About “Win32/Farfli.BWS” infection

Win32/Farfli.BWS is classified as dangerous by many security vendors. When this infection is active, you may notice unwanted processes in the Task Manager list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the Win32/Farfli.BWS virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • Drops a binary and executes it
  • Unconventional language used in binary resources: Chinese (Simplified)
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Authenticode signature is invalid
  • A ping command was executed with the -n argument possibly to delay analysis
  • Uses Windows utilities for basic functionality
  • Deletes its original binary from disk
  • Created a process from a suspicious location
  • Anomalous binary characteristics

How to identify Win32/Farfli.BWS?

File Info:

name: 81C7580FEFF141A9D377.mlw
path: /opt/CAPEv2/storage/binaries/11a595327544d6efebc1145c8d9d19f4fb69a6049b00535ad602dbec61b9329f
crc32: D15A1F34
md5: 81c7580feff141a9d3776be8b025475e
sha1: 54ffda922e0771755476e751cc344a0d561d5db4
sha256: 11a595327544d6efebc1145c8d9d19f4fb69a6049b00535ad602dbec61b9329f
sha512: 87b36d60cb34f2651dd12b28e77bc6f88c5e9e3e4c50b76bb1b2a752eb03a62d64b8c91627c0060168949d297ddd6fd2edebcfa77fbd83f1e5047ed67b697eae
ssdeep: 3072:DnzDvcfdA53A+vDoHDaEI+uuuTVfFi1dgbzzWoOdm6tVNi:DnzDYA53/vkNI+uuu7iDgbzzWoOd1tVQ
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T113041256ABCCD3F4F9B6AB7209B638FA4873955A722EC732C69D00975CA05B0DDB4108
sha3_384: a63297c3ab58ffccfe708c23f6e97243158b7cde27df1ef09283a16fe819807cf3bf4c023d774542c1ac477dfff4956e
ep_bytes: 60be002043008dbe00f0fcff5783cdff
timestamp: 2015-11-26 07:12:43

Version Info:

CompanyName: Microsoft Corporation
FileDescription: Microsoft® HTML Editing Component's Resource DLL
FileVersion: 7.00.5730.13 (longhorn(wmbla).070711-1130)
InternalName: MSHTMLER.DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: MSHTMLER.DLL
ProductName: Windows® Internet Explorer
ProductVersion: 7.00.5730.13
OleSelfRegister:
Translation: 0x0409 0x04b0

Win32/Farfli.BWS also known as:

Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Trojan.Heur.lmMfz0jxHIlj
ALYac: Gen:Trojan.Heur.lmMfz0jxHIlj
Cylance: Unsafe
Sangfor: Suspicious.Win32.Save.a
K7AntiVirus: Ransomware ( 004ce30e1 )
K7GW: Ransomware ( 004ce30e1 )
CrowdStrike: win/malicious_confidence_100% (D)
Cyren: W32/Venik.M.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
tehtris: Generic.Malware
ESET-NOD32: a variant of Win32/Farfli.BWS
APEX: Malicious
ClamAV: Win.Trojan.Hupigon-7623999-0
Kaspersky: P2P-Worm.Win32.Palevo.hyik
BitDefender: Gen:Trojan.Heur.lmMfz0jxHIlj
NANO-Antivirus: Trojan.Win32.Dwn.dyzqqe
Avast: Win32:Malware-gen
Tencent: P2P-Worm.Win32.Palevo.za
Ad-Aware: Gen:Trojan.Heur.lmMfz0jxHIlj
Emsisoft: Gen:Trojan.Heur.lmMfz0jxHIlj (B)
Comodo: TrojWare.Win32.Farfli.BVW@6a54oc
DrWeb: Trojan.DownLoader17.60890
Zillya: Adware.BrowseFox.Win32.229020
McAfee-GW-Edition: BehavesLike.Win32.Fake.cc
FireEye: Generic.mg.81c7580feff141a9
Sophos: ML/PE-A + Mal/Venik-B
SentinelOne: Static AI – Suspicious PE
GData: Win32.Trojan.Palevo.E
Jiangmin: Worm.Palevo.jz
Avira: TR/Crypt.XPACK.330551
Arcabit: Trojan.Heur.lmMfz0jxHIlj
Microsoft: Trojan:Win32/Wacatac.B!ml
Cynet: Malicious (score: 100)
AhnLab-V3: Dropper/Win32.Banki.R169299
McAfee: GenericRXAA-AA!81C7580FEFF1
MAX: malware (ai score=87)
VBA32: Worm.Palevo
Malwarebytes: Malware.AI.513609328
Rising: Backdoor.Farfli!1.A275 (RDMK:cmRtazqYcxeWhONvXPLNi/v8ETd0)
Ikarus: Trojan.Win32.Farfli
MaxSecure: Trojan.Malware.121218.susgen
Fortinet: W32/Farfli.BVW!tr
BitDefenderTheta: AI:Packer.A9D6503C1C
AVG: Win32:Malware-gen
Cybereason: malicious.feff14
Panda: Trj/Genetic.gen

How to remove Win32/Farfli.BWS?

Win32/Farfli.BWS removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.