
What is “Exploit:Win32/DDEDownloader!ml”?


Exploit:Win32/DDEDownloader!ml is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and cure your PC during the trial period.
A 6-day free trial is available.

What can the Exploit:Win32/DDEDownloader!ml virus do?

  • Executable code extraction
  • Creates RWX memory
  • Expresses interest in specific running processes
  • Reads data out of its own binary image
  • Drops a binary and executes it
  • Detects Sandboxie through the presence of a library
  • Checks for the presence of known windows from debuggers and forensic tools
  • The following processes appear to have been packed with Themida: 6.exe, lv.exe, 4.exe
  • Network activity detected but not expressed in API logs
  • Attempts to identify installed AV products by installation directory
  • Checks for the presence of known devices from debuggers and forensic tools
  • Detects the presence of Wine emulator via registry key
  • Checks the version of Bios, possibly for anti-virtualization
  • Detects VirtualBox through the presence of a registry key
  • Anomalous binary characteristics

How to identify Exploit:Win32/DDEDownloader!ml?

File Info:

crc32: F935C474
md5: b50087cc5e9bd6ba7f675ffc7baaa51c
name: B50087CC5E9BD6BA7F675FFC7BAAA51C.mlw
sha1: 46f8a0bcb299ee4cedfbfe69d465f30c99d8f486
sha256: 2170c3133ee9e4ea8546a695ac58ada27602dc24d56f573cffac9aa3c69adff6
sha512: 543dff1ca2edfb099abecf6eb2c99f716fcfc2c71968db59f56b75cf04c28acc58ae4c8a8c6a9bca6411fa601b757f460fb27166b482184ad795d24466ffe17e
ssdeep: 98304:tLHu1g6D70sCZa9eNz9MkS7HSLs6igh/2/OEvEvI1fUj756vaO7fGPDEkbnBHmyp:tj6Ya9eNa77HSLs/CL6V1fUApGbEkLBB
type: PE32 executable (GUI) Intel 80386, for MS Windows

Version Info:

LegalCopyright: Holaroks
ProductVersion: 5.61.47.0
FileVersion: 5.61.47.0
FileDescription:
Translation: 0x0000 0x04b0

Exploit:Win32/DDEDownloader!ml is also known as (vendor: detection name):

Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.GenericKD.44991706
FireEye: Generic.mg.b50087cc5e9bd6ba
ALYac: Trojan.GenericKD.44991706
Malwarebytes: Trojan.MalPack.Themida
Sangfor: Malware
K7AntiVirus: Trojan ( 0056e5201 )
BitDefender: Trojan.GenericKD.44991706
K7GW: Trojan ( 0056e5201 )
Cyren: W32/Agent.BXE.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Avast: Win32:TrojanX-gen [Trj]
Kaspersky: HEUR:Trojan-Dropper.Win32.Scrop.vho
Alibaba: Packed:Win32/Themida.67521eac
AegisLab: Trojan.Win32.Scrop.b!c
Rising: Trojan.Generic@ML.100 (RDMK:45M0Mwd4aqZKrFVFvAKLyA)
Ad-Aware: Trojan.GenericKD.44991706
Emsisoft: Trojan.GenericKD.44991706 (B)
Comodo: Malware@#23ifvd2vmmucb
F-Secure: Heuristic.HEUR/AGEN.1102892
DrWeb: Trojan.PWS.Stealer.29663
McAfee-GW-Edition: BehavesLike.Win32.Dropper.tc
Sophos: Mal/Generic-S
Ikarus: Trojan.Win32.Themida
Webroot: W32.Trojan.Gen
Avira: TR/Drop.Scrop.muyim
MAX: malware (ai score=88)
Microsoft: Exploit:Win32/DDEDownloader!ml
Arcabit: Trojan.Generic.D2AE84DA
ZoneAlarm: HEUR:Trojan-Dropper.Win32.Scrop.vho
GData: Win32.Trojan-Stealer.CoinStealer.8AU0ZT
Cynet: Malicious (score: 100)
AhnLab-V3: Malware/Win32.Generic.C4261745
McAfee: Artemis!B50087CC5E9B
VBA32: TScope.Malware-Cryptor.SB
Cylance: Unsafe
Panda: Trj/CI.A
ESET-NOD32: multiple detections
TrendMicro-HouseCall: TROJ_GEN.R002H0CLC20
SentinelOne: Static AI – Suspicious PE
eGambit: Unsafe.AI_Score_99%
Fortinet: W32/Generic!tr
BitDefenderTheta: Gen:NN.ZexaF.34688.TzWaai!blde
AVG: Win32:TrojanX-gen [Trj]
Paloalto: generic.ml
Qihoo-360: Win32/Trojan.Dropper.273

How to remove Exploit:Win32/DDEDownloader!ml?

Exploit:Win32/DDEDownloader!ml removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
