
What is “Ransom:Win32/ContiCrypt!MTB”?


The Ransom:Win32/ContiCrypt!MTB detection is regarded as dangerous by many security vendors. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.


What can the Ransom:Win32/ContiCrypt!MTB virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Guard pages use detected – possible anti-debugging.
  • Attempts to connect to a dead IP:Port (255 unique times)
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Creates an autorun.inf file
  • Authenticode signature is invalid
  • Writes a potential ransom message to disk
  • Collects and encrypts information about the computer likely to send to C2 server
  • Performs a large number of encryption calls using the same key possibly indicative of ransomware file encryption behavior

How to identify Ransom:Win32/ContiCrypt!MTB?

File Info:

name: 1B7C8D81177204C1C364.mlw
path: /opt/CAPEv2/storage/binaries/7b8ceef482d52990e0bc7f46c73c9fa756c8ef3107e55c3af65defac5522f887
crc32: DD4D2A32
md5: 1b7c8d81177204c1c3640cfaef4f7126
sha1: 74388d6a24a707c722f0237c3e654d747367b8dc
sha256: 7b8ceef482d52990e0bc7f46c73c9fa756c8ef3107e55c3af65defac5522f887
sha512: 73288cbd4ceccd40f67dda3b697a78160826558e878c923dff9aaba309480d6b13bcb7327c733d1b5a159554425a5ac591025d11102379cbd736745b9a19485d
ssdeep: 24576:l/Fvl0vUEA9obiMebVtST6XhizSalqH0rLMxw1R/SG7V//Ejf8aWPH9yTxEGPGgb:lr
type: PE32 executable (console) Intel 80386, for MS Windows
tlsh: T1D3A5BFB876047DE6A66F537BDE96ADDC03B627239A8BA4CD806477C30563375FE02804
sha3_384: 2135d1d7ced474813f9f0e92b522055ef4b334ee68eb4c5dedd9357a3562e4d909372064cccd93e421827e5dafbded39
ep_bytes: e8dc050000e974feffffc20000558bec
timestamp: 2022-01-30 12:27:05

Version Info:

0: [No Data]

Ransom:Win32/ContiCrypt!MTB also known as:

Bkav: W32.AIDetect.malware1
Lionic: Trojan.Win32.Cryptor.j!c
MicroWorld-eScan: Trojan.GenericKD.48257954
FireEye: Trojan.GenericKD.48257954
McAfee: Artemis!1B7C8D811772
Malwarebytes: Malware.AI.3769947163
Sangfor: Ransom.Win32.Cryptor.gen
K7AntiVirus: Riskware ( 00584baa1 )
Alibaba: Ransom:Win32/generic.ali2000010
K7GW: Riskware ( 00584baa1 )
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Generik.BUSVWRF
TrendMicro-HouseCall: Ransom_ContiCrypt.R06CC0DB722
Paloalto: generic.ml
Kaspersky: HEUR:Trojan-Ransom.Win32.Cryptor.gen
BitDefender: Trojan.GenericKD.48257954
Avast: Win32:Malware-gen
Ad-Aware: Trojan.GenericKD.48257954
Emsisoft: Trojan.GenericKD.48257954 (B)
TrendMicro: Ransom_ContiCrypt.R06CC0DB722
McAfee-GW-Edition: Artemis!Trojan
Sophos: Mal/Generic-S
APEX: Malicious
GData: Trojan.GenericKD.48257954
Jiangmin: TrojanSpy.KeyLogger.omx
Avira: TR/AD.ContiRansom.ttggl
Antiy-AVL: Trojan/Generic.ASMalwS.3523A71
Gridinsoft: Ransom.Win32.Conti.sa
ZoneAlarm: HEUR:Trojan-Ransom.Win32.Cryptor.gen
Microsoft: Ransom:Win32/ContiCrypt!MTB
Cynet: Malicious (score: 100)
AhnLab-V3: Malware/Win.Malware-gen.C4949296
ALYac: Trojan.GenericKD.48257954
MAX: malware (ai score=89)
Cylance: Unsafe
Rising: Ransom.Cryptor!8.10A9 (CLOUD)
Ikarus: Trojan.ContiRansom
Fortinet: PossibleThreat.MPH.H
AVG: Win32:Malware-gen
Panda: Trj/CI.A

How to remove Ransom:Win32/ContiCrypt!MTB?

Ransom:Win32/ContiCrypt!MTB removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – press “Reset Browser Settings”.
  • Select the proper browser and options – click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
