Ransom:Win32/StopCrypt.PAF!MTB (file analysis)
Ransom:Win32/StopCrypt.PAF!MTB is the Microsoft detection name for this sample; most of the other vendors listed below flag the same file as malicious, several of them as a member of the STOP ransomware family. While the infection is running you may see unfamiliar processes in Task Manager. If you do, scan the computer with GridinSoft Anti-Malware.

What can Ransom:Win32/StopCrypt.PAF!MTB do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Created a process from a suspicious location

How to identify Ransom:Win32/StopCrypt.PAF!MTB?

File Info:

name: B550316670C31D8F504B.mlw
path: /opt/CAPEv2/storage/binaries/77129196060be9eb3bca0c32bf15ca853c2d9d0e77eb05fd2383ee57b81115de
crc32: F4D1CBCD
md5: b550316670c31d8f504bbc8895464e32
sha1: bb101dd32c17ffcc5e941d28cd0aac2a561fe50e
sha256: 77129196060be9eb3bca0c32bf15ca853c2d9d0e77eb05fd2383ee57b81115de
sha512: 7840d683a2c08e2ec631985cdcfcac18ce7a37ea95da92a3b1584cb7ef882189afc236b0e27b9e2f86e8c76b6408e416d0752bcaec2bf582fae60342aaecd68e
ssdeep: 3072:qxmaeoP/qEskN7X+U5GDVPsHxk6ZCzxQbv6hs:qvbquNaa+Pzxovl
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T16144AE227AE0C43EC6F7593574B0CAA46E3BB9125A71814F376917EE6F332918E25307
sha3_384: d49a0aaa385f6c72809899a769d71ccb563cec819b40b20388002074d6d173eab02a416cbab5812e2d743483b6c30c18
ep_bytes: e849320000e978feffffcccccccccccc
timestamp: 2021-06-09 12:02:52
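Several of the sandbox signatures above (unknown PE section name, RWX memory, invalid Authenticode) and most of the File Info fields (hashes, type, timestamp, ep_bytes) come straight from the PE headers. The script below is an added example, not CAPE's code and not part of the original page: a standard-library-only PE triage that reproduces those fields. It parses a constructed minimal PE32 image rather than the real sample; the section name "pewhb" is invented to stand in for a packer-generated name, and the entry-point bytes are copied from the ep_bytes line above so the output can be compared with it. It only checks whether a certificate table is present and does not verify the Authenticode signature; ssdeep and tlsh are omitted because they need third-party libraries.

```python
"""Static PE triage with the standard library only (illustrative example)."""
import hashlib
import struct
from datetime import datetime, timezone

# Section names a mainstream linker emits; anything else is reported, which is
# the same heuristic as the sandbox's "unknown PE section name" signature.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".debug"}
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def parse_pe(data: bytes) -> dict:
    """Return the fields a sandbox 'File Info' block is derived from."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    ep_rva, = struct.unpack_from("<I", data, opt + 16)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    # Data directory 4 (Security) points at the Authenticode blob; size 0 means unsigned.
    dd_base = 96 if magic == 0x10B else 112
    cert_size = struct.unpack_from("<I", data, opt + dd_base + 36)[0] if opt_size >= dd_base + 40 else 0
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    # Translate the entry-point RVA to a file offset through the section that contains it.
    ep_bytes = ""
    for s in sections:
        if s["va"] <= ep_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            off = ep_rva - s["va"] + s["rawptr"]
            ep_bytes = data[off:off + 16].hex()
            break
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": "%s executable (%s) %s" % ("PE32" if magic == 0x10B else "PE32+",
                                          SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem),
                                          MACHINES.get(machine, "machine 0x%x" % machine)),
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "ep_bytes": ep_bytes,
        "sections": [s["name"] for s in sections],
        "unknown_sections": [s["name"] for s in sections if s["name"] not in KNOWN_SECTIONS],
        "rwx_sections": [s["name"] for s in sections
                         if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE],
        "has_certificate_table": cert_size > 0,
    }


def triage(data: bytes) -> dict:
    """parse_pe() plus the static indicators a packed, unsigned binary shows."""
    info = parse_pe(data)
    info["indicators"] = []
    if info["unknown_sections"]:
        info["indicators"].append("unknown section name(s): " + ", ".join(info["unknown_sections"]))
    if info["rwx_sections"]:
        info["indicators"].append("writable+executable section(s): " + ", ".join(info["rwx_sections"]))
    if not info["has_certificate_table"]:
        info["indicators"].append("no Authenticode certificate table")
    return info


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (NOT the analysed sample): a normal .text
    section plus an RWX section with the invented packer-style name 'pewhb'."""
    ts = int(datetime(2021, 6, 9, 12, 2, 52, tzinfo=timezone.utc).timestamp())
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 2 sections, timestamp, no symbols, 224-byte optional header, EXE|32-bit
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, ts, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<H", hdr, opt + 68, 2)             # IMAGE_SUBSYSTEM_WINDOWS_GUI
    sec = opt + 0xE0
    struct.pack_into("<8sIIIIIIHHI", hdr, sec, b".text", 0x200, 0x1000, 0x200, 0x200,
                     0, 0, 0, 0, 0x60000020)             # CODE | EXECUTE | READ
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40, b"pewhb", 0x200, 0x2000, 0x200, 0x400,
                     0, 0, 0, 0, 0xE0000040)             # INITIALIZED_DATA | EXECUTE | READ | WRITE
    # Entry-point bytes copied from the File Info block above, padded with int3.
    text = bytes.fromhex("e849320000e978feffffcccccccccccc").ljust(0x200, b"\xcc")
    packed = b"\x90" * 0x200                             # opaque placeholder payload
    return bytes(hdr) + text + packed


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To triage a real file, pass `open(path, "rb").read()` to `triage()`; note that it reads headers only and treats a present certificate table as "signed", so a tool that actually validates the chain is still needed to reproduce the "Authenticode signature is invalid" verdict.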

Version Info:

InternationalName: bomgvioci.iwa
Copyright: Copyrighz (C) 2021, fudkort
ProjectVersion: 3.14.70.27
Translation: 0x0129 0x0794

Ransom:Win32/StopCrypt.PAF!MTB is also detected as (vendor: detection name):

  • Bkav: W32.AIDetect.malware1
  • Lionic: Trojan.Multi.Generic.4!c
  • Elastic: malicious (high confidence)
  • DrWeb: Trojan.Siggen16.26460
  • MicroWorld-eScan: Trojan.GenericKD.47834081
  • FireEye: Generic.mg.b550316670c31d8f
  • ALYac: Trojan.GenericKD.47834081
  • Malwarebytes: Trojan.MalPack.GS
  • Sangfor: Trojan.Win32.Save.a
  • Alibaba: Ransom:Win32/StopCrypt.2a6d579d
  • CrowdStrike: win/malicious_confidence_100% (W)
  • BitDefenderTheta: Gen:NN.ZexaF.34114.quW@a0KWeJaK
  • Cyren: W32/Kryptik.FWV.gen!Eldorado
  • Symantec: Packed.Generic.525
  • ESET-NOD32: a variant of Win32/Kryptik.HNXF
  • TrendMicro-HouseCall: TROJ_GEN.R002H06A522
  • Paloalto: generic.ml
  • ClamAV: Win.Dropper.Tofsee-9919472-0
  • Kaspersky: HEUR:Trojan-Ransom.Win32.Stop.gen
  • BitDefender: Trojan.GenericKD.47834081
  • Avast: Win32:CrypterX-gen [Trj]
  • Ad-Aware: Trojan.GenericKD.47834081
  • Emsisoft: Trojan.GenericKD.47834081 (B)
  • McAfee-GW-Edition: BehavesLike.Win32.Generic.dt
  • Sophos: Mal/Generic-R + Mal/Agent-AWV
  • Ikarus: Trojan.Win32.Crypt
  • GData: Trojan.GenericKD.47834081
  • Avira: TR/Crypt.Agent.ircus
  • Arcabit: Trojan.Generic.D2D9E3E1
  • Microsoft: Ransom:Win32/StopCrypt.PAF!MTB
  • Cynet: Malicious (score: 100)
  • AhnLab-V3: Trojan/Win.MalPE.R462691
  • Acronis: suspicious
  • McAfee: Packed-GEE!B550316670C3
  • MAX: malware (ai score=85)
  • Cylance: Unsafe
  • APEX: Malicious
  • Rising: Ransom.Stop!8.10810 (CLOUD)
  • SentinelOne: Static AI – Malicious PE
  • Fortinet: W32/GenKryptik.ERHN!tr
  • AVG: Win32:CrypterX-gen [Trj]
  • Cybereason: malicious.32c17f
  • Panda: Trj/GdSda.A

How to remove Ransom:Win32/StopCrypt.PAF!MTB?

Removal with GridinSoft Anti-Malware (removing the executable stops further encryption but does not decrypt files that were already encrypted):
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and run a “Standard scan”.
  • Choose “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the browser and the options to reset, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.