What is “Ransom.StopcryptPMF.S26293797”?

Ransom.StopcryptPMF.S26293797 is the CAT-QuickHeal detection name for a sample that many antivirus engines flag as malicious under other names (listed below). When the infection is active you may notice unfamiliar processes in Task Manager; the sandbox report below shows the sample starting a process from a suspicious location and injecting code into it. If you see this, scan the computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the Ransom.StopcryptPMF.S26293797 virus do?

The items below are the CAPE sandbox signatures that fired when the sample was run. Several of them are evasion checks (Sandboxie and Avast library presence, registry disk-drive enumeration, a possible date-expiration check), so the sample may do more on a real host than the sandbox observed:

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Unconventional language used in binary resources: Chinese (Hongkong)
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Detects Sandboxie through the presence of a library
  • Detects Avast Antivirus through the presence of a library
  • Behavioural detection: Injection (inter-process)
  • Created a process from a suspicious location
  • Checks the presence of disk drives in the registry, possibly for anti-virtualization

How to identify Ransom.StopcryptPMF.S26293797?

File Info:

name: 78D105392A4D52905841.mlw
path: /opt/CAPEv2/storage/binaries/b78eee4c74c92a2fab01a5037c89d981594209af890362494342fbe9b5c978f5
crc32: 6CCFC076
md5: 78d105392a4d52905841b42ca50072d4
sha1: 6e2a149608db1d718862d847cf3b3554ae49590f
sha256: b78eee4c74c92a2fab01a5037c89d981594209af890362494342fbe9b5c978f5
sha512: abef7c1a930552989bd0c00bc438d2fab585efbdeadb8d01647eecc6fdf206b5dc13dc647059540c94d3fbdcd81f1418fcfad4d36b1600f6b15aa8d130cc2cd3
ssdeep: 6144:9VlJVwNFmfaWVsB4zzI2O4xsm8CNDgG0lnwHP/LjE6:Hr24fumvI2NxsGNDwUPjI
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T11354AE00BBA0D035F1B752F8597A93ADB52E3AB1572490CF52D22AEE16396F4DC3170B
sha3_384: 7e51b98c957a5903d1cb06f18c48e2e6dd15d0144f8f404ea139eb36c987b3dea64f9a51c78ae71e782ddaf7b9853aba
ep_bytes: 8bff558bece8a6720000e8110000005d
timestamp: 2020-11-22 21:17:33

Version Info:

0: [No Data]
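The File Info block above gives the hashes, compile timestamp and entry-point bytes of the sample, and the sandbox list before it flags static packer traits (an unknown PE section name, encrypted or compressed data). The script below is an added example, not code from this page or from GridinSoft: it recomputes the listed hash set for a file found on a host, walks the PE header with only the standard library, and reports the same static indicators (timestamp, entry-point bytes, non-standard section names, high-entropy sections, writable-and-executable sections). The hash and entry-point constants are copied from the page; the minimal PE it builds for demonstration, the section-name whitelist and the 7.0 bits/byte entropy threshold are assumptions of the example, not facts about the sample.

```python
"""Offline static triage: hash matching plus a stdlib-only PE header walk."""
import hashlib
import math
import struct
import zlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Indicators copied from the File Info block on this page.
KNOWN_HASHES = {
    "md5": "78d105392a4d52905841b42ca50072d4",
    "sha1": "6e2a149608db1d718862d847cf3b3554ae49590f",
    "sha256": "b78eee4c74c92a2fab01a5037c89d981594209af890362494342fbe9b5c978f5",
}
KNOWN_EP_BYTES = bytes.fromhex("8bff558bece8a6720000e8110000005d")
# Assumed whitelist of linker-generated section names; anything else is a packer hint.
CONVENTIONAL_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                         ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".textbss"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
HIGH_ENTROPY = 7.0  # assumed threshold; compressed/encrypted data sits near 8 bits/byte


def file_hashes(data: bytes) -> dict:
    """Same hash set the File Info block lists, so a host file can be compared 1:1."""
    return {"crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest(),
            "sha3_384": hashlib.sha3_384(data).hexdigest()}


def matching_known_hashes(data: bytes) -> list:
    h = file_hashes(data)
    return [k for k, v in KNOWN_HASHES.items() if h[k] == v]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Section:
    name: str
    vaddr: int
    raw_ptr: int
    raw_size: int
    characteristics: int
    entropy: float


@dataclass
class PeInfo:
    timestamp_utc: str
    ep_rva: int
    ep_bytes: bytes
    sections: list


def parse_pe(data: bytes) -> PeInfo:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        raw_name, _, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(raw_name.rstrip(b"\0").decode("latin-1"), vaddr,
                                raw_ptr, raw_size, chars, shannon_entropy(body)))
    ep_bytes = b""
    for s in sections:  # map the entry RVA to a file offset via its section
        if s.vaddr <= ep_rva < s.vaddr + s.raw_size:
            ep_off = ep_rva - s.vaddr + s.raw_ptr
            ep_bytes = data[ep_off:ep_off + 16]
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return PeInfo(when, ep_rva, ep_bytes, sections)


def packer_indicators(info: PeInfo) -> list:
    findings = []
    for s in info.sections:
        if s.name not in CONVENTIONAL_SECTIONS:
            findings.append(f"unknown section name {s.name!r}")
        if s.entropy > HIGH_ENTROPY:
            findings.append(f"high-entropy section {s.name!r} ({s.entropy:.2f} bits/byte)")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"writable and executable section {s.name!r}")
    if info.ep_bytes == KNOWN_EP_BYTES:
        findings.append("entry-point bytes match the sample on this page")
    return findings


def build_test_pe(name: bytes, body: bytes, ep: bytes, ts: int, chars: int) -> bytes:
    """Constructed minimal PE32 with one section (synthetic stand-in, not the real sample)."""
    e_lfanew, opt_size, rva, raw_ptr = 0x40, 224, 0x1000, 0x400
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, opt_size, 0x0102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", rva)).ljust(opt_size, b"\0")
    content = ep + body
    raw_size = (len(content) + 0x1FF) // 0x200 * 0x200
    sect = struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), rva,
                       raw_size, raw_ptr, 0, 0, 0, 0, chars)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + content.ljust(raw_size, b"\0")


def make_packed_sample() -> bytes:
    """Odd section name, SHA-256-derived (high-entropy) body, RWX section, page's EP bytes."""
    filler = b"".join(hashlib.sha256(b"constructed" + i.to_bytes(4, "little")).digest()
                      for i in range(128))[:4080]
    return build_test_pe(b".xyz", filler, KNOWN_EP_BYTES, 1606079853, 0xE0000020)


def make_clean_sample() -> bytes:
    """Ordinary .text section full of NOPs, read+execute only."""
    return build_test_pe(b".text", b"\x90" * 4090, b"\x55\x8b\xec\x83\xec\x10", 1606079853, 0x60000020)


if __name__ == "__main__":
    info = parse_pe(make_packed_sample())
    print("compiled:", info.timestamp_utc, "ep:", info.ep_bytes.hex())
    for line in packer_indicators(info):
        print("  -", line)
    print("known-hash matches:", matching_known_hashes(make_packed_sample()))
```

Run it against a real file by replacing `make_packed_sample()` with `open(path, "rb").read()`. A hash match is proof of the exact sample; the section-name and entropy findings are only hints, because a legitimately compressed installer trips them too, and a repacked variant of the same loader will miss the hash check while keeping the packer traits.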

Ransom.StopcryptPMF.S26293797 is also known as (vendor: detection name). Note that the vendors do not agree on a family: several name Mokes or SmokeLoader, others only the generic Kryptik packer, so the name is a heuristic label rather than a confirmed family attribution.

Bkav: W32.AIDetect.malware1
Lionic: Trojan.Multi.Generic.4!c
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.GenericKD.47924581
FireEye: Generic.mg.78d105392a4d5290
CAT-QuickHeal: Ransom.StopcryptPMF.S26293797
ALYac: Trojan.GenericKD.47924581
Malwarebytes: Trojan.MalPack.GS
Sangfor: Trojan.Win32.Save.a
CrowdStrike: win/malicious_confidence_90% (W)
BitDefender: Trojan.GenericKD.47924581
K7GW: Trojan ( 0058d1e71 )
K7AntiVirus: Trojan ( 0058d1e71 )
Cyren: W32/Kryptik.GAL.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Kryptik.HOAB
Baidu: Win32.Trojan.Kryptik.jm
TrendMicro-HouseCall: Ransom_StopCrypt.R03FC0DAK22
Avast: Win32:CrypterX-gen [Trj]
ClamAV: Win.Dropper.Mikey-9917324-0
Kaspersky: HEUR:Backdoor.Win32.Mokes.gen
Alibaba: Trojan:Application/Generic.3c4daa5b
Rising: Backdoor.Mokes!8.619 (CLOUD)
Ad-Aware: Trojan.GenericKD.47924581
Sophos: Mal/Generic-S + Troj/Krypt-FV
DrWeb: Trojan.Siggen16.34474
Zillya: Trojan.Kryptik.Win32.3672916
TrendMicro: Ransom_StopCrypt.R03FC0DAK22
McAfee-GW-Edition: BehavesLike.Win32.Generic.dh
SentinelOne: Static AI – Malicious PE
Emsisoft: Trojan.Crypt (A)
APEX: Malicious
Jiangmin: Backdoor.Mokes.fal
Antiy-AVL: Trojan[Backdoor]/Win32.Mokes
Kingsoft: Win32.Troj.Generic_a.a.(kcloud)
Microsoft: Ransom:Win32/StopCrypt.PAH!MTB
ZoneAlarm: HEUR:Backdoor.Win32.Mokes.gen
GData: Win32.Trojan.BSE.11WL534
Cynet: Malicious (score: 100)
AhnLab-V3: Infostealer/Win.SmokeLoader.R465570
Acronis: suspicious
McAfee: RDN/Generic.hbg
VBA32: BScope.Backdoor.Mokes
Cylance: Unsafe
Panda: Trj/Genetic.gen
Tencent: Win32.Backdoor.Mokes.Akpd
Yandex: Trojan.Kryptik!xsEzsKa5X64
MAX: malware (ai score=81)
Fortinet: W32/Kryptik.HNZY!tr
AVG: Win32:CrypterX-gen [Trj]
Cybereason: malicious.608db1
Paloalto: generic.ml

How to remove Ransom.StopcryptPMF.S26293797?

Ransom.StopcryptPMF.S26293797 removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and run a “Standard scan”.
  • Choose “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the affected browser and the reset options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
