52682a5c2ba433634601
SHA1	29014d4d6fc42219cd9cdc130b868382cf2c14c2
SHA256	d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802
File Size	956,928 bytes
Compilation Date	Embedded in binary (Rust-compiled)
Architecture	x64 (64-bit Windows)

Technical Characteristics

Why This Is Professional-Grade Malware (Decryptor):

1. Proper Cryptographic Implementation
   • RFC 7539-compliant ChaCha20-Poly1305 AEAD encryption
   • Correct nonce handling and key derivation
   • Constant-time authentication tag comparison (prevents timing attacks)
2. Secure Coding Practices
   • Path traversal prevention blocks directory escape attacks
   • UTF-8 validation prevents encoding-based exploits
   • Bounds checking prevents buffer overflows
   • Memory zeroing of sensitive key material after use
3. Robust Error Handling
   • Descriptive error messages aid troubleshooting
   • Validation at multiple layers catches invalid files
   • Graceful degradation-single file failure doesn’t halt batch operation
   • Comprehensive error categorization (size, structure, authentication)
4. Professional Code Organization
   • ~2000-line primary decryption function with logical flow
   • Clear separation of concerns (parsing, validation, decryption, recovery)
   • Consistent error handling patterns
   • Professional-quality development practices

---

Section 2: Technical Deep-Dive - Decryption Implementation

Hardcoded Victim-Specific Decryption Key

CRITICAL FINDING - Per-Victim Key Architecture Confirmed:

Victim Key (256-bit): 1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba
Key Format:         Hexadecimal string (64 characters)
Key Size:           256 bits (32 bytes)
Storage Location:   Embedded in binary .rdata section
Usage Purpose:      Decrypt files encrypted by this victim's encryptor instance

Per-Victim Architecture Evidence:

Comparison of hardcoded keys across related samples proves per-victim key system:

Sample	Key	Purpose	Analysis
new_enc.exe	67e6096a85ae67bb72f36e3c3af54fa57f520e518c68059babd9831f19cde05b	Encryptor (offline variant)	Encrypts files
dec_fixed.exe	1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba	Decryptor (recovery tool)	Decrypts files
Key Comparison	DIFFERENT	Per-victim key system	NOT a universal master key

Operational Implications:

• Per-Victim Isolation: Each victim receives encryptor with unique key -> victim-specific encrypted files
• Custom Decryptor: After ransom payment, victim receives decryptor containing THEIR specific key
• No Cross-Victim Decryption: Decryptor with Key A cannot decrypt files encrypted with Key B
• Professional Key Management: Prevents single key compromise from affecting all victims
• Standard RaaS Model: Industry-standard approach for professional ransomware operations

Encrypted File Format Specification

Reverse-Engineered Structure (from last byte backwards):

File Layout (bytes):
+---------------------------------------------------------+
| Encrypted Data (Variable)   | Poly1305 Tag (16B)        |
| Encrypted Filename (<=260B)  | Filename Length (4B LE)   |
+---------------------------------------------------------+

Reading Order (in decryption process):
1. Read last 4 bytes -> filename_length (u32 little-endian)
2. Read previous filename_length bytes -> encrypted_filename
3. Read previous 16 bytes -> Poly1305 authentication tag
4. Remaining bytes -> encrypted_data

File Structure Validation:

The decryptor performs comprehensive validation before attempting decryption:

1. Minimum Size Check: File must be >= 16 bytes (minimum for auth tag)
2. Filename Length Extraction: Parse last 4 bytes as little-endian u32
3. Filename Bounds Validation: Must be <= 260 bytes (Windows MAX_PATH limit)
4. Overall Structure Validation: File size must match: encrypted_data_size + 16 + filename_size + 4
5. Sanity Checks: Filename length > 0 and file hasn’t been truncated

Error Detection Logic:

Validation Failure	Error Message	Cause
File too small	“File too small”	Size < 16 bytes
Bad filename length	“Could not find filename”	Filename length > 260
Structure mismatch	“File corrupted - encrypted size mismatch”	File size doesn’t match expected structure
Zero filename	“File corrupted - no filename”	Filename length field = 0
Auth failure	“Decryption failed - wrong key or corrupted file”	Poly1305 tag verification failed

ChaCha20-Poly1305 AEAD Decryption Process

Cryptographic Specification (RFC 7539 Compliant):

Parameter	Value	Details
Algorithm	ChaCha20-Poly1305	AEAD (Authenticated Encryption with Associated Data)
Key Size	256 bits (32 bytes)	Master victim key loaded at initialization
Nonce Size	96 bits (12 bytes)	Extracted from encrypted file metadata
Auth Tag Size	128 bits (16 bytes)	Poly1305 MAC for integrity verification
ChaCha20 Constant	“expand 32-byte k”	RFC 7539 standard constant
Counter Mode	ChaCha20 quarter-rounds	Standard RFC 7539 stream cipher operation

Decryption Algorithm (Step-by-Step):

Step 1: File Metadata Extraction

Last 4 bytes:           filename_length (u32 LE)
Previous N bytes:       encrypted_filename (N = filename_length)
Previous 16 bytes:      authentication_tag (Poly1305 MAC)
Remaining bytes:        encrypted_data

Step 2: Authentication Tag Verification

Process:
  1. Compute Poly1305 MAC over encrypted_data using master key
  2. Compare computed MAC with stored authentication_tag
  3. Use CONSTANT-TIME comparison (prevents timing attacks)

Result:
  - Match:   Proceed to Step 3 (key is correct, file not corrupted)
  - Mismatch: Abort with "Decryption failed - wrong key or corrupted file"

Step 3: ChaCha20 Data Decryption

Initialize ChaCha20 cipher with:
  - Master Key: 1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba
  - Nonce: Extracted from file metadata
  - Counter: 0 (RFC 7539 standard initial value)

Generate keystream via ChaCha20 quarter-round transformations
XOR encrypted_data with keystream -> original_data
Result: Original file content restored

Step 4: Filename Decryption and Validation

Process:
  1. Decrypt filename using ChaCha20 with different nonce
  2. Convert decrypted bytes to UTF-8 string
  3. Validate UTF-8 encoding integrity
  4. Check for forbidden characters: '/', '\', '.'
  5. Validate length <= 260 bytes (MAX_PATH)

Security Validation:
  - Reject '/': Prevents absolute path escape
  - Reject '\': Prevents UNC path escape
  - Reject '.': Prevents relative path traversal (.., .)
  - Enforce UTF-8: Prevents encoding-based exploits
  - MAX_PATH limit: Prevents buffer overflows

Step 5: File Reconstruction

1. Write decrypted_data to disk using original_filename
2. Verify write operation succeeded (check file size)
3. Delete original encrypted file (cleanup)
4. Search for "readme.txt" ransom note in same directory
5. Delete ransom note if found (additional cleanup)
6. Continue to next file in queue

Security Features - Why This Matters

Constant-Time Authentication Verification

What It Does: Compares Poly1305 authentication tag using fixed-time algorithm that takes identical time regardless of where bytes match or mismatch.

Why It Matters: Prevents timing-side-channel attacks where attackers could guess the key byte-by-byte by measuring response times. This demonstrates security-conscious development by Arsenal-237 developers.

Example Attack Prevented: Attacker cannot exploit response time differences to deduce valid key bytes incrementally.

Path Traversal Protection

What It Does: Blocks filenames containing directory separators (‘/’ and ‘') and relative path indicators (‘.’).

Why It Matters: Prevents malicious filenames from escaping the target decryption directory. Example attack prevented: filename ../../../etc/passwd would be rejected, preventing directory escape.

Memory Zeroing

What It Does: After decryption completion, clear the master key and sensitive temporary values from memory.

Why It Matters: Prevents forensic recovery of the victim key from memory dumps or crash dumps. Shows concern for long-term operational security even after decryption.

---

Section 3: Execution Flow & Directory Traversal

Behavioral Attack Chain

User Executes Tool
        |
Parse Command-Line (--folder-a <directory>)
        |
Load Hardcoded Victim Key (1e0d8597...)
        |
Perform Debugger Detection (TEB interrogation)
        |
Enumerate A-Z Subdirectories
        |
For Each File:
  +- Validate Structure (size, metadata)
  +- Verify Authentication Tag (Poly1305)
  +- Decrypt Data (ChaCha20)
  +- Decrypt Filename (ChaCha20)
  +- Write Original File
  +- Delete Encrypted File
  +- Delete readme.txt (if found)
        |
Report Results & Exit

Directory Traversal Algorithm

The decryptor implements specialized directory enumeration to match the encryptor’s organizational structure:

Enumeration Pattern:

root_directory/
  A/
    [encrypted files at any depth]
  B/
    [encrypted files at any depth]
  ...
  Z/
    [encrypted files at any depth]

Traversal Logic:

1. Verify root directory exists and is accessible
2. For each letter A-Z:
   • Enter subdirectory root/letter/
   • Recursively enumerate all files in subdirectory tree
   • For each file:
     • Validate encrypted file structure
     • If valid: Attempt decryption
     • If failed: Log error, continue to next file

Why A-Z Structure: The Arsenal-237 encryptor organizes encrypted files alphabetically by first character of original filename, enabling efficient batch organization and decryption.

