Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Mallox Ransomware (.mallox)

  • Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
  • MD5 : 315aaf1f0128e50999fd5b82949a9267
  • Major Detection Name : Ransom.FileCryptor (Malwarebytes), Trojan:MSIL/AgentTesla.KA!MTB (Microsoft)
  • Encrypted File Pattern : .mallox
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\Temp\AdvancedRun.exe
     - C:\Users\%UserName%\AppData\Local\Temp\Blffpekna.vbs
     - C:\Users\%UserName%\AppData\Local\Temp\MSBuild.exe
     - C:\Users\%UserName%\AppData\Local\Temp\Yubhigusnhbrkitykwictqkill$.bat
  • Payment Instruction File : HOW TO RECOVER !!.TXT / RECOVERY INFORMATION.txt
  • Major Characteristics :
     - Offline Encryption
     - Oppo Ransomware series
     - File encryption using Microsoft .NET Framework clean file "%Temp%\MSBuild.exe"
     - Disable a Windows Defender
     - Block processes execution (fdhost.exe, httpd.exe, java.exe, reportingservicesservice.exe, softmgrlite.exe, sqlservr.exe etc.)
     - Delete multi services (MSSQLFDLauncher, QcSoftService, SQLBrowser, SQLSERVERAGENT, SQLWriter, VMTools etc.)
     - Stop multi services (Apache2.4, HaoZipSvc, igfxCUIService2.0.0.0, memcached Server, MSComplianceAudit, U8WorkerService1 etc.)
     - Disable system restore (vssadmin.exe delete shadows /all /quiet, bcdedit /set {current} bootstatuspolicy ignoreallfailures, bcdedit /set {current} recoveryenabled no)