Ranapama.1 information

Ranapama.1 is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to complete a scan and cure your PC during the trial period.
6-day free trial available.

What can the Ranapama.1 virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • A process attempted to delay the analysis task.
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP.
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Installs itself for autorun at Windows startup
  • Attempts to modify proxy settings
  • Creates a copy of itself

How to identify Ranapama.1?


File Info:

name: 1A25AEBFC7C501E1B8A7.mlw
type: PE32 executable (GUI) Intel 80386, for MS Windows
timestamp: 2014-11-11 05:27:11

Version Info:

0: [No Data]

Ranapama.1 also known as:

Bkav: W32.AIDetect.malware2
MicroWorld-eScan: Gen:Variant.Ranapama.1
FireEye: Generic.mg.1a25aebfc7c501e1
CAT-QuickHeal: TrojanDownloader.Kuluoz.O4
ALYac: Gen:Variant.Ranapama.1
Cylance: Unsafe
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: NetWorm ( 0040f9511 )
K7GW: NetWorm ( 0040f9511 )
Cybereason: malicious.fc7c50
VirIT: Trojan.Win32.Generic.EPM
Cyren: W32/Trojan.WUYU-7394
Elastic: malicious (high confidence)
ESET-NOD32: Win32/TrojanDownloader.Zortob.H
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Trojan.Agent-1223354
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Variant.Ranapama.1
NANO-Antivirus: Trojan.Win32.Kuluoz.dinxxf
SUPERAntiSpyware: Trojan.Agent/Gen-Kuluoz
Avast: Win32:Malware-gen
Rising: Malware.FakeXLS/ICON!1.9C3D (CLASSIC)
Ad-Aware: Gen:Variant.Ranapama.1
Sophos: ML/PE-A + Troj/Weelsof-JC
Comodo: TrojWare.Win32.Spy.Zbot.AOT@5hj40k
DrWeb: BackDoor.Kuluoz.4
Zillya: Worm.Aspxor.Win32.9655
TrendMicro: BKDR_KULUOZ.SM19
McAfee-GW-Edition: BehavesLike.Win32.Downloader.ch
Trapmine: malicious.high.ml.score
Emsisoft: Gen:Variant.Ranapama.1 (B)
Ikarus: Net-Worm.Win32.Aspxor
GData: Gen:Variant.Ranapama.1
Jiangmin: Worm/Aspxor.pk
Webroot: W32.Infostealer.Zeus
Avira: HEUR/AGEN.1242587
MAX: malware (ai score=88)
Microsoft: TrojanDownloader:Win32/Kuluoz
Cynet: Malicious (score: 100)
AhnLab-V3: Win-Trojan/Injector.172032.DE
McAfee: Packed-BZ!1A25AEBFC7C5
TACHYON: Worm/W32.Aspxor.172032.F
VBA32: BScope.Trojan-Dropper.8612
Malwarebytes: Trojan.Email.FakeDoc
TrendMicro-HouseCall: BKDR_KULUOZ.SM19
Tencent: Malware.Win32.Gencirc.10b2e2e0
Yandex: Trojan.DL.Zortob!91Jwm+GJH3I
SentinelOne: Static AI – Malicious PE
MaxSecure: Trojan.Malware.7674521.susgen
Fortinet: W32/Zortob.H!tr.dldr
BitDefenderTheta: Gen:NN.ZexaF.34742.kmW@aG!kk8ki
AVG: Win32:Malware-gen
Panda: Trj/Genetic.gen
CrowdStrike: win/malicious_confidence_100% (W)

How to remove Ranapama.1?

Ranapama.1 removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings”.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
