Trojan.Ransom.Deathransom.B removal instruction

Report context

What to verify before removal

Trojan.Ransom.Deathransom.B removal instruction should be handled as a recovery-sensitive report, not as a routine deletion task. Before removing files, isolate the affected system and compare the detection with the notes below so encrypted data, restore points, and backups are not damaged.

Start by comparing the local file name with 15D96C2779FBDF8989FB.mlw, then review the behavior notes for file-encryption activity, ransom notes, renamed documents, and unexpected recovery blockers. This helps separate a matching detection from a different file that only shares a similar alert name.

Observed file: 15D96C2779FBDF8989FB.mlw

Compare the suspicious file name with 15D96C2779FBDF8989FB.mlw.
Confirm the detection name matches Trojan.Ransom.Deathransom.B removal instruction before removing related files.
Review the report for file-encryption activity, ransom notes, renamed documents, and unexpected recovery blockers so the cleanup is based on observed behavior, not only the label.
Disconnect the machine from the network before recovery work and avoid deleting encrypted samples until backups are checked.

The Trojan.Ransom.Deathransom.B is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

What Trojan.Ransom.Deathransom.B virus can do?

Behavioural detection: Executable code extraction – unpacking
Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
Uses Windows utilities for basic functionality
Reads data out of its own binary image
CAPE extracted potentially suspicious content
Drops a binary and executes it
Unconventionial language used in binary resources: Slovak
The binary contains an unknown PE section name indicative of packing
Authenticode signature is invalid
Behavioural detection: Injection (Process Hollowing)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
CAPE detected the shellcode get eip malware family
Deletes executed files from disk
Anomalous binary characteristics
Uses suspicious command line tools or Windows utilities
Yara detections observed in process dumps, payloads or dropped files

How to determine Trojan.Ransom.Deathransom.B?


File Info:
name: 15D96C2779FBDF8989FB.mlw
path: /opt/CAPEv2/storage/binaries/7aacbaf1566a96ec23dfb7446aeb13d6482d6f78f83b3c9268f024f2ef099fde
crc32: 6DA7B152
md5: 15d96c2779fbdf8989fbfbda73c96963
sha1: 7c8bd3d785fa2488c845abeb474b5b4979c0847b
sha256: 7aacbaf1566a96ec23dfb7446aeb13d6482d6f78f83b3c9268f024f2ef099fde
sha512: e628844878f90b0b9efa5c7a94ab61d23b68ac139f29a64534814a3d03f7907a46e84df10b249f4bc10aece9f9e9a13e1964948ddfcbcf7e23c1d8fc02b869c3
ssdeep: 49152:9BqtCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCZCr:9o
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1CAC65A2568B11AA7C4BA517CBF3D770C08EEFF604296CD7781256ED1852B7E22A8D10F
sha3_384: 3ee594fcd21baa4832b85ef857699227600f3b57590b93be12665456c7a7a5d687bcfea5a26982c858b5cd5399c4b927
ep_bytes: e818060000e98efeffff3b0d70304300
timestamp: 2019-04-25 03:10:40

Version Info:
FileVersion: 1.0.5.4
InternalName: fyukfuyk.exe
LegalCopyright: Copyright (C) 2019, ghjhfkh
ProductVersion: 1.7.6
TranslationOne: 0x0841 0x04c4

Trojan.Ransom.Deathransom.B also known as:

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Ransom.Deathransom.B
FireEye	Generic.mg.15d96c2779fbdf89
CAT-QuickHeal	Ransom.Stop.MP4
Skyhigh	BehavesLike.Win32.Generic.wh
McAfee	Trojan-FRON!15D96C2779FB
Cylance	unsafe
Zillya	Backdoor.Tofsee.Win32.2694
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Malware:Win32/km_2e9e7.None
K7GW	Trojan ( 0055c0061 )
K7AntiVirus	Trojan ( 0055c0061 )
BitDefenderTheta	Gen:NN.ZexaF.36802.@F0@aaAdCOpG
VirIT	Trojan.Win32.Packed2.CKIN
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Kryptik.GYQM
APEX	Malicious
TrendMicro-HouseCall	TROJ_GEN.R002C0DD124
ClamAV	Win.Dropper.ClipBanker-7403232-0
Kaspersky	HEUR:Backdoor.Win32.Tofsee.vho
BitDefender	Trojan.Ransom.Deathransom.B
NANO-Antivirus	Trojan.Win32.Packed2.gkvvqv
Avast	Win32:CrypterX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bfa820
Sophos	Mal/GandCrab-G
F-Secure	Heuristic.HEUR/AGEN.1312680
DrWeb	Trojan.Packed2.42133
VIPRE	Trojan.Ransom.Deathransom.B
TrendMicro	TROJ_GEN.R002C0DD124
Trapmine	suspicious.low.ml.score
Emsisoft	Trojan.Agent (A)
Ikarus	Trojan.Win32.Crypt
Jiangmin	Trojan.Diple.amnh
Google	Detected
Avira	HEUR/AGEN.1312680
Varist	W32/Kryptik.ASJ.gen!Eldorado
Antiy-AVL	Trojan[Backdoor]/Win32.Tofsee
Microsoft	Trojan:Win32/Emotet.PDS!MTB
Arcabit	Trojan.Ransom.Deathransom.B
ZoneAlarm	HEUR:Backdoor.Win32.Tofsee.vho
GData	Trojan.Ransom.Deathransom.B
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win32.MalPe.R300372
VBA32	BScope.Trojan.Download
ALYac	Trojan.Ransom.Deathransom.B
MAX	malware (ai score=82)
Malwarebytes	Crypt.Trojan.Malicious.DDS
Panda	Trj/GdSda.A
Rising	Trojan.Kryptik!1.BFC8 (CLASSIC)
SentinelOne	Static AI – Malicious PE
MaxSecure	Trojan.Malware.74655264.susgen
Fortinet	W32/Kryptik.ANT!tr
AVG	Win32:CrypterX-gen [Trj]
DeepInstinct	MALICIOUS
alibabacloud	Backdoor:Win/Emotet.PDS!MTB

How to remove Trojan.Ransom.Deathransom.B?

Recommended second-opinion scan

Verify the infection before changing system settings

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

Download GridinSoft Anti-Malware

Download and install GridinSoft Anti-Malware.
Open GridinSoft Anti-Malware and perform a “Standard scan“.
“Move to quarantine” all items.
Open “Tools” tab – Press “Reset Browser Settings“.
Select proper browser and options – Click “Reset”.
Restart your computer.