Malware

What is “ML/PE-A + Troj/Agent-BFFW”?

Malware Removal

The ML/PE-A + Troj/Agent-BFFW is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What ML/PE-A + Troj/Agent-BFFW virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Unconventionial language used in binary resources: Arabic (Tunisia)
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Enumerates services, possibly for anti-virtualization
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Installs itself for autorun at Windows startup
  • Installs itself for autorun at Windows startup
  • CAPE detected the Tofsee malware family
  • Anomalous binary characteristics
  • Uses suspicious command line tools or Windows utilities

How to determine ML/PE-A + Troj/Agent-BFFW?



File Info:

name: EA6CE42CCC0B94BD54AC.mlw
path: /opt/CAPEv2/storage/binaries/086b1902e50d0ccea2ed094b04d88e97eb2f7c09cd09b8cb5f4d4e65f629f02f
crc32: 090233D7
md5: ea6ce42ccc0b94bd54ac16085c673e8f
sha1: 205ddb3b7136f808cf595de1af3ac69d20c9d13a
sha256: 086b1902e50d0ccea2ed094b04d88e97eb2f7c09cd09b8cb5f4d4e65f629f02f
sha512: 47bce98d96bbb9988168a0e09e02a5fe4fd72541dda0565b3aba2ff036faace34603db47157faee717848d30f9a4ad24b91330c808bbc773ff1d20e1b697f32d
ssdeep: 98304:ZdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdIdI0:
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1C1C68C017BC1DC8AF41BB93CCA56E6FC66F5ECE5D982C35202043A6F2C77650A96B760
sha3_384: eeb8636e74639bba15f254597e9804cd1f1df3be4d8ddffd67cc6bc6f433c04b010f035c0efcc3527435819d8fa99e88
ep_bytes: e841150000e989feffff8bff558bec81
timestamp: 2019-07-05 05:23:17


Version Info:

InternalName: awizegpoz.im
LegalCopyright: Copyright (C) 2020, kilu
Translations: 0x0441 0x0315

ML/PE-A + Troj/Agent-BFFW also known as:

BkavW32.AIDetect.malware1
MicroWorld-eScanGen:Heur.Mint.Zard.52
FireEyeGeneric.mg.ea6ce42ccc0b94bd
McAfeePacked-GAY!EA6CE42CCC0B
MalwarebytesMalware.AI.1372492287
CrowdStrikewin/malicious_confidence_60% (D)
K7GWTrojan ( 00564f5a1 )
K7AntiVirusTrojan ( 0056809d1 )
CyrenW32/Kryptik.GBE.gen!Eldorado
SymantecML.Attribute.HighConfidence
ESET-NOD32a variant of Win32/Kryptik.HDSP
APEXMalicious
ClamAVWin.Packed.Tofsee-8011088-0
KasperskyHEUR:Trojan.Win32.Generic
BitDefenderGen:Heur.Mint.Zard.52
TencentMalware.Win32.Gencirc.1188cc2b
SophosML/PE-A + Troj/Agent-BFFW
DrWebBackDoor.Tofsee.199
McAfee-GW-EditionBehavesLike.Win32.Trojan.wh
EmsisoftGen:Heur.Mint.Zard.52 (B)
IkarusTrojan.Win32.Crypt
JiangminBackdoor.Tofsee.cjo
AviraHEUR/AGEN.1136028
Antiy-AVLTrojan[Backdoor]/Win32.Tofsee
ZoneAlarmHEUR:Trojan.Win32.Generic
GDataGen:Heur.Mint.Zard.52
CynetMalicious (score: 100)
AhnLab-V3Trojan/Win32.MalPe.R338764
VBA32Malware-Cryptor.Azorult.gen
ALYacGen:Heur.Mint.Zard.52
MAXmalware (ai score=87)
TrendMicro-HouseCallMal_Tofsee
RisingMalware.Heuristic!ET#100% (RDMK:cmRtazpcUO1uSuWEGOL8r2nVv0xS)
YandexTrojan.Agent!3/DGP1PPlac
SentinelOneStatic AI – Malicious PE
FortinetW32/GenKryptik.ELQV!tr
Cybereasonmalicious.ccc0b9
PandaTrj/GdSda.A

How to remove ML/PE-A + Troj/Agent-BFFW?

ML/PE-A + Troj/Agent-BFFW removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment