Ransom

What is “Ransom:Win32/Bosloki.A”?

Malware Removal

The Ransom:Win32/Bosloki.A is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Ransom:Win32/Bosloki.A virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
  • Collects and encrypts information about the computer likely to send to C2 server
  • Installs itself for autorun at Windows startup
  • Creates known CypherIT/Frenchy Shellcode mutexes

How to determine Ransom:Win32/Bosloki.A?



File Info:

name: AE33A84431F7120D14AD.mlw
path: /opt/CAPEv2/storage/binaries/77a9d3bb30d4c76152b423bed43622b6117ffa61781b69b03b805577fdde018d
crc32: FAE09762
md5: ae33a84431f7120d14ad23962679e770
sha1: 25c20c4f55414b0815194ab53947c6a29472ce7f
sha256: 77a9d3bb30d4c76152b423bed43622b6117ffa61781b69b03b805577fdde018d
sha512: c77e2c090c8d7d267d2b834743629d4aead4cadeddff3705a29265d63a52e6a9d286ee2cd625bd851ba45311606b9f1ce1dfc4f44120a22c03f3b65fe233d7c1
ssdeep: 24576:bAHnh+eWsN3skA4RV1Hom2KXMmHaIDHpKzWH1TNCj5:2h+ZkldoPK8YaIjmEO
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1AA35AD02B3D1D076FFAA92739B66F20556BC7D290133852F13982DB9BD701B1263E663
sha3_384: 07f1e68aaa40c9adbc69bba302d29c7f07f56a9ac9532ae6f2ae31df9cae04ccdb3a260525d0c9c2306eaeb434f20f98
ep_bytes: e8c8d00000e97ffeffffcccccccccccc
timestamp: 2019-09-24 13:23:02


Version Info:

FileDescription: EhStorAuthn
OriginalFilename: replace
CompanyName: FirstLogonAnim
FileVersion: 11.229.373.742
LegalCopyright: bootux
ProductName: control
ProductVersion: 792.218.924.482
Translation: 0x0409 0x04b0

Ransom:Win32/Bosloki.A also known as:

BkavW32.AIDetect.malware1
LionicHacktool.Win32.Gamehack.3!e
Elasticmalicious (high confidence)
DrWebTrojan.KillProc2.6520
MicroWorld-eScanGen:Trojan.Heur.AutoIT.16
FireEyeGen:Trojan.Heur.AutoIT.16
CAT-QuickHealTrojan.AgentSM.S6640034
ALYacGen:Trojan.Heur.AutoIT.16
CylanceUnsafe
K7AntiVirusRiskware ( 0040eff71 )
AlibabaBackdoor:AutoIt/AutoitInject.c9478bd2
K7GWRiskware ( 0040eff71 )
Cybereasonmalicious.431f71
BitDefenderThetaAI:Packer.C93748341A
CyrenW32/AutoIt.RK.gen!Eldorado
SymantecPacked.Generic.548
ESET-NOD32a variant of Win32/Injector.Autoit.EIJ
TrendMicro-HouseCallBackdoor.AutoIt.BLADABINDI.SMP
Paloaltogeneric.ml
ClamAVWin.Malware.Autoit-7191337-0
KasperskyTrojan.Script.Obit.gen
BitDefenderGen:Trojan.Heur.AutoIT.16
NANO-AntivirusTrojan.Win32.Bladabindi.gaxdbv
AvastAutoIt:Dropper-DL [Trj]
TencentMsil.Backdoor.Bladabindi.Lnxr
Ad-AwareGen:Trojan.Heur.AutoIT.16
EmsisoftGen:Trojan.Heur.AutoIT.16 (B)
VIPRETrojan.Win32.Generic!BT
TrendMicroBackdoor.AutoIt.BLADABINDI.SMP
McAfee-GW-EditionBehavesLike.Win32.TrojanAitInject.tc
SophosMal/Generic-S
IkarusTrojan.Autoit
GDataGen:Trojan.Heur.AutoIT.16
AviraDR/AutoIt.Gen8
MAXmalware (ai score=87)
Antiy-AVLTrojan/Generic.ASCommon.168
ArcabitTrojan.Heur.AutoIT.16
MicrosoftRansom:Win32/Bosloki.A
CynetMalicious (score: 99)
AhnLab-V3Trojan/AU3.Wacatac.S1079
McAfeeArtemis!AE33A84431F7
VBA32Trojan.KillProc
MalwarebytesMalware.AI.1690431854
APEXMalicious
RisingTrojan.Obfus/Autoit!1.BD7E (CLASSIC)
MaxSecureTrojan.Malware.300983.susgen
FortinetAutoIt/Injector.EIE!tr
AVGAutoIt:Dropper-DL [Trj]
PandaTrj/Genetic.gen
CrowdStrikewin/malicious_confidence_80% (D)

How to remove Ransom:Win32/Bosloki.A?

Ransom:Win32/Bosloki.A removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment