
Ransom:Win32/StopCrypt.PAQ!MTB removal guide


Ransom:Win32/StopCrypt.PAQ!MTB is the name Microsoft Defender assigns to this sample; most other engines flag the same file as well (see the detection list below), although they mostly classify it as a packed trojan or information stealer rather than as ransomware. When the infection is active you may notice unfamiliar processes in Task Manager. If you do, scan the computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and can damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a full scan and clean your PC during the trial period.
6-day free trial available.

What can Ransom:Win32/StopCrypt.PAQ!MTB do?

These are the behavioural signatures the CAPE sandbox raised while running the sample:

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: executable code extraction (unpacking at run time)
  • YARA rule detections observed from a process memory dump, dropped files or CAPE output
  • Creates RWX memory (pages that are both writable and executable, as used by unpackers and injected shellcode)
  • Possible date-expiration check: exits too soon after reading the local time
  • Dynamic (imported) function loading detected (APIs resolved at run time rather than through the import table)
  • Enumerates the modules of a process (may be used to locate base addresses for process injection)
  • CAPE extracted potentially suspicious content
  • Unconventional language used in binary resources: Serbian
  • Authenticode signature is invalid
  • CAPE detected the RedLine malware family

Note that the last item matters for incident response: CAPE attributes the unpacked payload to RedLine, an information stealer, and Kaspersky likewise labels the sample Trojan-Spy.Win32.Stealer. The "StopCrypt" ransomware name comes from Microsoft's and Rising's classification only, so the absence of encrypted files does not mean the machine is clean.

How to identify Ransom:Win32/StopCrypt.PAQ!MTB?

File Info:

name: 39009978943EBAD87B5A.mlw
path: /opt/CAPEv2/storage/binaries/653fb57e3fbdbf7c33ddc71ceda58dcf23cd61e38ff5f848250893b641e24920
crc32: 286F8B78
md5: 39009978943ebad87b5af87be59bbf19
sha1: 6ad2f5ab9734c8b41ad057d5611ec3eb56168b2c
sha256: 653fb57e3fbdbf7c33ddc71ceda58dcf23cd61e38ff5f848250893b641e24920
sha512: 1350976b5bb3ad9e0ee07f068fa6f150d0228736913c33ae35f4c222cc69962822a770a3f99a39f8c9d282f26e3bb8e46e7b83e6ad1bc439c415c8c369ac2216
ssdeep: 6144:tqnQJL/s+pj7v8ZYOKdcG4RSNV3U84V3owLgAzi:yYrs+psXKdP4IN1UzXLgQi
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T18384F1313A90D431C0972A354916CFA05ABDBC3628B45A8777A92B6F6F323C1567B31F
sha3_384: 6ecb219f019d194a30a133c1e9378ee413049c78a985614997f02d3fd43b7429f255441e3d3f64f87765dba7c3fdf92d
ep_bytes: e815500000e979feffff832544a14500
timestamp: 2021-06-24 03:00:57

Version Info:

FileVersion: 21.29.120.69
InternationalName: bomgvioci.iwa
Copyright: Copyrighz (C) 2021, fudkorta
ProjectVersion: 1.10.70.57
Translations: 0x0121 0x03ca
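The file hashes above are the only indicators on this page that identify the sample unambiguously; the compile timestamp and file type are useful corroboration but are attacker-controlled. The script below is an added example (not GridinSoft code) that computes the same digests CAPE lists, reads the PE COFF header to recover the machine type and TimeDateStamp, and compares the result with the indicators copied from the File Info block. The PE blob used by its self-test is constructed in the script and is not the real sample; it assumes CAPE printed the timestamp in UTC.

```python
"""Offline triage of a suspect file against the indicators listed on this page."""
import hashlib
import struct
import zlib
from datetime import datetime, timezone
from typing import Optional

# Indicators copied from the "File Info" block above.
IOC = {
    "md5": "39009978943ebad87b5af87be59bbf19",
    "sha1": "6ad2f5ab9734c8b41ad057d5611ec3eb56168b2c",
    "sha256": "653fb57e3fbdbf7c33ddc71ceda58dcf23cd61e38ff5f848250893b641e24920",
    "crc32": "286F8B78",
    "timestamp": "2021-06-24 03:00:57",
}


def compute_hashes(data: bytes) -> dict:
    """Return the digests CAPE reports (crc32 uppercase hex, the rest lowercase hex)."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def pe_header_info(data: bytes) -> Optional[dict]:
    """Parse the PE COFF header: machine, section count, TimeDateStamp, entry point RVA.

    Returns None if the buffer is not a PE image. Offsets follow the PE/COFF format:
    e_lfanew at 0x3C, 'PE\\0\\0' signature, 20-byte COFF header, then the optional
    header whose Magic is at offset 0 and AddressOfEntryPoint at offset 16.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 44 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, tstamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    (entry_rva,) = struct.unpack_from("<I", data, e_lfanew + 24 + 16)
    return {
        "machine": {0x014C: "Intel 80386", 0x8664: "x86-64"}.get(machine, hex(machine)),
        "pe32": magic == 0x10B,
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_rva": entry_rva,
    }


def triage(data: bytes, ioc: dict = IOC) -> dict:
    """Compare a file's digests and PE header against the indicator set.

    A digest match is conclusive for this exact sample. A timestamp match on its own
    is circumstantial, because TimeDateStamp is set by whoever built the binary.
    """
    hashes = compute_hashes(data)
    pe = pe_header_info(data)
    return {
        "hashes": hashes,
        "hash_match": [k for k in ("md5", "sha1", "sha256", "crc32") if hashes[k] == ioc.get(k)],
        "pe": pe,
        "timestamp_match": bool(pe) and pe["timestamp"] == ioc.get("timestamp"),
    }


def build_fake_pe(timestamp: int = 1624503657) -> bytes:
    """Construct a minimal header-only PE32 blob for the self-test (constructed, not malware).

    1624503657 is 2021-06-24 03:00:57 UTC, the compile timestamp CAPE reports,
    assuming CAPE printed it in UTC.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)  # AddressOfEntryPoint
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe()
    print(triage(blob))
```

Run it with a file path to check a quarantined binary against the list; with no argument it triages the constructed stub, which matches only on the timestamp, illustrating why that field alone should not drive a verdict.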

Ransom:Win32/StopCrypt.PAQ!MTB is also known under these names by other engines (vendor: detection):

Bkav: W32.AIDetect.malware1
Lionic: Trojan.Win32.SmartFortress.lEDV
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.GenericKD.48015711
FireEye: Generic.mg.39009978943ebad8
McAfee: Packed-GEE!39009978943E
Cylance: Unsafe
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: Trojan ( 003e58dd1 )
Alibaba: Packed:Application/Obfuscated.3c9c0474
K7GW: Trojan ( 0058d45d1 )
CrowdStrike: win/malicious_confidence_100% (W)
BitDefenderTheta: Gen:NN.ZexaF.34160.yq0@aCe4GxiG
Cyren: W32/Qbot.FK.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Kryptik.HOAX
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Malware.Generic-9936948-0
Kaspersky: Trojan-Spy.Win32.Stealer.azns
BitDefender: Trojan.GenericKD.48015711
Avast: Win32:AceCrypter-B [Cryp]
Ad-Aware: Trojan.GenericKD.48015711
Sophos: ML/PE-A + Mal/Agent-AWV
DrWeb: Trojan.DownLoader44.34996
TrendMicro: TROJ_GEN.R002C0PAK22
McAfee-GW-Edition: BehavesLike.Win32.RansomWannaCry.fh
Emsisoft: Trojan.Crypt (A)
Ikarus: Trojan.Win32.Crypt
GData: Trojan.GenericKD.48015711
Avira: TR/AD.GenSHCode.vpkpp
MAX: malware (ai score=80)
Antiy-AVL: Trojan/Generic.ASMalwS.350F4C7
Kingsoft: Win32.Troj.Undef.(kcloud)
Arcabit: Trojan.Generic.D2DCA95F
Microsoft: Ransom:Win32/StopCrypt.PAQ!MTB
Cynet: Malicious (score: 100)
AhnLab-V3: Packed/Win.GEE.R466646
ALYac: Trojan.GenericKD.48015711
VBA32: BScope.Trojan.Convagent
Malwarebytes: Trojan.MalPack.GS
TrendMicro-HouseCall: TROJ_GEN.R002C0PAK22
Rising: Ransom.Stop!8.10810 (CLOUD)
SentinelOne: Static AI – Malicious PE
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/GenKryptik.ERHN!tr
AVG: Win32:AceCrypter-B [Cryp]
Panda: Trj/GdSda.A

How to remove Ransom:Win32/StopCrypt.PAQ!MTB?

Ransom:Win32/StopCrypt.PAQ!MTB removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and run a “Standard scan”.
  • Choose “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the affected browser and the desired options, then click “Reset”.
  • Restart your computer.

Because CAPE attributes the payload to the RedLine stealer and Kaspersky classifies the sample as Trojan-Spy.Win32.Stealer, quarantining the file does not undo any credential theft that already took place: after cleanup, change passwords that were saved in the browser and sign out of active sessions from a device known to be clean.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
