Categories: Malware

Fragtor.25286 removal

The Fragtor.25286 is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Fragtor.25286 virus can do?

  • Executable code extraction
  • Injection (inter-process)
  • Injection (Process Hollowing)
  • Creates RWX memory
  • Attempts to connect to a dead IP:Port (81 unique times)
  • Starts servers listening on 0.0.0.0:2239
  • Reads data out of its own binary image
  • A process created a hidden window
  • Drops a binary and executes it
  • Unconventionial language used in binary resources: Polish
  • Uses Windows utilities for basic functionality
  • Enumerates services, possibly for anti-virtualization
  • Executed a process and injected code into it, probably while unpacking
  • Deletes its original binary from disk
  • A process attempted to delay the analysis task by a long amount of time.
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
  • Installs itself for autorun at Windows startup
  • A possible cryptomining command was executed
  • Makes SMTP requests, possibly sending spam or exfiltrating data.
  • Attempts to interact with an Alternate Data Stream (ADS)
  • Anomalous binary characteristics

Related domains:

z.whorecord.xyz
microsoft-com.mail.protection.outlook.com
defeatwax.ru
a.tomx.xyz
158.102.105.176.dnsbl.sorbs.net
158.102.105.176.bl.spamcop.net
158.102.105.176.zen.spamhaus.org
158.102.105.176.sbl-xbl.spamhaus.org
158.102.105.176.cbl.abuseat.org
fastpool.xyz
mx1c40.carrierzone.com
mx1.hanmail.net
mx4.hanmail.net
al-ip4-mx-vip2.prodigy.net
emig.freenet.de
mx01.schlund.de
mxa-0050b901.gslb.pphosted.com
mxb-00544602.gslb.pphosted.com
mx3.naver.com
mx.lycos.de.cust.b.hostedemail.com
mxb-00660201.gslb.pphosted.com
mx5.telemach.net
smtp-in.sfr.fr
mx1.akson.si
mxb-00320f01.gslb.pphosted.com
mxb-0042f101.gslb.pphosted.com
mx.wp.pl
mxb-000a9401.gslb.pphosted.com
mx1.ocps.net.gslb.pphosted.com
mailhub.siol.net
mx01.mail.icloud.com
smtp-good-in-1.t-2.net
mx02.mocospace.com
mxb-0019e102.gslb.pphosted.com
nam.olc.protection.outlook.com
mxa-0010d501.gslb.pphosted.com
acmenet.net.mx1.logical.rcimx.net
mail.h-email.net
mx.acorncontracting.com
actaccess.net.mx1.greymail.rcimx.net
mx0a-00191d01.pphosted.com
r-smtp4.korea.com
mx3.qq.com
mx37.m1bp.com
westcreekfarms.com.1.0001.arsmtp.com
mx00.mail.com
d98962a.ess.barracudanetworks.com
mail.debindo-ite.com
mail.mailerhost.net
mail2.mailinator.com
inbound-smtp.us-west-2.amazonaws.com
mx0b-00191d01.pphosted.com
mx156.hostedmxserver.com
mail1.cowshed.us
mxa-00143702.gslb.pphosted.com
mx.powered.name
_dc-mx.1040b0d0bc31.tendermela.com
smtp.yopmail.com
mx1.comcast.net
mx02.mail.icloud.com
mta6.am0.yahoodns.net
ms18.tcnoc.com
mx.angelfire.com.cust.b.hostedemail.com
mail.thesoubrettes.com
help.steampowered.com
us.puma.com
mail.pelikan.be
i.instagram.com
mx4.beavis99.com
mxa-001a4c01.gslb.pphosted.com

How to determine Fragtor.25286?



File Info:

crc32: 3611FCC7md5: 341ff5bd65ac81e9a1f8219f28457e44name: 341FF5BD65AC81E9A1F8219F28457E44.mlwsha1: 0fc02247e1b2642f32b955e7c6ed2d6b11f9fb45sha256: b493b2eedafa078155595f5ff85550375c511c34d1b8a5c4db352887e11bce1asha512: adb12826df4c9b9ec744616f7a7ac4978b01c613217442526c79653b3db084935c29739238888dac74d2583d6599d2b05b6d878996381fb622db15513b27bfeessdeep: 6144:JV1JcYUHsh4pp+Mbs1sX1pLGGh+9fxca:JV1iYUHO4plgChz+R+atype: PE32 executable (GUI) Intel 80386, for MS Windows

Version Info:

Translation: 0x1209 0x04b8

Fragtor.25286 also known as:

Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
DrWeb BackDoor.Tofsee.199
ClamAV Win.Packed.Generic-9896523-0
CAT-QuickHeal Ransom.Stop.Z5
ALYac Gen:Variant.Fragtor.25286
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
K7GW Trojan ( 005880311 )
K7AntiVirus Trojan ( 005880311 )
Cyren W32/Kryptik.FJN.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HMPL
APEX Malicious
Avast Win32:DropperX-gen [Drp]
Cynet Malicious (score: 100)
Kaspersky HEUR:Exploit.Win32.Shellcode.gen
BitDefender Gen:Variant.Fragtor.25286
MicroWorld-eScan Gen:Variant.Fragtor.25286
Ad-Aware Gen:Variant.Fragtor.25286
Sophos Mal/Generic-S
BitDefenderTheta Gen:NN.ZexaF.34170.ru0@aWQ2MHmO
McAfee-GW-Edition BehavesLike.Win32.MultiPlug.dm
FireEye Generic.mg.341ff5bd65ac81e9
Emsisoft Trojan.Crypt (A)
SentinelOne Static AI – Malicious PE
Jiangmin Exploit.ShellCode.epi
Avira TR/AD.Tofsee.tztsf
Antiy-AVL Trojan/Generic.ASMalwS.34A4AB7
Microsoft Ransom:Win32/StopCrypt.MIK!MTB
GData Gen:Variant.Fragtor.25286
AhnLab-V3 CoinMiner/Win.Glupteba.R442664
Acronis suspicious
McAfee Packed-GDT!341FF5BD65AC
MAX malware (ai score=85)
VBA32 Malware-Cryptor.Azorult.gen
Malwarebytes Trojan.MalPack.GS
Panda Trj/GdSda.A
TrendMicro-HouseCall Ransom_StopCrypt.R067C0DIU21
Rising Trojan.Kryptik!1.D9C0 (CLASSIC)
Ikarus Trojan.Win32.Crypt
Fortinet W32/GenKryptik.FLGE!tr
AVG Win32:DropperX-gen [Drp]
Paloalto generic.ml

How to remove Fragtor.25286?

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.
Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment
Share
Published by
Paul Valéry
Tags: _dc-mx.1040b0d0bc31.tendermela.com158.102.105.176.bl.spamcop.net158.102.105.176.cbl.abuseat.org158.102.105.176.dnsbl.sorbs.net158.102.105.176.sbl-xbl.spamhaus.org158.102.105.176.zen.spamhaus.orga.tomx.xyzacmenet.net.mx1.logical.rcimx.netactaccess.net.mx1.greymail.rcimx.netal-ip4-mx-vip2.prodigy.netd98962a.ess.barracudanetworks.comdefeatwax.ruemig.freenet.defastpool.xyzFragtor.25286help.steampowered.comi.instagram.cominbound-smtp.us-west-2.amazonaws.commail.debindo-ite.commail.h-email.netmail.mailerhost.netmail.pelikan.bemail.thesoubrettes.commail1.cowshed.usmail2.mailinator.commailhub.siol.netmicrosoft-com.mail.protection.outlook.comms18.tcnoc.commta6.am0.yahoodns.netmx.acorncontracting.commx.angelfire.com.cust.b.hostedemail.commx.lycos.de.cust.b.hostedemail.commx.powered.namemx.wp.plmx00.mail.commx01.mail.icloud.commx01.schlund.demx02.mail.icloud.commx02.mocospace.commx0a-00191d01.pphosted.commx0b-00191d01.pphosted.commx1.akson.simx1.comcast.netmx1.hanmail.netmx1.ocps.net.gslb.pphosted.commx156.hostedmxserver.commx1c40.carrierzone.commx3.naver.commx3.qq.commx37.m1bp.commx4.beavis99.commx4.hanmail.netmx5.telemach.netmxa-0010d501.gslb.pphosted.commxa-00143702.gslb.pphosted.commxa-001a4c01.gslb.pphosted.commxa-0050b901.gslb.pphosted.commxb-000a9401.gslb.pphosted.commxb-0019e102.gslb.pphosted.commxb-00320f01.gslb.pphosted.commxb-0042f101.gslb.pphosted.commxb-00544602.gslb.pphosted.commxb-00660201.gslb.pphosted.comnam.olc.protection.outlook.comr-smtp4.korea.comsmtp-good-in-1.t-2.netsmtp-in.sfr.frsmtp.yopmail.comus.puma.comwestcreekfarms.com.1.0001.arsmtp.comz.whorecord.xyz
3 years ago

Recent Posts

About “Tedy.563972” infection

The Tedy.563972 is considered dangerous by lots of security experts. When this infection is active,…

13 mins ago

Jaik.225774 (B) (file analysis)

The Jaik.225774 (B) is considered dangerous by lots of security experts. When this infection is…

24 mins ago

Zusy.494313 (file analysis)

The Zusy.494313 is considered dangerous by lots of security experts. When this infection is active,…

45 mins ago

Fragtor.158799 (file analysis)

The Fragtor.158799 is considered dangerous by lots of security experts. When this infection is active,…

49 mins ago

Win32/Adware.Agent.NPP removal tips

The Win32/Adware.Agent.NPP is considered dangerous by lots of security experts. When this infection is active,…

50 mins ago

How to remove “Trojan.Agent.VB.BNU (B)”?

The Trojan.Agent.VB.BNU (B) is considered dangerous by lots of security experts. When this infection is…

1 hour ago