
Should I remove “Ransom:Win32/StopCrypt.PMA!MTB”?


Ransom:Win32/StopCrypt.PMA!MTB is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to fully scan and clean your PC during the trial period.
6-day free trial available.

What can the Ransom:Win32/StopCrypt.PMA!MTB virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventional language used in binary resources: Uzbek (Latin)
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Enumerates services, possibly for anti-virtualization
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Installs itself for autorun at Windows startup
  • Creates a hidden or system file
  • CAPE detected the Tofsee malware family
  • Anomalous binary characteristics
  • Uses suspicious command line tools or Windows utilities

How to identify Ransom:Win32/StopCrypt.PMA!MTB?

File Info:

name: 6F4F82161F72D6A175B7.mlw
type: PE32 executable (GUI) Intel 80386, for MS Windows
timestamp: 2021-07-31 09:29:34

Version Info:

Translations: 0x0798 0x02be

Ransom:Win32/StopCrypt.PMA!MTB also known as:

Bkav: W32.AIDetect.malware2
tehtris: Generic.Malware
MicroWorld-eScan: Trojan.GenericKDZ.87168
ALYac: Trojan.GenericKDZ.87168
Cylance: Unsafe
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: Riskware ( 00584baa1 )
K7GW: Riskware ( 00584baa1 )
Cybereason: malicious.67dcd9
Cyren: W32/Kryptik.GKO.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
Elastic: malicious (high confidence)
ESET-NOD32: a variant of Win32/Kryptik.HPLK
APEX: Malicious
ClamAV: Win.Packed.Filerepmalware-9947507-0
Kaspersky: HEUR:Backdoor.Win32.Gulpix.gen
BitDefender: Trojan.GenericKDZ.87168
Avast: Win32:AceCrypter-W [Cryp]
Ad-Aware: Trojan.GenericKDZ.87168
Emsisoft: Trojan.GenericKDZ.87168 (B)
DrWeb: Trojan.PWS.Stealer.32991
TrendMicro: Mal_Tofsee
McAfee-GW-Edition: BehavesLike.Win32.Generic.vm
FireEye: Generic.mg.6f4f82161f72d6a1
Sophos: ML/PE-A + Troj/Krypt-FV
Ikarus: Trojan-Ransom.StopCrypt
GData: Win32.Trojan.PSE.12ZYE8D
Microsoft: Ransom:Win32/StopCrypt.PMA!MTB
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win.MalPE.R488344
Acronis: suspicious
McAfee: Packed-GEE!6F4F82161F72
MAX: malware (ai score=87)
VBA32: TrojanSpy.Stealer
Malwarebytes: Trojan.MalPack.GS
TrendMicro-HouseCall: Mal_Tofsee
Rising: Trojan.Generic@AI.100 (RDML:cQAm+E2Cx/q4CS2kpXWHpw)
SentinelOne: Static AI – Malicious PE
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/Packed.GEE!tr
AVG: Win32:AceCrypter-W [Cryp]
Panda: Trj/GdSda.A

How to remove Ransom:Win32/StopCrypt.PMA!MTB?

Ransom:Win32/StopCrypt.PMA!MTB removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cybersecurity analyst and data science expert with 5+ years of experience with security software contractors.
