Spy

Win32/Spy.Autoit.FA removal instruction

Malware Removal

The Win32/Spy.Autoit.FA is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware - Review 2020

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend to use GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the TRIAL period.
6-day free trial available.

What Win32/Spy.Autoit.FA virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Presents an Authenticode digital signature
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Guard pages use detected – possible anti-debugging.
  • A process attempted to delay the analysis task.
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP.
  • Enumerates running processes
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Deletes its original binary from disk
  • Steals private information from local Internet browsers
  • Collects information about installed applications
  • Attempts to identify installed AV products by installation directory
  • Detects Bochs through the presence of a registry key
  • Attempts to modify proxy settings
  • Accessed credential storage registry keys
  • Harvests cookies for information gathering
  • Harvests credentials from local FTP client softwares
  • Creates Qulab/MASAD information stealer mutexes
  • Anomalous binary characteristics

How to determine Win32/Spy.Autoit.FA?


File Info:

name: 7B03865DC5660CEA68BA.mlw
path: /opt/CAPEv2/storage/binaries/415ceece3175ec7c62cac3f13dde05a242a8815fb3734c037d61c0d5588313ef
crc32: AB1A88BE
md5: 7b03865dc5660cea68ba92c3b90690d7
sha1: 9e1c18e8dd43ee7872220b0eb16cb676fb3c2b77
sha256: 415ceece3175ec7c62cac3f13dde05a242a8815fb3734c037d61c0d5588313ef
sha512: 81dd2b310c91e12a6d0dc1508a75415e0e92fb453928e64d4df00df514c5235af80e2f38df88a59d89979d7e47dc8c535d751083aecbb1599bc7f8beab4f1b3f
ssdeep: 49152:jh+ZkldoPK8YaoIzkYxb+BjvTKjwm+uDkhlig:M2cPK8JzkYxK17qeuw6
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1F895E00263D1C036FFABA2739B6AF2415ABC79654133852F13982D79BD701B2273D663
sha3_384: 348f3c53999544228bee5e82298d36dcc5ce080aee63e9e9e2417c1249a029032fa7dd4443e2d4afebcb3e8bad95d349
ep_bytes: e8c8d00000e97ffeffffcccccccccccc
timestamp: 2019-12-23 05:03:07

Version Info:

Comments: gcuBlEgn3UdtzzVFWCCQaE2dDYPqYYX1mQGbSXtB5EA9SQZQQrNq66HFDV28GSe9WAR3
CompanyName: Windows Security Center ISV Proxy Stub
FileDescription: Библиотека API кластера
FileVersion: 4.1.7.4
InternalName: xcopy.exe
OriginalFilename: xcopy.exe
ProductVersion: 4.1.7.4
Translation: 0x0809 0x04b0

Win32/Spy.Autoit.FA also known as:

LionicHacktool.Win32.Gamehack.3!e
DrWebTrojan.PWS.Stealer.27517
MicroWorld-eScanGen:Trojan.Heur.AutoIT.173v2@amVdJAmi
FireEyeGen:Trojan.Heur.AutoIT.173v2@amVdJAmi
ALYacGen:Trojan.Heur.AutoIT.173v2@amVdJAmi
CylanceUnsafe
SangforVirus.Win32.Save.a
K7AntiVirusTrojan ( 700000111 )
BitDefenderGen:Trojan.Heur.AutoIT.173v2@amVdJAmi
K7GWTrojan ( 700000111 )
CrowdStrikewin/malicious_confidence_100% (W)
VirITTrojan.Win32.AutoIt.CDO
Elasticmalicious (high confidence)
ESET-NOD32Win32/Spy.Autoit.FA
TrendMicro-HouseCallTrojan.Win32.CRYPTINJECT.SMB
Paloaltogeneric.ml
ClamAVWin.Malware.Agen-6962462-0
KasperskyHEUR:Trojan-PSW.Win32.Masqulab.b
AlibabaMalware:Win32/km_2c67693.None
NANO-AntivirusTrojan.Win32.Stealer.gspeyk
RisingTrojan.Obfus/Autoit!1.BD86 (CLASSIC)
Ad-AwareGen:Trojan.Heur.AutoIT.173v2@amVdJAmi
SophosMal/Generic-R + Mal/SwiftG-Q
ComodoMalware@#hmhksn2vlh1y
TrendMicroTrojan.Win32.CRYPTINJECT.SMB
McAfee-GW-EditionArtemis
EmsisoftGen:Trojan.Heur.AutoIT.173v2@amVdJAmi (B)
WebrootW32.Trojan.Gen
AviraTR/Spy.Autoit.ipwvb
MicrosoftTrojan:Win32/Occamy.C41
GDataGen:Trojan.Heur.AutoIT.173v2@amVdJAmi
CynetMalicious (score: 99)
McAfeeArtemis!7B03865DC566
MAXmalware (ai score=82)
VBA32Trojan.Autoit.F
MalwarebytesTrojan.MalPack
PandaTrj/Genetic.gen
APEXMalicious
TencentWin32.Trojan.Falsesign.Agut
IkarusTrojan.Win32.Autoit
MaxSecureTrojan.Malware.74553206.susgen
FortinetAutoIt/Packed.OH!tr
AVGScript:SNH-gen [Trj]
Cybereasonmalicious.dc5660
AvastScript:SNH-gen [Trj]

How to remove Win32/Spy.Autoit.FA?

Win32/Spy.Autoit.FA removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment