Strictor.271139 (file analysis)

Strictor.271139 is the generic detection name (Gen:Variant.Strictor.271139, reported here by Emsisoft) for this sample; the other engines listed below also flag it as malicious or as a PUA, and the sandbox signatures below show why. While the file is running you may notice unfamiliar processes in Task Manager. If that happens, it is advised to scan the computer with an anti-malware product such as GridinSoft Anti-Malware.

What can Strictor.271139 do?

Behaviour signatures raised during the CAPE sandbox run of the sample:

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Anomalous file deletion behavior detected (10+)
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in the PCAP.
  • HTTPS URLs observed in behaviour.
  • Enumerates running processes
  • Drops a binary and executes it
  • Unconventional binary language: Chinese (Simplified)
  • Unconventional language used in binary resources: Chinese (Simplified)
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is likely packed with VMProtect
  • Authenticode signature is invalid
  • Tries to suspend Cuckoo threads to prevent logging of malicious activity
  • Attempts to modify desktop wallpaper
  • Tries to unhook or modify Windows functions monitored by Cuckoo
  • Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
  • Created a process from a suspicious location
  • Network activity contains more than one unique useragent.
  • Attempts to modify proxy settings
  • Harvests cookies for information gathering
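
Several of the signatures above are simple rules over the sandbox's hooked API calls. The following is an added example, not CAPE's own signature code: it re-implements five of them (SetUnhandledExceptionFilter, RWX memory, 10+ file deletions, more than one User-Agent, and a registry value set to a long byte blob) and runs them over a constructed call log. The log layout (one dict per hooked call with `api` and `args`), the API names matched, and the thresholds are assumptions made for the example.

```python
# Added example (not CAPE's own code): re-implementations of five of the
# behaviour signatures listed above, run over a constructed API-call log.
# The log layout (one dict per hooked call with "api" and "args") and the
# thresholds are assumptions made for this example.
from collections import Counter

PAGE_EXECUTE_READWRITE = 0x40   # Win32 memory-protection flag for RWX pages
REG_BINARY = 3                  # RegSetValueEx value type for raw bytes
DELETE_THRESHOLD = 10           # "Anomalous file deletion behavior (10+)"
BLOB_THRESHOLD = 512            # bytes; "long series of bytes" in one value

# Constructed sample log, in the order the sandbox would have seen the calls.
SAMPLE_CALLS = [
    {"api": "SetUnhandledExceptionFilter", "args": {}},
    {"api": "NtAllocateVirtualMemory",
     "args": {"Protection": PAGE_EXECUTE_READWRITE, "RegionSize": 0x10000}},
    {"api": "InternetOpenA", "args": {"Agent": "Mozilla/5.0 (Windows NT 6.1)"}},
    {"api": "InternetOpenA", "args": {"Agent": "Microsoft-CryptoAPI/6.1"}},
    {"api": "RegSetValueExA",
     "args": {"FullName": "HKCU\\Software\\Demo\\cfg", "Type": REG_BINARY,
              "Buffer": bytes(range(256)) * 3}},
    {"api": "RegSetValueExA",
     "args": {"FullName": "HKCU\\Software\\Demo\\ver", "Type": 1,
              "Buffer": b"2.1.7.0"}},
] + [
    {"api": "DeleteFileW",
     "args": {"FileName": f"C:\\Users\\u\\AppData\\Local\\Temp\\t{i}.tmp"}}
    for i in range(12)
]


def calls_to(calls, *names):
    """Return the calls whose API name is one of *names."""
    return [c for c in calls if c["api"] in names]


def creates_rwx_memory(calls):
    """True if any allocation or protection change requests an RWX page."""
    return any(c["args"].get("Protection") == PAGE_EXECUTE_READWRITE
               for c in calls_to(calls, "NtAllocateVirtualMemory",
                                 "NtProtectVirtualMemory", "VirtualProtectEx"))


def file_deletion_count(calls):
    """Number of file-deletion calls; the signature fires at DELETE_THRESHOLD."""
    return len(calls_to(calls, "DeleteFileA", "DeleteFileW", "NtDeleteFile"))


def user_agents(calls):
    """Distinct User-Agent strings handed to WinINet; more than one fires."""
    return Counter(c["args"]["Agent"]
                   for c in calls_to(calls, "InternetOpenA", "InternetOpenW"))


def long_registry_blobs(calls, min_len=BLOB_THRESHOLD):
    """Registry values set to a long raw-byte buffer (config/payload storage)."""
    return [c["args"]["FullName"]
            for c in calls_to(calls, "RegSetValueExA", "RegSetValueExW")
            if c["args"].get("Type") == REG_BINARY
            and len(c["args"]["Buffer"]) >= min_len]


def run_signatures(calls):
    """Evaluate the five signatures; returns {signature_name: fired?}."""
    return {
        "SetUnhandledExceptionFilter (possible anti-debug)":
            bool(calls_to(calls, "SetUnhandledExceptionFilter")),
        "Creates RWX memory": creates_rwx_memory(calls),
        "Anomalous file deletion behavior (10+)":
            file_deletion_count(calls) >= DELETE_THRESHOLD,
        "More than one unique useragent": len(user_agents(calls)) > 1,
        "Registry key set to a long series of bytes":
            bool(long_registry_blobs(calls)),
    }


if __name__ == "__main__":
    for name, fired in run_signatures(SAMPLE_CALLS).items():
        print(f"[{'x' if fired else ' '}] {name}")
```

Treat these as triage signals, not a verdict: installers delete dozens of temporary files, VMProtect-packed game launchers allocate RWX memory and unhook monitoring as a matter of course, and a second User-Agent is often just CryptoAPI fetching a CRL. It is the combination with dropping a binary, modifying proxy settings and harvesting cookies that moves this sample from "packed" to "malicious".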

How to identify Strictor.271139?

File Info:

name: BA6A640AEBFCF04DF7F5.mlw
path: /opt/CAPEv2/storage/binaries/c6afd91ede96e9d055da7358a7849f6903c03a80c5302e7f91bf344a4ae3a3c6
crc32: 9772C7F5
md5: ba6a640aebfcf04df7f55d846d1cad58
sha1: 2b7412be968bf371486f30afefea1518130e9bed
sha256: c6afd91ede96e9d055da7358a7849f6903c03a80c5302e7f91bf344a4ae3a3c6
sha512: 1d93296eaa2ac3c261b0846956ae127f06c93dd8015e0e62674c7a4e3ae07f66c18d81946abdf240c7c5f020cac19cfa963a0c373c18d896d25a908c4fb63488
ssdeep: 196608:yyO3J5EGqHba22IJZYusNNSfX3xn2oKtqZiX:q3jEGq7arNNSfHxwt4K
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T14E66337B521575C1D6E98435C63BFEC431F65A3E8A81E8FDA8F6A8C116225E0D303B93
sha3_384: 3e62d8d138b3e465bd6aa13a9add4f3d41889c6ac1a13d045b82c7e031afe134faf16c2b7a4aa157da5f5143d677c112
ep_bytes: 68701152ffe8e5045e008b4c25006681
timestamp: 2019-08-25 13:02:36
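
To check a suspect file against the indicators above rather than trusting the filename, recompute the digests locally. The block below is an added example, not code from the page or from CAPE: it hashes a file in one pass with the standard library (crc32, md5, sha1, sha256, sha512, sha3_384), compares the results with the published values, and does a cheap header check for the reported type (PE32, Intel 80386). ssdeep and tlsh need third-party modules and are left out; the default file path in the `__main__` section is an assumption.

```python
# Added example (not from the original page): recompute the File Info hashes
# for a local copy of the sample and compare them with the published values.
# Standard library only; ssdeep and tlsh need third-party modules and are
# left out.  The default path in the __main__ block is an assumption.
import hashlib
import zlib

# Indicators copied from the File Info block above (lower-cased hex).
PUBLISHED = {
    "crc32": "9772c7f5",
    "md5": "ba6a640aebfcf04df7f55d846d1cad58",
    "sha1": "2b7412be968bf371486f30afefea1518130e9bed",
    "sha256": "c6afd91ede96e9d055da7358a7849f6903c03a80c5302e7f91bf344a4ae3a3c6",
    "sha512": "1d93296eaa2ac3c261b0846956ae127f06c93dd8015e0e62674c7a4e3ae07f66"
              "c18d81946abdf240c7c5f020cac19cfa963a0c373c18d896d25a908c4fb63488",
    "sha3_384": "3e62d8d138b3e465bd6aa13a9add4f3d41889c6ac1a13d045b82c7e031afe134"
                "faf16c2b7a4aa157da5f5143d677c112",
}
IMAGE_FILE_MACHINE_I386 = 0x14C   # "Intel 80386" in the file type line


def hash_chunks(chunks):
    """Hash an iterable of byte strings in one pass; returns {name: hex}."""
    hashers = {n: hashlib.new(n)
               for n in ("md5", "sha1", "sha256", "sha512", "sha3_384")}
    crc = 0
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)          # running CRC across chunks
        for h in hashers.values():
            h.update(chunk)
    out = {n: h.hexdigest() for n, h in hashers.items()}
    out["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return out


def hash_bytes(data):
    """Convenience wrapper for in-memory data."""
    return hash_chunks([data])


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through hash_chunks without loading it whole."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""))


def is_pe32_i386(data):
    """Cheap check for the reported type: MZ/PE headers with Machine == i386."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
    return machine == IMAGE_FILE_MACHINE_I386


def compare(computed, published=PUBLISHED):
    """{name: True} where the computed digest equals the published one."""
    return {n: computed.get(n, "").lower() == v.lower()
            for n, v in published.items()}


if __name__ == "__main__":
    import sys
    # Assumed: a local copy named after the sandbox's storage name.
    path = sys.argv[1] if len(sys.argv) > 1 else "BA6A640AEBFCF04DF7F5.mlw"
    with open(path, "rb") as f:
        print("PE32 i386 header:", is_pe32_i386(f.read(4096)))
    for name, ok in compare(hash_file(path)).items():
        print(f"{name:9s} {'MATCH' if ok else 'differs'}")
```

A single mismatch on the stronger digests (sha256, sha512, sha3_384) means you are not holding this sample; crc32 and md5 are included only because the page lists them and other reports may quote nothing else.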

Version Info:

Comments: Technical support: 979592141 (original: 技术支持:979592141)
CompanyName: Technical support: 979592141 (original: 技术支持:979592141)
FileDescription: 热血江湖 (Hot-Blooded Jianghu)
FileVersion: 2, 1, 7, 0
InternalName: 热血江湖 (Hot-Blooded Jianghu)
LegalCopyright: Copy Right (C) RXJH2 2008-2020
LegalTrademarks: 热血江湖 (Hot-Blooded Jianghu)
OriginalFilename: 热血江湖.EXE
ProductName: 热血江湖 (Hot-Blooded Jianghu)
ProductVersion: 2, 1, 7, 0
Translation: 0x0804 0x04b0 (language ID 0x0804 = Chinese (Simplified, PRC); code page 0x04b0 = Unicode)

The version resource presents the file as a client for the MMORPG 热血江湖 (RXJH in the copyright line is its pinyin abbreviation) with a support number in place of a company name. Version strings are free-form text that anyone can set, and the PE timestamp (2019-08-25) predates the 2020 end of the copyright range. Together with the invalid Authenticode signature and the VMProtect packing, they are not evidence of a publisher's identity; at most they tell you what the file wants to look like.

Strictor.271139 also known as:

  • Elastic: malicious (high confidence)
  • Emsisoft: Gen:Variant.Strictor.271139 (B)
  • SentinelOne: Static AI – Malicious PE
  • Sophos: Generic ML PUA (PUA)
  • Cynet: Malicious (score: 100)
  • MAX: malware (ai score=84)
  • Rising: Trojan.Generic@AI.98 (RDMK:cmRtazrYmTIc3vshSNUrb9IP96BM)

Only Emsisoft carries the Strictor family name; the remaining verdicts are machine-learning or generic classifications, and Sophos rates the file as a PUA rather than malware, so the engines agree that the file is unwanted but not on how severe it is.

How to remove Strictor.271139?

Strictor.271139 removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and run a "Standard scan".
  • "Move to quarantine" all detected items.
  • Open the "Tools" tab and press "Reset Browser Settings".
  • Select the affected browser and the options you want, then click "Reset".
  • Restart your computer.

Because the sample modifies proxy settings and harvests browser cookies, check after the reboot that no unexpected proxy is configured, and treat any web session that was logged in on the machine as exposed: sign out everywhere and change those passwords. The sample also drops and executes a second binary, so a scan that only removes the original file is not enough; make sure the quarantine list includes the dropped file.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.