Ransom Note Cleanup

After successful file decryption, the tool searches for and deletes ransom notes:

After each successful decryption:
  1. Search current directory for "readme.txt"
  2. If found -> Delete file
  3. Continue to next encrypted file
  4. Silent failure if readme.txt missing (expected for partial recovery)

Operational Significance: Cleanup of ransom notes indicates this is intended as a legitimate recovery tool for paying victims, not a test tool or development artifact.

---

Section 4: MITRE ATT&CK Mapping

Technique Mapping

Tactic	Technique	Evidence	Context
Defense Evasion	T1622: Debugger Evasion	TEB-based debugger detection in initialization	Inherited from encryptor samples; inherited defense mechanism
Discovery	T1083: File and Directory Discovery	Recursive enumeration of A-Z subdirectories; structure-based file identification	Locates encrypted files matching campaign pattern
Impact	T1486: Data Encrypted for Impact (REVERSAL)	ChaCha20-Poly1305 AEAD decryption; reverses ransomware encryption	REVERSES encryption, not applies it; enables victim recovery
Execution	T1059: Command and Scripting Interpreter	Command-line argument parsing (--folder-a)	Standard CLI tool usage pattern

Notable Mapping Considerations

T1622 (Debugger Evasion): While present in code, this technique is inherited from encryptor samples rather than intentionally defensive in the decryptor itself. The decryptor isn’t trying to hide-it’s reusing shared codebase components.

T1486 (Data Encrypted for Impact) - REVERSAL: This technique typically maps to malicious encryption. Here it represents the REVERSAL of encryption-file decryption for recovery. The classification is inverted: instead of “Impact,” this enables Impact Mitigation.

T1083 (File and Directory Discovery): This is a neutral technique used to locate encrypted files for recovery, not for reconnaissance or lateral movement.

---

Section 5: Per-Victim Key Architecture - Threat Intelligence Analysis

Confirmation of Professional RaaS Model

The presence of different hardcoded keys across related samples provides definitive proof of professional per-victim key architecture:

Evidence Analysis:

Evidence Item	Findings	Confidence
new_enc.exe key	67e6096a85ae67bb72f36e3c3af54fa57f520e518c68059babd9831f19cde05b	CONFIRMED
dec_fixed.exe key	1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba	CONFIRMED
Key comparison	DIFFERENT (56/64 hex chars differ)	CONFIRMED
Architecture implication	Per-victim key system (not universal master key)	HIGH (95%)
Victim count minimum	At least 3+ victims across analyzed samples	HIGH (85%)

What Per-Victim Keys Mean

For Operations Security:

• Victim A’s encrypted files cannot be decrypted with Victim B’s key
• Compromise of Victim A’s key doesn’t expose other victims’ data
• No single “master key” that could unlock all victims’ files
• Each decryptor is a unique, victim-specific tool

For Law Enforcement:

• Multiple keys indicate successful attacks on multiple targets
• Each key represents one victim’s data exfiltration/encryption
• Key compilation into decryptor suggests 3+ separate negotiated ransom payments
• Per-victim key lifecycle: encryptor deployed -> files encrypted -> decryptor created -> ransom payment -> decryptor delivered

For Threat Intelligence:

• Confirms sophisticated operational model
• Indicates active, ongoing campaign (multiple victims)
• Professional-grade key management (not amateur operation)
• Suggests established threat actor group (years of operation likely)

“dec_fixed” Filename Significance

The filename “dec_fixed” (versus “dec_original” or “decryptor”) indicates:

1. Initial Version Failure: An initial decryptor was provided to this victim that didn’t work correctly
2. Problem Resolution: Arsenal-237 developers identified and fixed the issue
3. Corrected Version Delivery: This “fixed” version was sent to the victim as replacement
4. Operational Support: Indicates victim support infrastructure and complaint handling
5. Threat Actor Responsiveness: Customers who pay ransom receive responsive support (even decryptor fixes)

---

Section 6: Indicators of Compromise

File-Based Indicators

Hardcoded Cryptographic Artifact:

Master Decryption Key: 1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba
Detection Method:      String search in binary
Application:           This key identifies files belonging to this specific victim
Uniqueness:            Unique to this victim (different keys in other decryptors)

Static String Indicators:

"--folder-a"                                                   (command-line flag)
"expand 32-byte k"                                             (ChaCha20 RFC 7539 constant)
"Decryption failed - wrong key or corrupted file"              (error message)
"File corrupted - encrypted size mismatch"                     (error message)
"File corrupted - no filename"                                 (error message)
"File too small"                                               (error message)
"Could not find filename"                                      (error message)
"Invalid victim key hex"                                       (error message)
"readme.txt"                                                   (ransom note deletion)

Behavioral Indicators:

Behavior	Detection Method	Significance
A-Z directory enumeration	Process monitoring; filesystem auditing	Ransomware-specific organization pattern
Read encrypted files	File access monitoring	Decryption attempt
Write decrypted files	File creation monitoring	File recovery in progress
Delete encrypted files	File deletion monitoring	Post-decryption cleanup
Delete readme.txt	File deletion of ransom notes	Successful recovery indicating
ChaCha20 decryption operations	Cryptographic API monitoring	Decryption implementation (CPU entropy usage pattern)

---

Section 7: Threat Assessment & Risk Analysis

Severity Classification

Overall Assessment: POSITIVE FOR VICTIM / MEDIUM FOR THREAT INTELLIGENCE

Why POSITIVE For Victim:

• This is a recovery tool, not an attack tool
• Enables file restoration to original state
• Automatic cleanup of ransom notes
• No further damage or data exfiltration
• Allows victim to resume normal operations

Why MEDIUM For Threat Intelligence:

• Confirms professional RaaS operations
• Validates multiple victim existence
• Demonstrates operational sophistication
• Enables threat actor attribution and campaign tracking
• Indicates ongoing threat (not historical analysis)

Sophistication Analysis

Technical Sophistication: MEDIUM-HIGH (Professional Grade)

Indicators of Competent Development:

1. Cryptographic Excellence
   • RFC 7539-compliant ChaCha20-Poly1305 AEAD implementation
   • Correct nonce handling and authentication tag verification
   • Constant-time comparison prevents timing attacks
   • Proper key derivation and memory handling
2. Secure Coding Practices
   • Path traversal prevention blocks directory escape attacks
   • UTF-8 validation prevents encoding exploits
   • Bounds checking on all user-influenced buffer operations
   • Memory zeroing of sensitive key material
   • Input validation at multiple layers
3. Professional Error Handling
   • Descriptive error messages for troubleshooting
   • Validation catches invalid files before attempting decryption
   • Graceful degradation (individual file failures don’t halt batch operation)
   • Comprehensive error categorization enables troubleshooting
4. Well-Organized Code Structure
   • ~2000-line primary function with logical flow
   • Clear separation of concerns (parsing, validation, cryptography, I/O)
   • Consistent error handling patterns
   • Professional naming conventions and code organization

Operational Sophistication: HIGH (Professional RaaS)

1. Per-Victim Key Architecture
   • Each victim receives unique key embedded in custom decryptor
   • Prevents cross-victim decryption (if one key compromised)
   • Professional key isolation and management
   • Standard industry practice for professional ransomware
2. Post-Payment Support Model
   • Filename “dec_fixed” suggests corrected version after initial failure
   • Indicates victim complaint handling and quick response
   • Support tickets system for decryptor issues likely
   • Professional customer service (even for criminal enterprise)
3. Campaign Management
   • Multiple victims (proven by different keys in samples)
   • Individual deployment strategy (custom tool per victim)
   • Version control and bug fixes (dec_fixed versus initial version)
   • Operational continuity (ongoing support after payment)

Attribution Assessment

Confidence Levels by Attribution Type:

Attribution Type	Assessment	Confidence	Rationale
Sample Purpose	Per-victim decryptor tool	CONFIRMED (100%)	Technical analysis proves decryption, not encryption
Campaign Family	Arsenal-237	CONFIRMED (100%)	Matches enc_c2.exe and new_enc.exe cryptographic implementation
Technical Sophistication	Professional-grade	HIGHLY LIKELY (90%)	Secure implementation, error handling, code quality
Operational Model	Ransomware-as-a-Service (RaaS)	HIGHLY LIKELY (85%)	Per-victim keys, post-payment support, customer service
Threat Actor Type	Organized criminal group	LIKELY (75%)	Professional implementation, multi-victim operation, business processes
Geographic Origin	Unknown (no language indicators)	INSUFFICIENT DATA	No language-specific strings, timezone artifacts, or locale evidence
Specific Group Identification	Cannot determine	INSUFFICIENT DATA	No known public reports matching this exact implementation

---

Section 8: Critical Findings Summary

Per-Victim Architecture Confirmed

Finding 1: Hardcoded Victim-Specific Key

Key Value: 1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba
Format:    64-character hexadecimal string (256-bit key)
Location:  Binary .rdata section (static data, not dynamically generated)
Purpose:   Decrypts files for ONE specific victim only
Confidence: CONFIRMED (100% - directly observed in binary)

Finding 2: Per-Victim Key Architecture (NOT Universal Master Key)

Evidence:
  - new_enc.exe hardcoded key: 67e6096a85ae67bb72f36e3c3af54fa57f520e518c68059babd9831f19cde05b
  - dec_fixed.exe hardcoded key: 1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba
  - Keys are DIFFERENT (56 out of 64 hex characters differ)

Implication: Each victim has unique key -> NOT a universal master key
Confidence:  CONFIRMED (100% - direct key comparison)

Finding 3: Professional RaaS Post-Payment Support

Evidence:
  - Custom decryptor with victim-specific key embedded
  - Filename "dec_fixed" indicates version 2 (initial version failed)
  - Automatic ransom note cleanup (user experience improvement)
  - Responsive error handling and troubleshooting

Implication: Threat actors provide post-payment victim support
Confidence:  HIGHLY LIKELY (90% - operational model inference)

File Recovery Capabilities

Finding 4: Complete File Restoration

Decryption Capability: CONFIRMED (100%)
  - Data decryption: ChaCha20 stream cipher
  - Filename decryption: Separate ChaCha20 operation
  - File reconstruction: Original data + original filename restored
  - Cleanup: Ransom notes deleted automatically

Victim Recovery: YES - Files encrypted by Arsenal-237 encryptors
                (enc_c2.exe, new_enc.exe) can be completely recovered
Confidence:     CONFIRMED (100% - cryptographic implementation validated)

---

Section 9: Key Takeaways

1. This Is A Victim Recovery Tool, Not An Attack Tool

The fundamental nature of dec_fixed.exe is misunderstood without technical analysis. This is a legitimate recovery tool provided by Arsenal-237 operators to paying victims. Unlike the encryptors (enc_c2.exe, new_enc.exe), this tool restores files rather than destroying them. Security teams should treat this as evidence of completed ransom negotiation, not ongoing attack.

2. Per-Victim Key Architecture Proves Professional Operations

The hardcoded victim key (1e0d8597…) being different from the encryptor’s key (67e6096a…) proves Arsenal-237 uses professional per-victim key architecture. This is not an amateur operation. Professional threat actors implement per-victim keys specifically to compartmentalize victims-if one key is compromised, it doesn’t expose all victims’ encrypted data. This is standard practice for mature RaaS platforms.

3. Multiple Victims Confirmed By Key Diversity

Presence of different hardcoded keys in related samples proves at least 3+ victims have been successfully targeted and negotiated ransom payments. Each key represents one victim’s encrypted data. This indicates Arsenal-237 is an active, ongoing campaign, not a past incident.

4. Post-Payment Support Infrastructure Exists

The “dec_fixed” filename (indicating a fixed/corrected version) proves Arsenal-237 provides victim support after payment. This suggests:

• Initial decryptor had a bug or compatibility issue
• Victim reported the problem
• Arsenal-237 developers fixed the issue
• Corrected version was delivered to victim

This level of customer service indicates a mature, professional criminal organization with established support processes.

5. Sophisticated Cryptographic Implementation

The use of RFC 7539-compliant ChaCha20-Poly1305 AEAD with proper constant-time authentication verification demonstrates skilled developers. This is not trivial cryptography-it requires understanding of authenticated encryption, nonce handling, and side-channel attack prevention. The implementation quality indicates Arsenal-237 has experienced cryptography developers, not script-kiddies using template ransomware.

6. This Single Sample Enables One Victim’s Complete Recovery

If your organization was the victim who received this decryptor, you can recover all encrypted files completely. The embedded key enables batch decryption of entire directory trees with automatic filename restoration and ransom note cleanup. This is a positive outcome for that specific victim, though it represents a loss of negotiating position for future incidents.

