Categories: Malware

Generic.ServStart.A.05DA2309 (file analysis)

The Generic.ServStart.A.05DA2309 is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Generic.ServStart.A.05DA2309 virus can do?

Executable code extraction
Injection with CreateRemoteThread in a remote process
Creates RWX memory
Attempts to connect to a dead IP:Port (6 unique times)
Starts servers listening on 0.0.0.0:21
Expresses interest in specific running processes
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
A process created a hidden window
Drops a binary and executes it
Unconventionial binary language: Chinese (Simplified)
Unconventionial language used in binary resources: Chinese (Simplified)
The binary likely contains encrypted or compressed data.
Uses Windows utilities for basic functionality
Tries to suspend Cuckoo threads to prevent logging of malicious activity
Code injection with CreateRemoteThread in a remote process
Crashed cuckoomon during analysis. Report this error to the Github repo.
A process attempted to delay the analysis task by a long amount of time.
Tries to unhook or modify Windows functions monitored by Cuckoo
Attempts to repeatedly call a single API many times in order to delay analysis time
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
Installs itself for autorun at Windows startup
Creates a hidden or system file
Clears Windows events or logs
Creates a copy of itself
Anomalous binary characteristics
Uses suspicious command line tools or Windows utilities

Related domains:

ilo.brenz.pl

supnewdmn.com

lianshangau.cc

513aushagou.cc

tvrstrynyvwstrtve.com

ant.trenz.pl

vvaonh.com

miajag.com

ayxdcd.com

btyexy.com

rtvwerjyuver.com

difuga.com

giismy.com

tobyyn.com

ufylyx.com

oxynap.com

wqerveybrstyhcerveantbe.com

rmineu.com

xofgoj.com

vsehiy.com

wjtxot.com

mahmek.com

didtjj.com

aeiviw.com

kvefxt.com

aajjzy.com

rreyzv.com

gadnkk.com

ayyywq.com

tsduzu.com

tdekcz.com

nqbibi.com

irmeiu.com

susyaa.com

fvbeaj.com

duitvg.com

emwggr.com

gyosoy.com

hbyftp.com

eihjuy.com

pubrru.com

xzypyp.com

buzrkw.com

nazesy.com

nbupha.com

gyiqae.com

lzmiao.com

iboajk.com

eynhhu.com

sipbuu.com

stcoum.com

auetoj.com

agewxo.com

kveioo.com

hpdoxm.com

biynfs.com

ooheze.com

yfeiio.com

kulvfs.com

yuaaif.com

yojklf.com

uuuukn.com

azoyrk.com

asoems.com

rplhia.com

hkiudd.com

pdvyju.com

euizfu.com

kganes.com

zuppak.com

eoaaat.com

udfzpw.com

lukpio.com

ztdadu.com

dibrpt.com

uopuzi.com

amkpie.com

soslwp.com

lphyop.com

qacnyt.com

czqywg.com

geuuys.com

ipmqgg.com

ybxjwb.com

fiahan.com

iupnue.com

rgssec.com

xxdnyj.com

etycom.com

ynvawu.com

qydejj.com

iuynyo.com

eevywm.com

rzxcgq.com

ybnjbd.com

nualyp.com

How to determine Generic.ServStart.A.05DA2309?


File Info:
crc32: 7C4BBDA5md5: 23ff29e277ce2e65001613c8f79f96ddname: 23FF29E277CE2E65001613C8F79F96DD.mlwsha1: ed107fd3ad8ec62824dd313cb13c64fbcb1e4e55sha256: a93c6922e26b1a9a9df022a5d5b85b11b84f2b83413f42851ac6ba0141228839sha512: e4d6e456580f942bddc54b7345d0a11f02f398e97e2be32e1c6f46363b1d6c3551b23e6dd4575e5c1ab511fd665cf8b5f56bea2149adeb7ff67b7fd5c99578a0ssdeep: 6144:4I0UZgbiyX3FZIRECe5iRA+MOZaWsqirkvOmGBN6IL1Q6xPue77l:lZgIRY5IA+PZasiLbMqQg2ettype: PE32 executable (GUI) Intel 80386, for MS Windows
Version Info:
LegalCopyright: x7248x6743x6240x6709(C) 2015InternalName: gyFileVersion: 1, 0, 0, 1CompanyName:  PrivateBuild: LegalTrademarks: Comments: ProductName:   gySpecialBuild: ProductVersion: 1, 0, 0, 1FileDescription: gyOriginalFilename: gy.datTranslation: 0x0804 0x04b0

Generic.ServStart.A.05DA2309 also known as:

Bkav	W32.Tmgrtext.PE
K7AntiVirus	Trojan ( 0051b1671 )
Elastic	malicious (high confidence)
DrWeb	Trojan.AVKill.63055
Cynet	Malicious (score: 100)
CMC	Virus.Win32.Ramit.1!O
CAT-QuickHeal	W32.Ramnit.BA
ALYac	Generic.ServStart.A.05DA2309
Cylance	Unsafe
Zillya	Virus.Nimnul.Win32.1
Sangfor	Win.Trojan.Ramnit-1847
CrowdStrike	win/malicious_confidence_100% (D)
K7GW	Trojan ( 0051b1671 )
Cybereason	malicious.277ce2
Baidu	Win32.Virus.Nimnul.a
Cyren	W32/Ramnit.B!Generic
Symantec	W32.Ramnit.B!inf
ESET-NOD32	Win32/Ramnit.H
Zoner	Trojan.Win32.82649
APEX	Malicious
Avast	Win32:RmnDrp [Inf]
ClamAV	Win.Trojan.Ramnit-1847
Kaspersky	Virus.Win32.Nimnul.a
BitDefender	Generic.ServStart.A.05DA2309
NANO-Antivirus	Virus.Win32.Nimnul.bqjjnb
ViRobot	Win32.Nimnul.A
MicroWorld-eScan	Generic.ServStart.A.05DA2309
Tencent	Virus.Win32.Nimnul.f
Ad-Aware	Generic.ServStart.A.05DA2309
Sophos	ML/PE-A + W32/Ramnit-A
Comodo	Virus.Win32.Ramnit.K@37eb7u
BitDefenderTheta	AI:FileInfector.9425D5100E
VIPRE	Virus.Win32.Ramnit.b (v)
TrendMicro	PE_RAMNIT.DEN
McAfee-GW-Edition	BehavesLike.Win32.Ramnit.fc
FireEye	Generic.mg.23ff29e277ce2e65
Emsisoft	Generic.ServStart.A.05DA2309 (B)
SentinelOne	Static AI – Malicious PE
Jiangmin	Win32/IRCNite.wi
Avira	W32/Ramnit.C
eGambit	Unsafe.AI_Score_100%
Antiy-AVL	Trojan/Generic.ASVirus.1EB
Microsoft	Virus:Win32/Ramnit.J
Gridinsoft	Trojan.Win32.Malex.dd!n
Arcabit	Generic.ServStart.A.05DA2309
GData	Win32.Virus.Nimnul.A
TACHYON	Virus/W32.Ramnit
AhnLab-V3	Win32/Ramnit.G
Acronis	suspicious
McAfee	W32/Ramnit.a
MAX	malware (ai score=84)
VBA32	Virus.Win32.Nimnul.b
Malwarebytes	Neshta.Virus.FileInfector.DDS
Panda	W32/Cosmu.E
TrendMicro-HouseCall	PE_RAMNIT.DEN
Rising	Malware.Heuristic!ET#87% (RDMK:cmRtazppoX97wXZt4A1IaCMq+4tB)
Yandex	Trojan.GenAsa!rluJXE67ft0
Ikarus	Backdoor.Win32.Inject
MaxSecure	Virus.Nimnul.A
Fortinet	W32/Ramnit.A
AVG	Win32:RmnDrp [Inf]