
What is “Ransom:Win32/StopCrypt.PAY!MTB”?


Ransom:Win32/StopCrypt.PAY!MTB is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to complete a scan and cure your PC during the trial period.
6-day free trial available.

What can the Ransom:Win32/StopCrypt.PAY!MTB virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Enumerates services, possibly for anti-virtualization
  • Installs itself for autorun at Windows startup
  • CAPE detected the Tofsee malware family
  • Anomalous binary characteristics
  • Uses suspicious command line tools or Windows utilities

How to identify Ransom:Win32/StopCrypt.PAY!MTB?

File Info:

name: 5F55F19C3B8B10A19A00.mlw
path: /opt/CAPEv2/storage/binaries/c75311ec4549dd2f54d08eb9c0652328e6170db0e89337b462ccca141fdccbaa
crc32: F7D2650D
md5: 5f55f19c3b8b10a19a005b41bc0a80be
sha1: afa0bb3f823141d275417fb99e6045dac043e7c4
sha256: c75311ec4549dd2f54d08eb9c0652328e6170db0e89337b462ccca141fdccbaa
sha512: ca36a50a5ab0604669457d30ffb9ce483e72f5fa109a7393caf40d6dcffba0c1e5cbb20572c0698a289871c900d70293647d5b59dcd9b2bd7b63405a18f73fb5
ssdeep: 98304:sjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj:
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T17AD66BDA6BE1D945E5E64E30B83997E8523BFC829830A21EE254FF0F3CB17911592353
sha3_384: 3f4beb5c9f6d25c585fe11e89646d6c63a405d41e59bfc6480334f9b92827a128c7a1875848f4d76d832406943df0a28
ep_bytes: e8712f0000e978feffff8bff558bec8b
timestamp: 2021-06-26 19:25:13

Version Info:

FileVersion: 21.79.125.49
InternationalName: povgwaoci.iwe
Copyrighz: Copyrighz (C) 2021, fuzkorta
Translations: 0x0127 0x010f

Ransom:Win32/StopCrypt.PAY!MTB also known as:

Bkav: W32.AIDetect.malware2
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.GenericKDZ.84207
FireEye: Generic.mg.5f55f19c3b8b10a1
CAT-QuickHeal: Ransom.Stop.P5
ALYac: Trojan.GenericKDZ.84207
Cylance: Unsafe
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: Trojan ( 0058eae71 )
K7GW: Trojan ( 0058eae71 )
BitDefenderTheta: Gen:NN.ZexaF.34606.@t0@aScS4gce
Cyren: W32/Kryptik.EYC.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Kryptik.HOMC
APEX: Malicious
Cynet: Malicious (score: 100)
Kaspersky: HEUR:Trojan.Win32.Bingoml.gen
BitDefender: Trojan.GenericKDZ.84207
NANO-Antivirus: Trojan.Win32.Kryptik.jmxxha
Avast: Win32:AceCrypter-F [Cryp]
Tencent: Trojan.Win32.Bingoml.16000307
Ad-Aware: Trojan.GenericKDZ.84207
Emsisoft: Trojan.Crypt (A)
DrWeb: Trojan.MulDrop19.53567
Zillya: Trojan.Kryptik.Win32.3704517
TrendMicro: Mal_Tofsee
McAfee-GW-Edition: BehavesLike.Win32.Lockbit.rh
Sophos: Mal/Generic-R + Mal/Agent-AWV
Ikarus: Trojan.Win32.Crypt
GData: Trojan.GenericKDZ.84207
Jiangmin: TrojanDropper.Agent.gqbv
MAX: malware (ai score=87)
Antiy-AVL: Trojan/Generic.ASMalwS.3533F82
Microsoft: Ransom:Win32/StopCrypt.PAY!MTB
AhnLab-V3: Infostealer/Win.SmokeLoader.R473956
Acronis: suspicious
McAfee: GenericRXRX-VG!5F55F19C3B8B
VBA32: BScope.Trojan.DiskWriter
Malwarebytes: Trojan.MalPack.GS
TrendMicro-HouseCall: Mal_Tofsee
Rising: Malware.Obscure!1.A3BB (RDMK:cmRtazoNaK6nTvYlynlseWJuQy5n)
SentinelOne: Static AI – Malicious PE
Fortinet: W32/Azorult.7BBD!tr
AVG: Win32:AceCrypter-F [Cryp]
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_100% (W)

How to remove Ransom:Win32/StopCrypt.PAY!MTB?

Ransom:Win32/StopCrypt.PAY!MTB removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – Press “Reset Browser Settings”.
  • Select the proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
