Fake

Mal/Generic-R + Troj/FakeAV-CSI information

Malware Removal

The Mal/Generic-R + Troj/FakeAV-CSI is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Mal/Generic-R + Troj/FakeAV-CSI virus can do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Presents an Authenticode digital signature
  • Creates RWX memory
  • Mimics the system’s user agent string for its own requests
  • Possible date expiration check, exits too soon after checking local time
  • Anomalous file deletion behavior detected (10+)
  • Dynamic (imported) function loading detected
  • At least one IP Address, Domain, or File Name was found in a crypto call
  • Performs HTTP requests potentially not found in PCAP.
  • Starts servers listening on 0.0.0.0:26860, :0
  • Enumerates running processes
  • Expresses interest in specific running processes
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventionial language used in binary resources: Russian
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Code injection with CreateRemoteThread in a remote process
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Tries to unhook or modify Windows functions monitored by Cuckoo
  • Steals private information from local Internet browsers
  • Collects and encrypts information about the computer likely to send to C2 server
  • Installs itself for autorun at Windows startup
  • Exhibits behavior characteristics of BlackRemote/BlackRAT RAT
  • Attempts to modify proxy settings
  • Attempts to modify browser security settings
  • Harvests credentials from local FTP client softwares
  • Collects information to fingerprint the system
  • Clears web history

How to determine Mal/Generic-R + Troj/FakeAV-CSI?



File Info:

name: CF57F777EA8EB102A9FA.mlw
path: /opt/CAPEv2/storage/binaries/9b13ae48ea6ade9046bc8fbfd725f385805223c03e4e3cb9907a43d03d9d1603
crc32: 5DE99E40
md5: cf57f777ea8eb102a9fa03561b354a34
sha1: 5e1787d8d129d638f49ce953668826062bfcf353
sha256: 9b13ae48ea6ade9046bc8fbfd725f385805223c03e4e3cb9907a43d03d9d1603
sha512: d602a8f74af3704eea3851cfec645e171cd4f5fdd653ec7fb9ef833371bd9827e2d28e282e64a7a156d273f6e70470179caedaffa123675bb62a1fab937a9125
ssdeep: 3072:I+yM2SHCXzagvJKj1NvrJ4JoIc0pp6yjTz+qY/KSzr1ndeENT:lFHezagv8JbIc0pEsuuSzJF
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T16FD31248FBF7193FD5655A3168C4B3031676B98DAA801B110C88D0C97CE2B897FBA65F
sha3_384: 2a79eaaf27ea1f9cecb013c8a0be66022e5b6a573f8446a96bed36eaeeb973211594154f7bd4772e158df5680de500e7
ep_bytes: 60be003042008dbe00e0fdff57eb0b90
timestamp: 2008-10-15 11:55:35


Version Info:

CompanyName: AVG Technologies CZ, s.r.o.
FileDescription: AVG Tray Monitor
FileVersion: 9.0.0.871
InternalName: avgtray
LegalCopyright: Copyright © 2010 AVG Technologies CZ, s.r.o.
OriginalFilename: avgtray.exe
ProductName: AVG Internet Security
ProductVersion: 9.0.0.871
PrivateBuild: Win32 Release_Unicode
SpecialBuild: Avg8VC8_2010_1109_133319(871), SVNRev 145063 (/branches/release/SmallUpdate9-12)
Translation: 0x0409 0x04e4

Mal/Generic-R + Troj/FakeAV-CSI also known as:

BkavW32.MosquitoQKK.Fam.Trojan
LionicTrojan.Win32.FakeAv.4!c
Elasticmalicious (high confidence)
DrWebTrojan.Fakealert.22483
MicroWorld-eScanGen:Heur.VIZ.!e!.1
FireEyeGeneric.mg.cf57f777ea8eb102
McAfeeArtemis!CF57F777EA8E
MalwarebytesMalware.AI.1553884152
ZillyaTrojan.FakeAV.Win32.148
SangforTrojan.Win32.Generic.ky
K7AntiVirusTrojan ( f1000f011 )
AlibabaTrojanPSW:Win32/Kryptik.4494828f
K7GWTrojan ( f1000f011 )
Cybereasonmalicious.7ea8eb
BitDefenderThetaGen:NN.ZexaF.34212.imLfaausVwbc
VirITTrojan.Win32.Fakealert.BHGT
CyrenW32/Zbot.CN.gen!Eldorado
SymantecTrojan.Zbot
ESET-NOD32a variant of Win32/Kryptik.LDY
TrendMicro-HouseCallTROJ_CRYPTR.SMAM
ClamAVWin.Trojan.FakeAV-178
KasperskyHEUR:Trojan.Win32.Generic
BitDefenderGen:Heur.VIZ.!e!.1
NANO-AntivirusTrojan.Win32.FakeAv.tivms
SUPERAntiSpywareTrojan.Agent/Gen-FakeAVG
AvastWin32:Kryptik-AHL [Trj]
TencentWin32.Trojan.Falsesign.Tayp
Ad-AwareGen:Heur.VIZ.!e!.1
SophosMal/Generic-R + Troj/FakeAV-CSI
ComodoMalware@#37jfj5q7k48bj
VIPREBackdoor.Win32.Qakbot.ax (v)
TrendMicroTROJ_CRYPTR.SMAM
McAfee-GW-EditionW32/Pinkslipbot.gen.ae
EmsisoftGen:Heur.VIZ.!e!.1 (B)
SentinelOneStatic AI – Malicious PE
JiangminTrojan/Fakeav.ksf
WebrootW32.Infostealer.Gen
AviraTR/Crypt.ULPM.Gen
Antiy-AVLTrojan/Generic.ASMalwS.75A058
MicrosoftPWS:Win32/Zbot.gen!Y
ZoneAlarmHEUR:Trojan.Win32.Generic
GDataGen:Heur.VIZ.!e!.1
CynetMalicious (score: 99)
AhnLab-V3Trojan/Win32.FraudPack.R3415
VBA32Trojan.Zeus.EA.0999
ALYacGen:Heur.VIZ.!e!.1
MAXmalware (ai score=100)
APEXMalicious
RisingTrojan.Kryptik!8.8 (CLOUD)
MaxSecureTrojan.Malware.1809730.susgen
FortinetW32/Kryptik.NAS!tr
AVGWin32:Kryptik-AHL [Trj]
PandaBck/Qbot.AO

How to remove Mal/Generic-R + Troj/FakeAV-CSI?

Mal/Generic-R + Troj/FakeAV-CSI removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment