Categories: Ransom

Ransom:Win32/Nemty.D information

The Ransom:Win32/Nemty.D is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Ransom:Win32/Nemty.D virus can do?

Executable code extraction
Attempts to connect to a dead IP:Port (3 unique times)
Creates RWX memory
A process attempted to delay the analysis task.
Attempts to execute a powershell command with suspicious parameter/s
A process created a hidden window
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Performs some HTTP requests
Executed a very long command line or script command which may be indicative of chained commands or obfuscation
A scripting utility was executed
Uses Windows utilities for basic functionality
Attempts to delete volume shadow copies
Modifies boot configuration settings
Network activity contains more than one unique useragent.
Writes a potential ransom message to disk
Contacts C&C server HTTP check-in (Banking Trojan)
Attempts to modify proxy settings
Clears Windows events or logs
Attempts to interact with an Alternate Data Stream (ADS)
Uses suspicious command line tools or Windows utilities

Related domains:

z.whorecord.xyz

www.myexternalip.com

a.tomx.xyz

ocsp.pki.goog

api.db-ip.com

nemty10.hk

How to determine Ransom:Win32/Nemty.D?


File Info:
crc32: E6FBA759md5: a5d962de3761c8ed95e97d49dcde8f12name: nem.exesha1: c8f960f1747c7325e4cfaaa87a8fc3ed452a0f50sha256: 5c59f79a1706bbdb2cd0f0d34baea40cee5f15220599c24dca5a535c1c6654a1sha512: 7048d65a807741a81f8ff155fb7fe01860fba4634e8c7167f38c3c8a2221f8fa19b07432c0f12a2c187a0845fb1029492ebb3a8045b79818c0cba6c4ec8676b6ssdeep: 1536:RStOoo6j+5UTeLNSTQjn0WLg4xI1kXcteRYVzgQxSOrjpBrO:RKHp+5UiZSqzguRcs4zgQxSOPLrOtype: PE32 executable (GUI) Intel 80386, for MS Windows
Version Info:
0: [No Data]

Ransom:Win32/Nemty.D also known as:

MicroWorld-eScan	Gen:Heur.Ransom.Imps.1
McAfee	Ransom-Nemty!A5D962DE3761
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Gen:Heur.Ransom.Imps.1
K7GW	Trojan ( 00556c621 )
K7AntiVirus	Trojan ( 00556c621 )
Arcabit	Trojan.Ransom.Imps.1
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Filecoder.Nemty.A
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Zenpak.vho
Alibaba	Ransom:Win32/Genasom.ali1000102
NANO-Antivirus	Trojan.Win32.Encoder.gxsssr
Rising	Ransom.Nemty!1.BD61 (CLASSIC)
Endgame	malicious (high confidence)
Emsisoft	Gen:Heur.Ransom.Imps.1 (B)
F-Secure	Trojan.TR/Downloader.Gen
DrWeb	Trojan.Encoder.30832
Zillya	Trojan.Filecoder.Win32.12172
Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Rimecud.nh
Fortinet	W32/Filecoder_Nemty.A!tr
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.a5d962de3761c8ed
Sophos	Mal/Generic-S
SentinelOne	DFI – Malicious PE
Jiangmin	Trojan.Zenpak.axc
Webroot	W32.Malware.Gen
Avira	TR/Downloader.Gen
MAX	malware (ai score=84)
Microsoft	Ransom:Win32/Nemty.D
ZoneAlarm	HEUR:Trojan.Win32.Zenpak.vho
AhnLab-V3	Trojan/Win32.Nemty.C3974898
Acronis	suspicious
VBA32	BScope.Trojan.Encoder
ALYac	Gen:Heur.Ransom.Imps.1
Ad-Aware	Gen:Heur.Ransom.Imps.1
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Ransom_Nemty.R015C0DB820
Tencent	Win32.Trojan.Filecoder.Loht
GData	Gen:Heur.Ransom.Imps.1
BitDefenderTheta	AI:Packer.8D8C4BDE1E
AVG	Win32:RansomX-gen [Ransom]
Cybereason	malicious.e3761c
Avast	Win32:RansomX-gen [Ransom]
MaxSecure	Trojan.Malware.74773626.susgen