
Ransom.Polyglot.12 malicious file


Ransom.Polyglot.12 is considered dangerous by many security experts. While this infection is active, you may notice unwanted processes in the Task Manager process list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.


What can the Ransom.Polyglot.12 virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Sample contains Overlay data
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Unconventional language used in binary resources: Chinese (Simplified)
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Behavioural detection: Injection (inter-process)
  • Creates a copy of itself
  • Anomalous binary characteristics

How to identify Ransom.Polyglot.12?

File Info:

name: B496C6FFF97405AB7BA1.mlw
path: /opt/CAPEv2/storage/binaries/cdffd927e8b81548f80c5a3a0ce4e8afd84b162c4f7bc203fdba09cf91fcddba
crc32: 23328B86
md5: b496c6fff97405ab7ba1673905aa5787
sha1: 0b74d1e49037b4e554e87216ba8065927f9f48fc
sha256: cdffd927e8b81548f80c5a3a0ce4e8afd84b162c4f7bc203fdba09cf91fcddba
sha512: b97dacdc72c644ca88f23b9f1f4f6ec03893d62e5d520a2f015f3c2a5ffc8a7c52bb2100074c112cdaef442762383c4c63238ab8c012f810735fa4ffab55b9bc
ssdeep: 3072:tBs8F3AqwRwMPzdMNKJZfanQFvEJjHf4ckRn4O:bs63AdPzdMNKnFemz
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T18CD3E113A8474271F3519AB4247B57B493A7BCFD4F228AAB1794FE1D1835681BC3239C
sha3_384: dedb71adee93b288d22b9bee949c31329f7425a2e3448e6fd38ae4ebe02a94befceeabae30e5006696d5109202db1777
ep_bytes: 558bec6aff68186e4000686e4d400064
timestamp: 2014-05-05 18:50:21

Version Info:

Comments:
CompanyNaSe:
FileDescription: cluster
FileVersion: 1, 0, 0, 1
InternalName: cluster
LegalCopyright: Copyright ? 2014
LegalTrademarks:
OriginalFilename: cluster.exe
PrivateBuild:
ProductName: cluster
ProductVersion: 1, 0, 0, 1
SpecialBuild:
Translation: 0x0810 0x04b0

Ransom.Polyglot.12 is also known as (vendor: detection name):

Bkav: W32.AIDetect.malware1
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Ransom.Polyglot.12
FireEye: Generic.mg.b496c6fff97405ab
CAT-QuickHeal: TrojanPWS.Zbot.AP4
ALYac: Gen:Variant.Ransom.Polyglot.12
Cylance: Unsafe
VIPRE: Gen:Variant.Ransom.Polyglot.12
Sangfor: Suspicious.Win32.Save.ins
K7AntiVirus: Riskware ( 0040eff71 )
BitDefender: Gen:Variant.Ransom.Polyglot.12
K7GW: Riskware ( 0040eff71 )
Cybereason: malicious.ff9740
BitDefenderTheta: Gen:NN.ZexaF.34646.iq3@aaH5cjp
VirIT: Trojan.Win32.Inject2.ADZB
Symantec: ML.Attribute.HighConfidence
tehtris: Generic.Malware
ESET-NOD32: Win32/Injector.BDMK
APEX: Malicious
Kaspersky: HEUR:Trojan.Win32.Generic
NANO-Antivirus: Trojan.Win32.Crypted.cxpkbb
Cynet: Malicious (score: 100)
Rising: Trojan.DllCheck!8.117DB (TFE:1:TKbJja44gZS)
Ad-Aware: Gen:Variant.Ransom.Polyglot.12
Sophos: ML/PE-A + Mal/Zbot-QU
Comodo: TrojWare.Win32.Xpack.SFSS@5a5ibq
DrWeb: Trojan.Winlock.8004
Zillya: Trojan.Inject.Win32.74123
TrendMicro: TROJ_ROVNIX.SMW
McAfee-GW-Edition: PWSZbot-FXE!B496C6FFF974
Trapmine: malicious.moderate.ml.score
Emsisoft: Gen:Variant.Ransom.Polyglot.12 (B)
Ikarus: Virus.Win32.Zbot
Jiangmin: Backdoor/DarkKomet.fno
Avira: TR/Dropper.Gen
Antiy-AVL: Trojan/Generic.ASMalwS.330C
Microsoft: Trojan:Win32/DllCheck.A!MSR
SUPERAntiSpyware: Trojan.Agent/Gen-Graftor
GData: Win32.Trojan.EmotetSpamBot.B
Google: Detected
AhnLab-V3: Win-Trojan/Unruy.138248
McAfee: PWSZbot-FXE!B496C6FFF974
MAX: malware (ai score=83)
VBA32: Trojan.Inject
Malwarebytes: MachineLearning/Anomalous.100%
Panda: Trj/Genetic.gen
TrendMicro-HouseCall: TROJ_ROVNIX.SMW
Tencent: Malware.Win32.Gencirc.1169f329
Yandex: Trojan.Inject!tXW6Jr3Y7jc
SentinelOne: Static AI – Suspicious PE
Fortinet: W32/Krypt.DE!tr
AVG: Win32:Crypt-REG [Trj]
Avast: Win32:Crypt-REG [Trj]
CrowdStrike: win/malicious_confidence_100% (W)

How to remove Ransom.Polyglot.12?

Ransom.Polyglot.12 removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
