Troj/DwnLd-XH (file analysis)

Malware Removal

Troj/DwnLd-XH is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows a complete scan and cleanup of your PC during the trial period.
6-day free trial available.

What can the Troj/DwnLd-XH virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Enumerates the modules from a process (may be used to locate base addresses in process injection)
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • A scripting utility was executed
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Detects Sandboxie through the presence of a library
  • Detects Avast Antivirus through the presence of a library
  • Behavioural detection: Injection (inter-process)
  • Checks for the presence of known windows from debuggers and forensic tools
  • Created a process from a suspicious location
  • CAPE detected the OnlyLogger malware family
  • Checks the presence of disk drives in the registry, possibly for anti-virtualization
  • Attempts to disable Windows Defender
  • Attempts to modify Windows Defender using PowerShell
  • Attempts to execute suspicious powershell command arguments

How to identify Troj/DwnLd-XH?

File Info:

name: 1E0474031DDCFAE981CC.mlw
path: /opt/CAPEv2/storage/binaries/91fc037507b52d6aae4dd9136899b889de98f74e94c21a00ad80d9c4722842e1
crc32: 4BE0C45B
md5: 1e0474031ddcfae981cc7fdeeb02a90c
sha1: 25f7384dc4e0786bae4a1d76c707c2a793db5069
sha256: 91fc037507b52d6aae4dd9136899b889de98f74e94c21a00ad80d9c4722842e1
sha512: 6bd6f0dc83ca0404d43dc6e95aac64fa93890d483bbccf23aceed09595ddaaf83022bbf98c9406b4cb18bd20b0938790c4064d052a27227c451d1642823fa828
ssdeep: 196608:JafUvhJLae982p93/bBAMEBB3C8bvRTDNpGlFgLxLhXQBLEj:Ja85AKLBjEBB3dbv9DNQlFoXQ5Ej
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1AA7633C480CDE40BF51F5976488B84B41CF856F9F519DAAB9B60B16E16F3603F282B4B
sha3_384: 477b3301862cbf321395641b7fee0181068f0a138fb4d3d8c4bb5eb2d9c0a8d06da385434c6b10a92723429509c276e3
ep_bytes: 81ecd40200005356576a205f33db6801
timestamp: 2020-08-01 02:44:18

Version Info:

0: [No Data]

Troj/DwnLd-XH is also known as:

Bkav: W32.AIDetect.malware2
Elastic: malicious (high confidence)
DrWeb: Trojan.DownLoader44.35446
Cynet: Malicious (score: 100)
FireEye: Generic.mg.1e0474031ddcfae9
CAT-QuickHeal: Trojan.Win64RI.S25839259
McAfee: Artemis!1E0474031DDC
Cybereason: malicious.31ddcf
BitDefenderTheta: Gen:NN.ZexaF.34182.pq0@aKOfXPpG
Cyren: W32/Stealer.AA.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: multiple detections
TrendMicro-HouseCall: TROJ_GEN.R03FC0DAU22
Paloalto: generic.ml
ClamAV: Win.Packed.Barys-9859531-0
Kaspersky: Trojan-PSW.Win32.Stealer.aema
BitDefender: Dropped:Trojan.GenericKD.38752869
NANO-Antivirus: Riskware.Win32.PSWTool.hqsnsl
Avast: Win32:DropperX-gen [Drp]
Emsisoft: Dropped:Trojan.GenericKD.38752869 (B)
Comodo: ApplicUnwnt@#1oskvm236onaf
TrendMicro: TROJ_GEN.R03FC0DAU22
McAfee-GW-Edition: BehavesLike.Win32.Generic.wc
Sophos: Troj/DwnLd-XH
Ikarus: Trojan-Downloader.Win32.SmokeLoader
Avira: HEUR/AGEN.1144141
Antiy-AVL: Trojan/Generic.ASMalwS.351AACE
Kingsoft: Win32.Hack.Undef.(kcloud)
Microsoft: Trojan:Win32/Sabsik.FL.A!ml
ZoneAlarm: HEUR:Trojan-Spy.Win32.Stealer.pef
GData: Dropped:Trojan.GenericKD.38752869
VBA32: BScope.Trojan.Convagent
ALYac: Dropped:Trojan.GenericKD.38752869
MAX: malware (ai score=82)
Malwarebytes: Trojan.MalPack.GS
APEX: Malicious
Rising: Dropper.Agent/NSIS!1.D805 (CLASSIC:dGZlOgXIP4QWbzPn9A)
SentinelOne: Static AI – Suspicious PE
eGambit: Unsafe.AI_Score_59%
Fortinet: W32/Packed.GBE!tr
AVG: Win32:DropperX-gen [Drp]
Panda: Trj/CI.A

How to remove Troj/DwnLd-XH?

Troj/DwnLd-XH removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.