Malware

About “Sirefef.3708” infection

Malware Removal

The Sirefef.3708 is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
6-day free trial available.

What Sirefef.3708 virus can do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • At least one process apparently crashed during execution
  • Attempts to connect to a dead IP:Port (1 unique times)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Guard pages use detected – possible anti-debugging.
  • A process attempted to delay the analysis task.
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Expresses interest in specific running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • Uses Windows utilities to enumerate running processes
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Installs itself for autorun at Windows startup
  • Detects Bochs through the presence of a registry key
  • Attempts to disable Windows Auto Updates
  • Collects information to fingerprint the system
  • Anomalous binary characteristics
  • Attempts to modify Explorer settings to prevent hidden files from being displayed
  • Uses suspicious command line tools or Windows utilities

How to determine Sirefef.3708?


File Info:

name: 1380F097686EE67B40AB.mlw
path: /opt/CAPEv2/storage/binaries/d43df3483d3b81424eaad2b6c179da9b91600daeffb11190592a9e65def03474
crc32: BFA932DD
md5: 1380f097686ee67b40ab7a2a66bd17de
sha1: 0972ab84bee0296efebd5f8b051153aae4cb3d75
sha256: d43df3483d3b81424eaad2b6c179da9b91600daeffb11190592a9e65def03474
sha512: 2f6f59c180a2ae0493390dd09f8bb46c15b0e2ad27f1d7983533d3d48d2de58fc3d669a3aad2cb5b81427ba11225fd623fd1be5cc7729f16c7059c176b982a7a
ssdeep: 12288:/ClephVMo7IYJAB++2RrxRAjbeNC2v+clES+vYOqH:6OhKpYyB/MrxRAZMES+b+
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1CEE42203BB6CEA21C0C0DAB10A9692E1B236BCC612C1BD477682FF896D757537DE4617
sha3_384: 5310666f59c693e1656dafe985227da729dc8063c2522e2b7c9360b4ee010559d026f853e1ee82f10153a593127114cf
ep_bytes: 68b8184000e8f0ffffff000040000000
timestamp: 2012-01-15 19:08:29

Version Info:

0: [No Data]

Sirefef.3708 also known as:

BkavW32.AIDetect.malware2
LionicTrojan.Win32.Generic.lu9W
Elasticmalicious (high confidence)
DrWebTrojan.VbCrypt.85
MicroWorld-eScanGen:Variant.Sirefef.3708
FireEyeGeneric.mg.1380f097686ee67b
CAT-QuickHealVirTool.Vbinder.Gen
ALYacGen:Variant.Sirefef.3708
CylanceUnsafe
ZillyaTrojan.Diple.Win32.26528
Sangfor[MICROSOFT VISUAL BASIC V6.0]
K7AntiVirusEmailWorm ( 003c363a1 )
K7GWEmailWorm ( 003c363a1 )
CrowdStrikewin/malicious_confidence_100% (W)
BitDefenderThetaGen:NN.ZevbaF.34582.QqW@aC!6Gqdi
VirITTrojan.Win32.Generic.TRW
CyrenW32/VBloader.I.gen!Eldorado
SymantecML.Attribute.HighConfidence
tehtrisGeneric.Malware
ESET-NOD32Win32/TrojanDropper.VB.NZX
TrendMicro-HouseCallTROJ_DROPPR.SM2
Paloaltogeneric.ml
ClamAVWin.Packer.VBCrypt-5731541-0
KasperskyWorm.Win32.Vobfus.exzu
BitDefenderGen:Variant.Sirefef.3708
NANO-AntivirusTrojan.Win32.VB.mjwii
SUPERAntiSpywareTrojan.Agent/Gen-Multi[VB]
TencentWorm.Win32.Vobfus.n
Ad-AwareGen:Variant.Sirefef.3708
TACHYONWorm/W32.Vobfus.696320
EmsisoftGen:Variant.Sirefef.3708 (B)
ComodoTrojWare.Win32.Agent.DHJE@4q0017
F-SecureTrojan.TR/Dropper.Gen
BaiduWin32.Trojan-Dropper.VB.al
VIPREGen:Variant.Sirefef.3708
TrendMicroTROJ_DROPPR.SM2
McAfee-GW-EditionBehavesLike.Win32.Generic.jc
Trapminemalicious.moderate.ml.score
SophosML/PE-A + W32/Vobfus-S
IkarusTrojan.Win32.Sirefef
GDataGen:Variant.Sirefef.3708
JiangminTrojan/Diple.dgkz
WebrootW32.Malware.Downloader
AviraTR/Dropper.Gen
KingsoftWin32.Heur.KVM011.a.(kcloud)
ArcabitTrojan.Sirefef.DE7C
ViRobotTrojan.Win32.A.Diple.696320
ZoneAlarmWorm.Win32.Vobfus.exzu
MicrosoftTrojanDownloader:Win32/Small
CynetMalicious (score: 100)
AhnLab-V3Trojan/Win32.Diple.R19366
McAfeeDownloader-CSH
MAXmalware (ai score=89)
VBA32BScope.Worm.WBNA
MalwarebytesTrojan.Zbot
PandaTrj/Genetic.gen
APEXMalicious
RisingTrojan.VB!1.65A7 (CLASSIC)
YandexTrojan.GenAsa!uYyxN/BLs1s
SentinelOneStatic AI – Malicious PE
MaxSecureTrojan.Malware.3498780.susgen
FortinetW32/Dropper.ZKU!tr
AVGWin32:Dropper-JSY [Drp]
Cybereasonmalicious.7686ee
AvastWin32:Dropper-JSY [Drp]

How to remove Sirefef.3708?

Sirefef.3708 removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment