Ursu.840959 (file analysis)

Malware Removal

Ursu.840959 is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to complete a full scan and clean your PC during the trial period.
6-day free trial available.

What can the Ursu.840959 virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Sample contains Overlay data
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Deletes executed files from disk

How to identify Ursu.840959?

File Info:

name: 61D8053375F624560635.mlw
path: /opt/CAPEv2/storage/binaries/3ce4987fd03a337644ce5810a38f6812d2b099c0f9eb1a229a0113ec8b82bfcd
crc32: C15C04B6
md5: 61d8053375f62456063510bcf7ef89a9
sha1: 8d4310acdfb0e75a0b0f4c5e8c42db0ed042e1b4
sha256: 3ce4987fd03a337644ce5810a38f6812d2b099c0f9eb1a229a0113ec8b82bfcd
sha512: eaa4cca683f02cda13fbcdbcff2c7a9356bad3e816b0166945dc9a45f5fda1f05c75970fcb186bd1ebc02305f6edaf8f042527602185adb9cedae67934604875
ssdeep: 49152:wqicR5Bqp6unb3e0xu1jIvES45vIeQna2hA4H5YKy:Fd3Up6uHu1g45InjhVZYX
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T133E5F13FB268613EC5AE0B3245B39320997BBB61A85B8C1E47F4090DCF665601E3F765
sha3_384: d55f34db22ba1103c5580baa986d2828a5625b07eb8f24bc3090fa49be7dc5630d0875a7ac9bf7e682c9871620d360ab
ep_bytes: 558bec83c49053565733c08945c08945
timestamp: 2020-03-14 13:01:15

Version Info:

Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Wflash Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Wflash
ProductVersion: 2
Translation: 0x0000 0x04b0

Ursu.840959 also known as:

Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Ursu.840959
FireEye: Gen:Variant.Ursu.840959
ALYac: Gen:Variant.Ursu.840959
VIPRE: Gen:Variant.Ursu.840959
ESET-NOD32: a variant of Win32/Injector.ELOS
Kaspersky: Trojan.Win32.Inject.amymj
BitDefender: Gen:Variant.Ursu.840959
NANO-Antivirus: Exploit.Win32.Shellcode.honfxc
Avast: Win32:Trojan-gen
Tencent: Win32.Trojan.Inject.Wozw
Zillya: Exploit.Shellcode.Win32.4
Emsisoft: Gen:Variant.Ursu.840959 (B)
GData: Gen:Variant.Ursu.840959
Jiangmin: Backdoor.Remcos.bfj
Google: Detected
Avira: TR/AD.NsisInject.udtuk
MAX: malware (ai score=84)
Antiy-AVL: Trojan/Generic.ASMalwS.5406
Microsoft: Trojan:Win32/Occamy.C91
Cynet: Malicious (score: 99)
Rising: Trojan.Generic@AI.85 (RDMK:N11Q1wP8x0Yi4SAO75S/8g)
Ikarus: Trojan-Downloader.Win32.Rugmi
AVG: Win32:Trojan-gen

How to remove Ursu.840959?

Ursu.840959 removal tool:
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.