Categories: Ransom

What is “Ransom:Win32/StopCrypt.PK!MTB”?

The Ransom:Win32/StopCrypt.PK!MTB is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Ransom:Win32/StopCrypt.PK!MTB virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP.
  • HTTPS urls from behavior.
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Unconventionial language used in binary resources: Spanish (Paraguay)
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Created a process from a suspicious location
  • CAPE detected the STOP malware family
  • Attempts to modify proxy settings
  • Anomalous binary characteristics

Related domains:

wpad.local-net
api.2ip.ua

How to determine Ransom:Win32/StopCrypt.PK!MTB?



File Info:

name: C030F577A0E1CDC22E11.mlwpath: /opt/CAPEv2/storage/binaries/4f3677685dc2ab9b76b5d3e9e213d31b2f3e45e9c2a6c25e547b020eb8c92deacrc32: 774E391Fmd5: c030f577a0e1cdc22e11fcf41b1c0443sha1: 17a52df477d311e77bee1754dfe4607c1900d05dsha256: 4f3677685dc2ab9b76b5d3e9e213d31b2f3e45e9c2a6c25e547b020eb8c92deasha512: 25616aa703a314939e3fb8c66173039956c5b98283d3922f5313aeb5da8d76d55a3e6c92c935d795b2734a4fec968679f4337ef33a74607480349d0b214e28ccssdeep: 24576:z29OoiMqc8ivTbTYuWUoVH8ZsFIL0vnSh8koeUFia:a9BwDuWUq4sF40PJ2utype: PE32 executable (GUI) Intel 80386, for MS Windowstlsh: T12D05021067A1C034F5B612F49A7997B8B53F3EA09B6490CF92E512FA5B356E1EC3034Bsha3_384: 0584395bbdf6506f63e1b89d06e65e41e34d49f54f64c2a670a5665134ef02289f353570dccc9811d06917dc99ab71cbep_bytes: 8bff558bece8462c0000e8110000005dtimestamp: 2020-12-22 11:28:10

Version Info:

Translation: 0x0252 0x0011

Ransom:Win32/StopCrypt.PK!MTB also known as:

Lionic Trojan.Win32.Malicious.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.47208338
FireEye Generic.mg.c030f577a0e1cdc2
McAfee Packed-GDT!C030F577A0E1
Cylance Unsafe
Zillya Trojan.Stop.Win32.2647
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 00584baa1 )
Alibaba Malware:Win32/km_24afe.None
K7GW Riskware ( 00584baa1 )
Cybereason malicious.477d31
Baidu Win32.Trojan.Kryptik.jm
Cyren W32/Kryptik.FNY.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HMYX
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Generic-9903804-0
Kaspersky HEUR:Trojan-Ransom.Win32.Stop.gen
BitDefender Trojan.GenericKD.47208338
Avast Win32:BotX-gen [Trj]
Tencent Win32.Trojan.Stop.Sumy
Ad-Aware Trojan.GenericKD.47208338
Sophos ML/PE-A + Troj/Krypt-DI
DrWeb Trojan.Siggen15.28174
TrendMicro Ransom_StopCrypt.R002C0DKN21
McAfee-GW-Edition BehavesLike.Win32.Packed.cc
Emsisoft Trojan.Crypt (A)
Ikarus Trojan.Agent
GData Trojan.GenericKD.47208338
Jiangmin Trojan.Stop.cho
MaxSecure Trojan.Malware.300983.susgen
Avira TR/AD.InstaBot.pjrjp
Antiy-AVL Trojan/Generic.ASMalwS.34BC639
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Ransom.Win32.STOP.sa
ViRobot Trojan.Win32.Z.Stop.840256
Microsoft Ransom:Win32/StopCrypt.PK!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Packed/Win.GDV.R446319
Acronis suspicious
ALYac Trojan.Ransom.Stop
MAX malware (ai score=80)
VBA32 TrojanRansom.Stop
Malwarebytes Trojan.MalPack.GS
TrendMicro-HouseCall Ransom_StopCrypt.R002C0DKN21
Rising Trojan.Kryptik!1.D9FE (CLASSIC)
SentinelOne Static AI – Malicious PE
eGambit Unsafe.AI_Score_75%
Fortinet W32/GenKryptik.FMHL!tr
AVG Win32:BotX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_80% (W)

How to remove Ransom:Win32/StopCrypt.PK!MTB?

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.
Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment
Share
Published by
Paul Valéry
Tags: api.2ip.uaRansom:Win32/StopCrypt.PK!MTBwpad.local-net
2 years ago

Recent Posts

What is “Generic.MSIL.Bladabindi.53C2EC31”?

The Generic.MSIL.Bladabindi.53C2EC31 is considered dangerous by lots of security experts. When this infection is active,…

4 mins ago

Worm.Win32.Vobfus.dpfw malicious file

The Worm.Win32.Vobfus.dpfw is considered dangerous by lots of security experts. When this infection is active,…

4 mins ago

Win32:VB-YWM [Trj] removal guide

The Win32:VB-YWM [Trj] is considered dangerous by lots of security experts. When this infection is…

60 mins ago

Virus.Win32.Texel.k removal guide

The Virus.Win32.Texel.k is considered dangerous by lots of security experts. When this infection is active,…

1 hour ago

Application.Agent.ATT removal tips

The Application.Agent.ATT is considered dangerous by lots of security experts. When this infection is active,…

1 hour ago

About “Trojan-Downloader.Win32.Upatre.cdsp” infection

The Trojan-Downloader.Win32.Upatre.cdsp is considered dangerous by lots of security experts. When this infection is active,…

1 hour ago