- Distribution Method : Unknown
- MD5 : 0e0b9f6050496c876ff199e8583d7b87
- Major Detection Name : Downloader/Win.Agent.C5219811 (AhnLab V3), Trojan-Downloader.Win32.Alien.pbg (Kaspersky)
- Encrypted File Pattern : .FARGO2
- Malicious File Creation Location :
  - C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP
  - C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP\Avvertire.xls
  - C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP\Come.exe.pif
  - C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP\qqDqlmoWMvo.dll
- Payment Instruction File : FILE RECOVERY.txt
- Offline Encryption
- Mallox Ransomware series
- Encrypts files through the legitimate AutoIt v3 script interpreter dropped as "C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP\Come.exe.pif"
- Encrypts files with specific extensions first (.dbf, .dmp, .hdd, .ibd, .lck, .mdb, .nvram, .oraenv, .rar, .sql, .vdi, .vhd, .vhdx, .vmdk, .vmem, .vmsd, .vmsn, .vmss, .vmx, .zip), then encrypts the remaining files.
- Blocks execution of specific processes (fdhost.exe, fdlauncher.exe, mysql.exe, oracle.exe, ReportingServecesService.exe, sqlservr.exe etc.)
- Stops multiple services (MSSQLFDLauncher, MSSQLServerOLAPService, ReportServer)
- Deletes multiple services (B1Workflow, backup*, MsDtsServer100, MSSQL$SOPHOS, SAP Business One RSP Agent Service, SBOClientAgent etc.)
- Disables system recovery (bcdedit /set {current} bootstatuspolicy ignoreallfailures, bcdedit /set {current} recoveryenabled no, vssadmin.exe delete shadows /all /quiet)
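The behaviours listed above (recovery tampering via bcdedit/vssadmin, stopping and deleting database and backup services, the .FARGO2 extension, the FILE RECOVERY.txt note and the IXP000.TMP staging directory) are all visible in ordinary endpoint telemetry. The script below is an added detection example, not code from the summary or from the vendor: it scans process-creation and file-creation events for exactly those indicators. The `timestamp|event|payload` log format and every log line are constructed for the example; the indicator values themselves come from the summary.

```python
"""Hunt for the FARGO2/Mallox host behaviours from the summary in process-
and file-creation events. Log lines and their format are constructed
samples for this example, not real telemetry."""
import re
from collections import Counter

# Recovery-tampering commands quoted in the summary
RECOVERY_TAMPERING = [
    re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
]
# Services the summary says are stopped or deleted ("backup*" is a prefix match)
TARGET_SERVICES = {
    "mssqlfdlauncher", "mssqlserverolapservice", "reportserver",
    "b1workflow", "msdtsserver100", "mssql$sophos", "sboclientagent",
}
SERVICE_CMD = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(stop|delete)|net(?:\.exe)?\s+(stop))\s+(\S+)", re.I)
ENCRYPTED_EXT = ".fargo2"            # encrypted file pattern from the summary
RANSOM_NOTE = "file recovery.txt"    # payment instruction file from the summary
STAGING_DIR = "\\ixp000.tmp\\"       # dropper directory from the summary

# Constructed sample events: <timestamp>|<event type>|<command line or path>
LOG_LINES = [
    "2024-05-01T09:00:01|ProcessCreate|cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures",
    "2024-05-01T09:00:02|ProcessCreate|cmd.exe /c bcdedit /set {current} recoveryenabled no",
    "2024-05-01T09:00:03|ProcessCreate|vssadmin.exe delete shadows /all /quiet",
    "2024-05-01T09:00:04|ProcessCreate|net stop MSSQLFDLauncher",
    "2024-05-01T09:00:05|ProcessCreate|sc delete B1Workflow",
    "2024-05-01T09:00:06|ProcessCreate|sc delete BackupExecAgent",
    "2024-05-01T09:00:07|ProcessCreate|notepad.exe C:\\Users\\alice\\notes.txt",
    "2024-05-01T09:00:08|FileCreate|C:\\Users\\alice\\Documents\\db.mdb.FARGO2",
    "2024-05-01T09:00:09|FileCreate|C:\\Users\\alice\\Documents\\FILE RECOVERY.txt",
    "2024-05-01T09:00:10|FileCreate|C:\\Users\\alice\\AppData\\Local\\Temp\\IXP000.TMP\\Come.exe.pif",
]


def classify_process(cmdline):
    """Return a finding category for a command line, or None if benign."""
    for pattern in RECOVERY_TAMPERING:
        if pattern.search(cmdline):
            return "recovery_tampering"
    m = SERVICE_CMD.search(cmdline)
    if m:
        action = (m.group(1) or m.group(2)).lower()
        name = m.group(3).lower()
        if name in TARGET_SERVICES or name.startswith("backup"):
            return "service_" + action
    return None


def classify_file(path):
    """Return a finding category for a created file path, or None."""
    low = path.lower()
    if low.endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    if low.endswith("\\" + RANSOM_NOTE):
        return "ransom_note"
    if STAGING_DIR in low:
        return "staging_dir"
    return None


def analyze(lines):
    """Map each log line to (timestamp, category, payload); skip clean or malformed lines."""
    findings = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        ts, event, payload = parts
        if event == "ProcessCreate":
            category = classify_process(payload)
        elif event == "FileCreate":
            category = classify_file(payload)
        else:
            category = None
        if category:
            findings.append((ts, category, payload))
    return findings


def summarize(findings):
    """Count findings per category; several categories together on one host is the strong signal."""
    return Counter(category for _, category, _ in findings)


if __name__ == "__main__":
    for ts, category, payload in analyze(LOG_LINES):
        print(f"{ts} {category:20} {payload}")
    print(dict(summarize(analyze(LOG_LINES))))
```

Recovery tampering and service deletion alone also occur in legitimate administration, so the value of the script is the combination: a host that shows recovery tampering, database/backup service removal and .FARGO2 file creation within minutes matches the sequence this summary describes and should be isolated before encryption completes.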