Win32/Packed.Enigma.AL malicious file

The Win32/Packed.Enigma.AL is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Win32/Packed.Enigma.AL virus can do?

• Behavioural detection: Executable code extraction – unpacking
• Yara rule detections observed from a process memory dump/dropped files/CAPE
• Creates RWX memory
• NtSetInformationThread: attempt to hide thread from debugger
• Enumerates the modules from a process (may be used to locate base addresses in process injection)
• Enumerates running processes
• Reads data out of its own binary image
• CAPE extracted potentially suspicious content
• The binary contains an unknown PE section name indicative of packing
• The binary likely contains encrypted or compressed data.
• Authenticode signature is invalid
• Queries information on disks, possibly for anti-virtualization
• Checks for the presence of known windows from debuggers and forensic tools
• Uses IOCTL_SCSI_PASS_THROUGH control codes to manipulate drive/MBR which may be indicative of a bootkit
• CAPE detected the EnigmaStub malware family
• Checks for the presence of known devices from debuggers and forensic tools
• Harvests cookies for information gathering
• Anomalous binary characteristics

How to determine Win32/Packed.Enigma.AL?

File Info:
name: 086F89C85E074606C5BB.mlw
path: /opt/CAPEv2/storage/binaries/8eff5edd5729657a995c7bcecda972c1eb6359bde89d603ed01976a58ce522ec
crc32: 2872AEB1
md5: 086f89c85e074606c5bba7f971a5c4ec
sha1: 2c8fb132e9102c74cc69b1a79b8c08b199d96f68
sha256: 8eff5edd5729657a995c7bcecda972c1eb6359bde89d603ed01976a58ce522ec
sha512: 6ad9454d99546a7c8e322da76f7f779a267d2cfc004e5397f825c7cd380b4ccffd3b1d6d84f309f6907181ae4e019ee99412ffb690888759d54b95a1849146eb
ssdeep: 49152:CYbUbFDI842X7X54TSVqyZ83snp3WG+3iP9fqL6o5QI92pO:CKUbS8DX7JCKD83snv+3OyV5/MO
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T101A53340906A43A5EC2D43FB1167860E87BB5D4ADE09D026C5DB38FF663FF9B450889B
sha3_384: dcb5c19d85a3b9c262ad116b3207d2486eb79fc7f25e4f34602eae378ab7046e31399be10a97fba6079e24e3c62c9498
ep_bytes: eb08000001000000000060e800000000
timestamp: 2017-01-05 15:55:45

Version Info:
Translation: 0x0000 0x04b0
CompanyName: uncleua
FileDescription: vsa em
FileVersion: 2.4.6214.32272
InternalName: vsa45em.exe
LegalCopyright: (c) 2016-2017
OriginalFilename: vsa45em.exe
ProductVersion: 2.4.6214.32272
Assembly Version: 2.4.6214.32272

Win32/Packed.Enigma.AL also known as:

How to remove Win32/Packed.Enigma.AL?

• Download and install GridinSoft Anti-Malware.
• Open GridinSoft Anti-Malware and perform a “Standard scan“.
• “Move to quarantine” all items.
• Open “Tools” tab – Press “Reset Browser Settings“.
• Select proper browser and options – Click “Reset”.
• Restart your computer.