Trojan.Win32.Ekstak.amgbq (file analysis)

Trojan.Win32.Ekstak.amgbq is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and cure your PC during the trial period.
6-day free trial available.

What can the Trojan.Win32.Ekstak.amgbq virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Transacted Hollowing
  • Collects and encrypts information about the computer likely to send to C2 server
  • Likely virus infection of existing system binary

How to identify Trojan.Win32.Ekstak.amgbq?

File Info:

name: 2760CDFADA8EC5F06D25.mlw
path: /opt/CAPEv2/storage/binaries/d5e0a0f39c66767bb9b9c0c8fc633b42ff93a93fbf8c7ca2d35cdc234fb1a8b4
crc32: B5977D89
md5: 2760cdfada8ec5f06d25ffb5c758119a
sha1: 5eaf477775c47f9890087b05d5c2ab8b11e9d816
sha256: d5e0a0f39c66767bb9b9c0c8fc633b42ff93a93fbf8c7ca2d35cdc234fb1a8b4
sha512: aa207751d5dc1f7a4cdc4e91c66a630407ac7e644f25d436aa464631a4cee1b178e8a1ccf7c39f603c7a2e1ba201329e91ed49c128412a90c01e4af6cecd8973
ssdeep: 196608:FvtlFZKW0qSjxKL6fbkhv7aA8iB0/SU9gCneI59oAP:JtlSLUL6fYJOivU9NeI59og
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1F8763381A9A2D4A9E514DC7C8C3B01167696BD1BFDF4BA01F7C44C8F9E4EC9228DB1E4
sha3_384: 92042bf42544c04234aa9d4666518582868a1227183df241ed198762ebf6c9e450ecdd7850dc23a266cb40c449f2703e
ep_bytes: 558bec83c4cc53565733c08945f08945
timestamp: 1992-06-19 22:22:17

Version Info:

Comments: This installation was built with Inno Setup.
CompanyName: Vseev Sv. Pv.
FileDescription: viewfe.ucpa.ru
FileVersion: 3.5.0.0
LegalCopyright:
Translation: 0x0409 0x04e4

Trojan.Win32.Ekstak.amgbq also known as:

Lionic: Trojan.Win32.Ekstak.4!c
McAfee: Artemis!2760CDFADA8E
Cylance: Unsafe
Sangfor: Riskware.Win32.Agent.ky
K7AntiVirus: Trojan ( 005722f11 )
Alibaba: TrojanDropper:Win32/Ekstak.01874065
K7GW: Trojan ( 005722f11 )
Elastic: malicious (high confidence)
ESET-NOD32: a variant of Win32/TrojanDropper.Agent.SLC
Paloalto: generic.ml
Kaspersky: Trojan.Win32.Ekstak.amgbq
Avast: Win32:Adware-gen [Adw]
McAfee-GW-Edition: BehavesLike.Win32.Dropper.vc
Sophos: Mal/Generic-S
GData: Win32.Backdoor.Bodelph.DSNW6J
Webroot: W32.Trojan.Gen
Microsoft: Trojan:Win32/Wacatac.B!ml
Malwarebytes: Malware.AI.1867052505
TrendMicro-HouseCall: TROJ_GEN.R002H0DFA22
Rising: Malware.Generic!8.BA4C (CLOUD)
AVG: Win32:Adware-gen [Adw]

How to remove Trojan.Win32.Ekstak.amgbq?

Trojan.Win32.Ekstak.amgbq removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.