Ransom

Ransom.Troldesh.187 (B) removal guide

Malware Removal

The Ransom.Troldesh.187 (B) is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Ransom.Troldesh.187 (B) virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Uses Windows utilities for basic functionality
  • Deletes its original binary from disk
  • Steals private information from local Internet browsers
  • Exhibits behavior characteristic of Pony malware
  • Collects information about installed applications
  • Harvests cookies for information gathering
  • Harvests credentials from local FTP client softwares
  • Harvests information related to installed mail clients

How to determine Ransom.Troldesh.187 (B)?



File Info:

name: 168D67202711196B78A1.mlw
path: /opt/CAPEv2/storage/binaries/3f843125ffb5b89b7232cf92b14d230bd8d1e03a7fc762f494b2bb268159600f
crc32: E1565970
md5: 168d67202711196b78a1f90f1d6c67cc
sha1: 730c0808a9c1145a44e95fe54bc322d5760c9f0a
sha256: 3f843125ffb5b89b7232cf92b14d230bd8d1e03a7fc762f494b2bb268159600f
sha512: b5573f42064ace15fc42e80ae587fbf3dd0fc615361b807092b9bf8c9fc695b8e7351b84a279ebd72b8e9ffb9ba8ace523646872aabc8a2d39a65c0b3c091c76
ssdeep: 12288:zty+gtca7emncOHayKFPl/i8qjM0XBzK2XV:zgVcg3Bal/ARXBzrXV
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1C5A4CD0ED7A6A295D3E43B32306860625C316C6DB9C0C5CFF6DFB97976789E13420B26
sha3_384: 4c92d3761686a4efd89d241b32a125068c3a7f3b9de82e75183bd9bbff17fc6480460f4758a5cb273a576131fe068c70
ep_bytes: 60be00b045008dbe0060faff57eb0b90
timestamp: 2018-09-23 17:25:03


Version Info:

FileVersion: 2.5.4.8
PrivateBuild: 2.5.4.8
LegalTrademarks: ©Marco D'Amato. All rights reserved.
InternalName: Firepower Kewl
FileDescription: Constrains Aerdrme
Languages: English
CompanyName: Marco D'Amato
LegalCopyright: ©Marco D'Amato. All rights reserved.
ProductName: Firepower Kewl
ProductVersion: 2.5.4.8
Translation: 0x0409 0x04b0

Ransom.Troldesh.187 (B) also known as:

BkavW32.AIDetect.malware2
Elasticmalicious (high confidence)
DrWebTrojan.PWS.Stealer.1932
CynetMalicious (score: 100)
FireEyeGeneric.mg.168d67202711196b
McAfeeGenericRXAA-AA!168D67202711
CylanceUnsafe
ZillyaTrojan.Fareit.Win32.28079
SangforInfostealer.Win32.Fareit.ekjy
CrowdStrikewin/malicious_confidence_90% (W)
AlibabaTrojanPSW:Win32/Fareit.a9540a37
K7GWPassword-Stealer ( 003bbfec1 )
K7AntiVirusPassword-Stealer ( 003bbfec1 )
BitDefenderThetaGen:NN.ZexaF.34182.BmKfaWBFHUki
SymantecTrojan Horse
ESET-NOD32Win32/PSW.Fareit.A
TrendMicro-HouseCallTSPY_FAREIT.THAOOAAH
Paloaltogeneric.ml
KasperskyTrojan-PSW.Win32.Fareit.ekjy
BitDefenderGen:Variant.Ransom.Troldesh.187
NANO-AntivirusTrojan.Win32.Fareit.figequ
MicroWorld-eScanGen:Variant.Ransom.Troldesh.187
AvastWin32:PWSX-gen [Trj]
TencentMalware.Win32.Gencirc.10ce0b7a
SophosMal/Generic-S
ComodoPacked.Win32.MUPX.Gen@24tbus
VIPRETrojan.Win32.Generic!BT
TrendMicroTSPY_FAREIT.THAOOAAH
McAfee-GW-EditionBehavesLike.Win32.Dropper.gc
EmsisoftGen:Variant.Ransom.Troldesh.187 (B)
IkarusTrojan-Ransom.Crysis
JiangminTrojan.PSW.Fareit.addl
WebrootW32.Trojan.Gen
AviraHEUR/AGEN.1121150
Antiy-AVLTrojan/Generic.ASMalwS.2A9BB26
MicrosoftPWS:Win32/Fareit
GDataGen:Variant.Ransom.Troldesh.187
AhnLab-V3Malware/Win32.Generic.C2735903
ALYacGen:Variant.Ransom.Troldesh.187
MAXmalware (ai score=100)
VBA32TrojanPSW.Fareit
APEXMalicious
RisingStealer.Fareit!8.170 (CLOUD)
YandexTrojan.PWS.Fareit!5C7VWtavgmo
SentinelOneStatic AI – Suspicious PE
FortinetW32/Kryptik.GKNI!tr.ransom
AVGWin32:PWSX-gen [Trj]
Cybereasonmalicious.027111
PandaTrj/GdSda.A

How to remove Ransom.Troldesh.187 (B)?

Ransom.Troldesh.187 (B) removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment