BetterHash (PUA) removal guide

BetterHash (PUA) is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to fully scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the BetterHash (PUA) virus do?

  • Sample contains Overlay data
  • Presents an Authenticode digital signature
  • Installs an OpenCL library, probably to mine Bitcoins
  • Unconventional binary language: Romanian
  • Unconventional language used in binary resources: Romanian
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Behavioural detection: Transacted Hollowing
  • Checks the CPU name from registry, possibly for anti-virtualization
  • Attempts to modify proxy settings
  • Accessed credential storage registry keys
  • A cryptomining command was executed
  • Attempts to disable Windows Defender
  • Collects information to fingerprint the system
  • Uses suspicious command line tools or Windows utilities

How to identify BetterHash (PUA)?
File Info:

name: 1AD649BB71FAF6615B1E.mlw
path: /opt/CAPEv2/storage/binaries/cf44ad94ea603f7ed5baa289dc1607fd4c9941bb7b0f6d3e57365448d843d21f
crc32: 2197012C
md5: 1ad649bb71faf6615b1e56b17169fa5d
sha1: 5a80001d01bfcc37178314a4aeff8d9c04266443
sha256: cf44ad94ea603f7ed5baa289dc1607fd4c9941bb7b0f6d3e57365448d843d21f
sha512: 9c4beb0cd3279fdcf3472369515094cbcf5d46fca20ff9473f8db29808ad41ddb952b085e5705b06e3531c7b975647b14cb6557c73c1b4db48f5d9ec7eeb4806
ssdeep: 49152:OQasxwS0/36vDA4GGQ3W2zcRNuM1x6bZK98XTADLrlvb:k+0/3wkNWcuNuK8AP9b
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T160D6E72171809BD3DF11D7708846E1ED059A6EE7A80A1C0EFE3FBE39E7722111C5E699
sha3_384: 362bb5ac576a6328014a5d4127be1fa724adf62a12adf93776490c6787a75b0dc656f8c6e6e50dfb06f34c7be06eed73
ep_bytes: 558becb90b0000006a006a004975f951
timestamp: 1992-06-19 22:22:17

Version Info:

CompanyName: Innovative Solutions
FileDescription: BetterHash
FileVersion: 3.165.0.138
InternalName: BetterHash
LegalCopyright: Innovative Solutions
LegalTrademarks: Innovative Solutions
OriginalFilename: betterhash.exe
ProductName: BetterHash
ProductVersion: 3.165
Comments: BetterHash
Translation: 0x0418 0x04e2

BetterHash (PUA) is also known as (vendor: detection name):

  • Skyhigh: Artemis
  • Cylance: unsafe
  • CrowdStrike: win/grayware_confidence_90% (D)
  • Elastic: malicious (high confidence)
  • ClamAV: Multios.Coinminer.Miner-6781728-2
  • Sophos: BetterHash (PUA)
  • DrWeb: Program.Unwanted.4536
  • SentinelOne: Static AI – Suspicious PE
  • Webroot: W32.Miner
  • Google: Detected
  • McAfee: Artemis!1AD649BB71FA
  • VBA32: TScope.Trojan.Delf
  • Rising: Trojan.Generic@AI.90 (RDML:pw/sIjf2pdJA9iEsG9SoQA)

How to remove BetterHash (PUA)?

BetterHash (PUA) removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – press “Reset Browser Settings”.
  • Select the proper browser and options – click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.