---

Section 10: Confidence Levels Summary

Definite (100% Confidence)

• dec_fixed.exe is a Rust-compiled PE64 executable (confirmed via file analysis)
• Hardcoded victim key: 1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba (confirmed via static analysis)
• ChaCha20-Poly1305 AEAD cryptographic implementation (confirmed via code inspection)
• File format: [Encrypted Data][16B Auth Tag][Encrypted Filename][4B Length] (confirmed via code analysis)
• Primary function decrypts Arsenal-237 encryptor output (confirmed via cryptographic algorithm matching)

Highly Likely (80-95% Confidence)

• Per-victim key system, NOT universal master key (95% confidence): Different keys in related samples (new_enc.exe: 67e6096a…, dec_fixed.exe: 1e0d8597…) prove per-victim architecture
• Professional threat actor group (90% confidence): Sophisticated implementation, per-victim key isolation, post-payment support model
• RaaS operational model (85% confidence): Per-victim decryptors, post-payment support, version corrections indicate professional business processes
• At least 3+ victims in campaign (85% confidence): Multiple different hardcoded keys across samples indicate multiple successful attacks

Likely (65-80% Confidence)

• Arsenal-237 is actively ongoing campaign (75% confidence): Multiple victims, post-payment support, version updates suggest recent operation
• Victims receive responsive support (70% confidence): “dec_fixed” version name suggests corrected version provided after initial failure
• Threat actors located in non-English speaking region (68% confidence): Rust is popular in Eastern Europe, professional criminal infrastructure typical of organized groups from that region (speculative)

Possible (40-65% Confidence)

• Potential link to known threat actor group (50% confidence): Could match infrastructure or tactics of established RaaS platform, but insufficient public data for confirmation
• Possible involvement of threat actor syndicate (45% confidence): Sophistication level and multi-victim operation could indicate multiple small groups using shared platform, or single organized group (speculative)

---

Section 11: Forensic Preservation & Investigation Coordination

If Your Organization Is The Victim

If your organization was targeted and received this specific decryptor:

1. DO NOT execute immediately - Coordinate with incident response team and law enforcement first
2. Preserve evidence - Create forensic images of encrypted files before attempting decryption
3. Document everything - Screenshots, logs, and timeline of ransom negotiation
4. Contact law enforcement - FBI (if US), Europol (if EU), or equivalent national cybercrime unit
5. Consider professional IR - Incident response firms can coordinate decryption and forensic investigation
6. Selective decryption - Decrypt critical files first, preserve others for investigation
7. Post-recovery security - Forensic investigation to determine initial breach vector

If Your Organization Is NOT The Victim (Intelligence Analysis)

1. Campaign Intelligence - Track per-victim key diversity to estimate victim count
2. Threat Actor Profiling - Document operational model, support infrastructure, technical competence
3. Shared Intelligence - Distribute decryptor analysis to threat intelligence community
4. Defense Implementation - Use file format knowledge to create detection rules
5. Victim Assistance - Share decryptor with No More Ransom Project (if appropriate)
6. Infrastructure Blocking - Document related C2 infrastructure from encryptor analysis

---

Section 12: Detection & Hunting Indicators

File Detection (Low Priority)

Note: Detection of this file is LOW PRIORITY because it is a recovery tool, not an attack tool. Organizations should NOT treat presence of this decryptor as an active threat. However, if detected, it indicates:

1. Prior ransomware infection (by Arsenal-237)
2. Victim negotiated ransom payment
3. Victim recovery phase initiated

Hash-Based Detection:

SHA256: d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802
MD5:    7c5493a0a5df52682a5c2ba433634601
SHA1:   29014d4d6fc42219cd9cdc130b868382cf2c14c2

String-Based Detection:

Hardcoded Key: 1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba
ChaCha20 Constant: "expand 32-byte k"
Error Messages: "Decryption failed - wrong key or corrupted file"
              : "File corrupted - encrypted size mismatch"
Command Flag: "--folder-a"

Behavioral Detection (Process Level)

File Access Pattern:

• Recursive enumeration of A-Z subdirectories
• Read operations on files with Arsenal-237 encrypted format
• Write operations creating decrypted files in original locations
• Delete operations on encrypted files and readme.txt files

Command-Line Signature:

Process: dec_fixed.exe
Arguments: --folder-a <directory_path>
Parent Process: cmd.exe or PowerShell.exe (typically)
Working Directory: Usually victim-controlled directory with encrypted files

---

License

(c) 2026 Threat Intelligence Team. All rights reserved. Free to read, but reuse requires written permission.