About “Win32/Kryptik.GNXQ” infection

Win32/Kryptik.GNXQ is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a full scan and clean your PC during the trial period.
6-day free trial available.

What can the Win32/Kryptik.GNXQ virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Access the NetLogon registry key, potentially used for discovery or tampering
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Transacted Hollowing
  • Tries to unhook or modify Windows functions monitored by Cuckoo
  • Creates a hidden or system file
  • CAPE detected the IcedIDStage1 malware family

How to identify Win32/Kryptik.GNXQ?

File Info:

name: AB5ECF9C4420A6672440.mlw
path: /opt/CAPEv2/storage/binaries/23def247dc254b50dfd9818d14f35e739d6538a63c94a4ad256e47bfc2be458b
crc32: D94A6700
md5: ab5ecf9c4420a66724404a342b80c256
sha1: ea64d64d9219597a1989f4052241d76e7cf7324f
sha256: 23def247dc254b50dfd9818d14f35e739d6538a63c94a4ad256e47bfc2be458b
sha512: 1ce4285cb036c1d034333b2dd5cc4f73edfb4314e8c4acb5ab915d6bc7a084a1cfe6ecc9daf5553a3462cc35d61414886ec353e9534d721aac6f5f3185c58868
ssdeep: 3072:Y3BEADWM+sCXnWS5T0a/Hmz3CbCFJyoo3g6U4W2DdCBgAUwVC9zd1ciW+n5ykemc:Y3+ASMEntYaayhookPPg9bjWCMIf
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T16B34AE007BA18431E677437B09698B11453EBD614F719ACBB3D85E0ED7BA6C0B731BA2
sha3_384: 630344eec6235cdfeeb0948e94be8242be431de990f5411bf3be66074f0f93cba6fa81efebc4370f0ab5a3eabed576a1
ep_bytes: e828880000e9000000006a1468486543
timestamp: 2014-11-20 10:15:06

Version Info:

CompanyName: Monk Development Once
ProductVersion: 14.3.11.13
ProductName: Whetherheard
LegalCopyright: Copyright © 2004 Monk Development Once. All rights reserved
FileDescription: Whetherheard
OriginalFilename: voiceproperty.exe
FileVersion: 14.3.11.13
InternalName: Whetherheard
Translation: 0x0409 0x04b0

Win32/Kryptik.GNXQ also known as:

Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.Agent.DJXN
FireEye: Generic.mg.ab5ecf9c4420a667
McAfee: Ursnif-FQLY!AB5ECF9C4420
Cylance: Unsafe
Zillya: Trojan.GenKryptik.Win32.20854
K7AntiVirus: Trojan ( 0054202a1 )
K7GW: Trojan ( 0054202a1 )
Cybereason: malicious.c4420a
ESET-NOD32: a variant of Win32/Kryptik.GNXQ
APEX: Malicious
ClamAV: Win.Dropper.IcedID-7067317-0
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.Agent.DJXN
NANO-Antivirus: Trojan.Win32.IcedID.fklqsw
SUPERAntiSpyware: Trojan.Agent/Gen-Banker
Avast: Win32:BankerX-gen [Trj]
Tencent: Malware.Win32.Gencirc.10ba4968
Ad-Aware: Trojan.Agent.DJXN
Sophos: ML/PE-A
DrWeb: Trojan.IcedID.15
McAfee-GW-Edition: Ursnif-FQLY!AB5ECF9C4420
Emsisoft: Trojan.Agent.DJXN (B)
GData: Trojan.Agent.DJXN
Jiangmin: Trojan.Banker.IcedID.do
Avira: HEUR/AGEN.1129707
Antiy-AVL: Trojan/Generic.ASMalwS.298E113
Microsoft: Trojan:Win32/Sabsik.FL.B!ml
Cynet: Malicious (score: 100)
AhnLab-V3: Malware/Win32.Generic.C2868826
Acronis: suspicious
BitDefenderTheta: Gen:NN.ZexaF.34062.oq0@am6qFoni
ALYac: Trojan.Agent.DJXN
MAX: malware (ai score=84)
VBA32: TrojanBanker.IcedID
Malwarebytes: Malware.AI.4251490776
Rising: Trojan.Generic@ML.100 (RDML:2htQ+N0GX7Ae/QZexY0c6g)
Yandex: Trojan.PWS.IcedID!478fpt2+y1A
Fortinet: W32/GenKryptik.CRRJ!tr
AVG: Win32:BankerX-gen [Trj]
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_60% (D)

How to remove Win32/Kryptik.GNXQ?

Win32/Kryptik.GNXQ removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.