Categories: Ransom

What is “Ransom:Win32/Bosloki.A”?

The Ransom:Win32/Bosloki.A is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Ransom:Win32/Bosloki.A virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
  • Collects and encrypts information about the computer likely to send to C2 server
  • Installs itself for autorun at Windows startup
  • Creates known CypherIT/Frenchy Shellcode mutexes

How to determine Ransom:Win32/Bosloki.A?



File Info:

name: AE33A84431F7120D14AD.mlwpath: /opt/CAPEv2/storage/binaries/77a9d3bb30d4c76152b423bed43622b6117ffa61781b69b03b805577fdde018dcrc32: FAE09762md5: ae33a84431f7120d14ad23962679e770sha1: 25c20c4f55414b0815194ab53947c6a29472ce7fsha256: 77a9d3bb30d4c76152b423bed43622b6117ffa61781b69b03b805577fdde018dsha512: c77e2c090c8d7d267d2b834743629d4aead4cadeddff3705a29265d63a52e6a9d286ee2cd625bd851ba45311606b9f1ce1dfc4f44120a22c03f3b65fe233d7c1ssdeep: 24576:bAHnh+eWsN3skA4RV1Hom2KXMmHaIDHpKzWH1TNCj5:2h+ZkldoPK8YaIjmEOtype: PE32 executable (GUI) Intel 80386, for MS Windowstlsh: T1AA35AD02B3D1D076FFAA92739B66F20556BC7D290133852F13982DB9BD701B1263E663sha3_384: 07f1e68aaa40c9adbc69bba302d29c7f07f56a9ac9532ae6f2ae31df9cae04ccdb3a260525d0c9c2306eaeb434f20f98ep_bytes: e8c8d00000e97ffeffffcccccccccccctimestamp: 2019-09-24 13:23:02

Version Info:

FileDescription: EhStorAuthnOriginalFilename: replaceCompanyName: FirstLogonAnimFileVersion: 11.229.373.742LegalCopyright: bootuxProductName: controlProductVersion: 792.218.924.482Translation: 0x0409 0x04b0

Ransom:Win32/Bosloki.A also known as:

Bkav W32.AIDetect.malware1
Lionic Hacktool.Win32.Gamehack.3!e
Elastic malicious (high confidence)
DrWeb Trojan.KillProc2.6520
MicroWorld-eScan Gen:Trojan.Heur.AutoIT.16
FireEye Gen:Trojan.Heur.AutoIT.16
CAT-QuickHeal Trojan.AgentSM.S6640034
ALYac Gen:Trojan.Heur.AutoIT.16
Cylance Unsafe
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Backdoor:AutoIt/AutoitInject.c9478bd2
K7GW Riskware ( 0040eff71 )
Cybereason malicious.431f71
BitDefenderTheta AI:Packer.C93748341A
Cyren W32/AutoIt.RK.gen!Eldorado
Symantec Packed.Generic.548
ESET-NOD32 a variant of Win32/Injector.Autoit.EIJ
TrendMicro-HouseCall Backdoor.AutoIt.BLADABINDI.SMP
Paloalto generic.ml
ClamAV Win.Malware.Autoit-7191337-0
Kaspersky Trojan.Script.Obit.gen
BitDefender Gen:Trojan.Heur.AutoIT.16
NANO-Antivirus Trojan.Win32.Bladabindi.gaxdbv
Avast AutoIt:Dropper-DL [Trj]
Tencent Msil.Backdoor.Bladabindi.Lnxr
Ad-Aware Gen:Trojan.Heur.AutoIT.16
Emsisoft Gen:Trojan.Heur.AutoIT.16 (B)
VIPRE Trojan.Win32.Generic!BT
TrendMicro Backdoor.AutoIt.BLADABINDI.SMP
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.tc
Sophos Mal/Generic-S
Ikarus Trojan.Autoit
GData Gen:Trojan.Heur.AutoIT.16
Avira DR/AutoIt.Gen8
MAX malware (ai score=87)
Antiy-AVL Trojan/Generic.ASCommon.168
Arcabit Trojan.Heur.AutoIT.16
Microsoft Ransom:Win32/Bosloki.A
Cynet Malicious (score: 99)
AhnLab-V3 Trojan/AU3.Wacatac.S1079
McAfee Artemis!AE33A84431F7
VBA32 Trojan.KillProc
Malwarebytes Malware.AI.1690431854
APEX Malicious
Rising Trojan.Obfus/Autoit!1.BD7E (CLASSIC)
MaxSecure Trojan.Malware.300983.susgen
Fortinet AutoIt/Injector.EIE!tr
AVG AutoIt:Dropper-DL [Trj]
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_80% (D)

How to remove Ransom:Win32/Bosloki.A?

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.
Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment
Share
Published by
Paul Valéry
Tags: Ransom:Win32/Bosloki.Areplace
2 years ago

Recent Posts

Packed.Win32.Krap.an information

The Packed.Win32.Krap.an is considered dangerous by lots of security experts. When this infection is active,…

2 mins ago

Win32:AutoRun-AYS [Wrm] removal guide

The Win32:AutoRun-AYS [Wrm] is considered dangerous by lots of security experts. When this infection is…

1 hour ago

Win32/StartPage.OUR information

The Win32/StartPage.OUR is considered dangerous by lots of security experts. When this infection is active,…

2 hours ago

How to remove “Trojan.Generic.33997309”?

The Trojan.Generic.33997309 is considered dangerous by lots of security experts. When this infection is active,…

2 hours ago

Cerbu.190164 (file analysis)

The Cerbu.190164 is considered dangerous by lots of security experts. When this infection is active,…

2 hours ago

Win32/Adware.Adposhel.AR information

The Win32/Adware.Adposhel.AR is considered dangerous by lots of security experts. When this infection is active,…

2 hours ago