Ser.Ursu.6464 removal instruction

Ser.Ursu.6464 is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and cure your PC during the trial period.
A 6-day free trial is available.

What can the Ser.Ursu.6464 virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Sample contains Overlay data
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data
  • Creates an autorun.inf file
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Detects Sandboxie through the presence of a library
  • Detects Avast Antivirus through the presence of a library
  • Behavioural detection: Injection (inter-process)
  • Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
  • Created a process from a suspicious location
  • Installs itself for autorun at Windows startup
  • Checks the presence of disk drives in the registry, possibly for anti-virtualization
  • Creates a copy of itself
  • Attempts to disable UAC
  • Attempts to disable Windows Auto Updates
  • Attempts to modify or disable Security Center warnings
  • Attempts to modify Explorer settings to prevent hidden files from being displayed

How to identify Ser.Ursu.6464?

File Info:

name: 7F9086D7B398B3049FBD.mlw
path: /opt/CAPEv2/storage/binaries/022f77d988dd1ee20327ded5eb4c6ec3b3b491e013ca4b5d30283a6de1a3fbe1
crc32: 64CE8BC4
md5: 7f9086d7b398b3049fbda2a25fa53506
sha1: ed5cbd162118baf65cc1b4b210ec101af200bb61
sha256: 022f77d988dd1ee20327ded5eb4c6ec3b3b491e013ca4b5d30283a6de1a3fbe1
sha512: 8759526e9dcf67d3e27f894680547bc60773a32cf333f2af165265d2e52ac050d9d5fb4c09180a3e74dccc7da4b142c989560ce255a791fe3bd79b73a772ec0b
ssdeep: 1536:uurJvfXfW7sIpDQm/C+Zpqh0RgqKURtySo3+DKsXvgx8WBgabeREN+hW:jJXuwQDa+Hqh0iSo3+GsXvLocEN
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T18F24CF1B75A2AD56F016D7705467C7B25332786E4B070F1B2E0977292EA3F604E2AF83
sha3_384: 72cbd9cd3325ef1c4d5db97fc36c800b058ea42cf9faecf5aae007f35fd31a57368d296b546e2ec9e864133796b4184f
ep_bytes: 6830124000e8eeffffff000000000000
timestamp: 2014-08-12 08:51:17

Version Info:

Translation: 0x0409 0x04b0
CompanyName: fvcvdfcvdfd
ProductName: hkhkjuhukhjjhjj
FileVersion: 5.00.0454
ProductVersion: 5.00.0454
InternalName: mlpoopopopop
OriginalFilename: mlpoopopopop.exe

Ser.Ursu.6464 also known as:

Bkav: W32.AIDetect.malware1
Lionic: Trojan.Win32.VB.4!c
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Ser.Ursu.6464
FireEye: Generic.mg.7f9086d7b398b304
CAT-QuickHeal: Trojan.VBCrypt.MF.1517
McAfee: W32/Worm-FIU!7F9086D7B398
Cylance: Unsafe
VIPRE: Gen:Variant.Ser.Ursu.6464
Sangfor: VISUAL BASIC4
K7AntiVirus: Trojan-Downloader ( 004b919f1 )
Alibaba: Trojan:Win32/Injector.2b38d5ae
K7GW: Trojan-Downloader ( 004b919f1 )
CrowdStrike: win/malicious_confidence_100% (W)
Cyren: W32/Trojan.ARAY-2119
Symantec: ML.Attribute.HighConfidence
tehtris: Generic.Malware
ESET-NOD32: Win32/Injector.BJUA
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Trojan.Vbran-7588425-0
Kaspersky: Trojan.Win32.VB.copv
BitDefender: Gen:Variant.Ser.Ursu.6464
NANO-Antivirus: Trojan.Win32.VB.hhocne
SUPERAntiSpyware: Trojan.Agent/Gen-FalComp
Avast: Win32:Sality [Inf]
Rising: HackTool.VBInject!8.1A0 (CLOUD)
Ad-Aware: Gen:Variant.Ser.Ursu.6464
Emsisoft: Gen:Variant.Ser.Ursu.6464 (B)
DrWeb: BackDoor.Tishop.122
Zillya: Trojan.VB.Win32.510922
TrendMicro: TROJ_GEN.R002C0PFO22
McAfee-GW-Edition: BehavesLike.Win32.Infected.dt
Trapmine: malicious.high.ml.score
Sophos: ML/PE-A + Troj/VB-HLV
SentinelOne: Static AI – Malicious PE
GData: Gen:Variant.Ser.Ursu.6464
Jiangmin: Trojan/VB.cwri
Webroot: Trojanspy:Win32/Fitmu.A
Avira: TR/Beebone.plis
MAX: malware (ai score=86)
Antiy-AVL: Trojan/Generic.ASMalwS.1F
Arcabit: Trojan.Ser.Ursu.D1940
ViRobot: Trojan.Win32.Agent.87633
Microsoft: Trojan:Win32/Wacatac.B!ml
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.VBInject.R219878
BitDefenderTheta: Gen:NN.ZevbaF.34582.nq3@amu3P3ai
ALYac: Gen:Variant.Ser.Ursu.6464
TACHYON: Trojan/W32.VB-Agent.225403
VBA32: Trojan.VB
Malwarebytes: Spyware.Zbot.ED
TrendMicro-HouseCall: TROJ_GEN.R002C0PFO22
Tencent: Malware.Win32.Gencirc.114ccd8f
Yandex: Trojan.GenAsa!bA/KaC+OAdQ
Ikarus: Trojan.Win32.Inject
MaxSecure: Trojan.Malware.7303868.susgen
Fortinet: W32/Injector.BJHT!tr
AVG: Win32:Sality [Inf]
Cybereason: malicious.7b398b
Panda: Trj/Genetic.gen

How to remove Ser.Ursu.6464?

Ser.Ursu.6464 removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.