Categories: Malware

Win32/Kryptik.BUYX removal instruction

The Win32/Kryptik.BUYX is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Win32/Kryptik.BUYX virus can do?

Behavioural detection: Executable code extraction – unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Presents an Authenticode digital signature
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
A process attempted to delay the analysis task.
Dynamic (imported) function loading detected
Performs HTTP requests potentially not found in PCAP.
HTTPS urls from behavior.
CAPE extracted potentially suspicious content
Unconventionial binary language: Russian
Unconventionial language used in binary resources: Russian
The binary likely contains encrypted or compressed data.
Authenticode signature is invalid
Deletes its original binary from disk
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Attempts to modify proxy settings
CAPE detected injection into a browser process, likely for Man-In-Browser (MITB) infostealing

How to determine Win32/Kryptik.BUYX?


File Info:
name: F334AFAED79AF1B01809.mlwpath: /opt/CAPEv2/storage/binaries/a057ba56ead3556e6902dc074ade457502191e8789a31ace87560495c88fefcecrc32: FE826191md5: f334afaed79af1b0180915a6f026a028sha1: 2286cae66b3d2d5d9b3f9d04733ff36a95fdcf96sha256: a057ba56ead3556e6902dc074ade457502191e8789a31ace87560495c88fefcesha512: 636fe09610f93b9243e89e9d71eac3a1bf7dfa5294ab48274cf49d6e44f5578aa9a47bbbc8a8ed649bc04220370d0c21f2b3a2bf61d38934ecfd92dbb75d80c9ssdeep: 768:2yMtnHtvgXT30XpU6URhEVzJ9MNd05XhJD0dmphpKpSpzv4CkD/:2rHJg4ZPCE1JFnD0dCvutype: PE32 executable (GUI) Intel 80386, for MS Windowstlsh: T1CF13E636259B88BBF3E79F78BCAA2B6508636D73DB05F0F314594C8C8435691D070E2Asha3_384: 359206556f31b370882082a66711d14c0f3441a0087e71549fa3b6fbbad55b9525500b8f48d4f2c0389c12ffc41f4ad3ep_bytes: 558bec892da0854000e872fdffff5dc3timestamp: 2012-12-06 04:23:36
Version Info:
CompanyName: Корпорация МайкрософтFileDescription: ProQuotaFileVersion: 5.1.2600.5512 (xpsp.080413-2113)InternalName: proquotaLegalCopyright: © Корпорация Майкрософт. Все права защищены.OriginalFilename: proquota.exeProductName: Операционная система Microsoft® Windows®ProductVersion: 5.1.2600.5512Translation: 0x0419 0x04b0

Win32/Kryptik.BUYX also known as:

Lionic	Trojan.Win32.Injector.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.f334afaed79af1b0
ALYac	Gen:Heur.Japik.6
Cylance	Unsafe
Zillya	Trojan.FakeAV.Win32.244438
Sangfor	Trojan.Win32.Injector.gnqs
K7AntiVirus	Trojan ( 0040f02a1 )
Alibaba	VirTool:Win32/Obfuscator.44fb629d
K7GW	Trojan ( 0040f02a1 )
Cybereason	malicious.ed79af
VirIT	Trojan.Win32.Generic.VCK
Cyren	W32/S-79760d50!Eldorado
Symantec	Packed.Generic.459
ESET-NOD32	a variant of Win32/Kryptik.BUYX
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-Dropper.Win32.Injector.gnqs
BitDefender	Gen:Heur.Japik.6
NANO-Antivirus	Trojan.Win32.Inject.bdfjtq
SUPERAntiSpyware	Trojan.Agent/Gen-Kryptik
MicroWorld-eScan	Gen:Heur.Japik.6
Avast	Win32:Karagany
Tencent	Win32.Trojan-dropper.Injector.Eamm
Ad-Aware	Gen:Heur.Japik.6
Sophos	Mal/Generic-R + Troj/Zbot-DHN
Comodo	TrojWare.Win32.Kryptik.ARJD@4t2k3w
DrWeb	Trojan.DownLoader7.3225
VIPRE	Trojan.Win32.FakeAlert.bns (v)
TrendMicro	TROJ_SIGEKAF.SM
McAfee-GW-Edition	PWS-Zbot.gen.xd
Emsisoft	Gen:Heur.Japik.6 (B)
GData	Gen:Heur.Japik.6
Jiangmin	TrojanDropper.Injector.bokk
Webroot	W32.Rogue.Gen
Avira	TR/Crypt.ZPACK.Gen
MAX	malware (ai score=99)
Antiy-AVL	Trojan[Dropper]/Win32.Injector
Kingsoft	Win32.Heur.KVMH019.a.(kcloud)
Arcabit	Trojan.Japik.6
ZoneAlarm	Trojan-Dropper.Win32.Injector.gnqs
Microsoft	Rogue:Win32/FakeDef
AhnLab-V3	Dropper/Win32.Injector.R47014
Acronis	suspicious
McAfee	PWS-Zbot.gen.xd
TACHYON	Trojan/W32.Small.45440.G
VBA32	BScope.Malware-Cryptor.SB.01798
Malwarebytes	Generic.Malware/Suspicious
TrendMicro-HouseCall	TROJ_SIGEKAF.SM
Rising	Dropper.Injector!8.DC (CLOUD)
Ikarus	Trojan-Dropper.Win32.Injector
eGambit	Generic.Downloader
Fortinet	W32/Zbot.APRF!tr
BitDefenderTheta	Gen:NN.ZexaF.34212.cq1@aix3cvmc
AVG	Win32:Karagany
Panda	Trj/Agent.MIZ
CrowdStrike	win/malicious_confidence_90% (W)
MaxSecure	Trojan.Malware.4950784.susgen