AdWare.Win32.Ruco (file analysis)

AdWare.Win32.Ruco is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a full scan and clean your PC during the trial period.
6-day free trial available.

What can the AdWare.Win32.Ruco virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Performs HTTP requests potentially not found in PCAP.
  • Reads data out of its own binary image
  • Attempts to modify Internet Explorer’s start page
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventional binary language: Chinese (Simplified)
  • Unconventional language used in binary resources: Chinese (Simplified)
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Attempts to modify proxy settings
  • Attempts to modify browser security settings

How to identify AdWare.Win32.Ruco?

File Info:

name: A63DB91FD3349B19AD1C.mlw
path: /opt/CAPEv2/storage/binaries/7a7c5eba53fb69aa838d4a4e103caf27f9b618e99514c00f43101034ce920304
crc32: 77FFB021
md5: a63db91fd3349b19ad1cfe4dd619201c
sha1: 2715acd5240d5277ec5ac6e8bb6ab3d9ffaa75a1
sha256: 7a7c5eba53fb69aa838d4a4e103caf27f9b618e99514c00f43101034ce920304
sha512: 684f4cd5e683c24beb7d1e7bfc8948e842acb149d307094457e6bc0dc1532a56002a4ca224652b617b5f542c1c70cc58770e0155e5b653acf946bb9a824a58d4
ssdeep: 49152:ik2NsWC0UxLTazpDWoZgUMv5/mY3MML/kk+kpkkkkkkkkkkXL0PVkkkkh:z2eWNUtsDLZO5/mm/TL0H
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T158C5CF52BA81D0F2C7991530C0B727F699379E96CA2B8F83E390FE6C79321516937136
sha3_384: c15463ffcd3560e9743c273cb3263e12ef385c32f489c6260fc2cbcc6dc06e35d433b20ea3d790eec679b79fd7318d1d
ep_bytes: 558bec6aff68a03c6400681810460064
timestamp: 2015-06-13 15:57:21

Version Info:

FileVersion: 1.0.0.0
FileDescription: 棉花团图像格式转换v1.3
ProductName: 棉花团图像格式转换v1.3
ProductVersion: 1.0.0.0
CompanyName: 棉花团图像格式转换v1.3
LegalCopyright: 棉花团图像格式转换v1.3 版权所有
Comments: 棉花团图像格式转换v1.3
Translation: 0x0804 0x04b0

AdWare.Win32.Ruco is also known as (vendor: detection name):

Bkav: W32.AIDetect.malware2
Lionic: Trojan.Win32.Generic.lqzi
tehtris: Generic.Malware
FireEye: Generic.mg.a63db91fd3349b19
CAT-QuickHeal: Trojan.Generic.2919
Cylance: Unsafe
Zillya: Adware.Ruco.Win32.575
Sangfor: Adware.Win32.Agent.Vxxf
K7AntiVirus: Trojan ( 005246d51 )
Alibaba: AdWare:Win32/BScope.c6c6ad36
K7GW: Adware ( 004b87ea1 )
Cybereason: malicious.5240d5
BitDefenderTheta: Gen:NN.ZexaF.34606.Ds0@a4O5Xxlb
Cyren: W32/Trojan.CLL.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
Elastic: malicious (high confidence)
ESET-NOD32: a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Malware.Generic-9820446-0
Kaspersky: not-a-virus:HEUR:AdWare.Win32.Ruco.gen
Avast: Win32:Trojan-gen
Comodo: Worm.Win32.Dropper.RA@1qraug
F-Secure: Trojan:W32/DelfInject.R
McAfee-GW-Edition: BehavesLike.Win32.Generic.vh
Trapmine: malicious.moderate.ml.score
Sophos: Mal/Generic-S (PUA)
SentinelOne: Static AI – Malicious PE
GData: Win32.Trojan.PSE.11D15LD
Jiangmin: AdWare.Ruco.uo
Google: Detected
Antiy-AVL: Trojan/Win32.FlyStudio.a
ZoneAlarm: not-a-virus:HEUR:AdWare.Win32.Ruco.gen
Microsoft: Trojan:Win32/Wacatac.A!ml
Cynet: Malicious (score: 100)
McAfee: Artemis!A63DB91FD334
VBA32: BScope.Trojan.Downloader
Malwarebytes: Trojan.MalPack.FlyStudio
TrendMicro-HouseCall: TROJ_GEN.R002H0CHE22
Ikarus: HackTool.Win32.WPEPRO
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/CoinMiner.ELG!tr.pws
AVG: Win32:Trojan-gen
CrowdStrike: win/malicious_confidence_60% (W)

How to remove AdWare.Win32.Ruco?

AdWare.Win32.Ruco removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
