Categories: Malware

About “Win32/Kryptik.GNXQ” infection

The Win32/Kryptik.GNXQ is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Win32/Kryptik.GNXQ virus can do?

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction – unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
Dynamic (imported) function loading detected
Access the NetLogon registry key, potentially used for discovery or tampering
CAPE extracted potentially suspicious content
The binary likely contains encrypted or compressed data.
Authenticode signature is invalid
Behavioural detection: Injection (inter-process)
Behavioural detection: Transacted Hollowing
Tries to unhook or modify Windows functions monitored by Cuckoo
Creates a hidden or system file
CAPE detected the IcedIDStage1 malware family

How to determine Win32/Kryptik.GNXQ?


File Info:
name: AB5ECF9C4420A6672440.mlwpath: /opt/CAPEv2/storage/binaries/23def247dc254b50dfd9818d14f35e739d6538a63c94a4ad256e47bfc2be458bcrc32: D94A6700md5: ab5ecf9c4420a66724404a342b80c256sha1: ea64d64d9219597a1989f4052241d76e7cf7324fsha256: 23def247dc254b50dfd9818d14f35e739d6538a63c94a4ad256e47bfc2be458bsha512: 1ce4285cb036c1d034333b2dd5cc4f73edfb4314e8c4acb5ab915d6bc7a084a1cfe6ecc9daf5553a3462cc35d61414886ec353e9534d721aac6f5f3185c58868ssdeep: 3072:Y3BEADWM+sCXnWS5T0a/Hmz3CbCFJyoo3g6U4W2DdCBgAUwVC9zd1ciW+n5ykemc:Y3+ASMEntYaayhookPPg9bjWCMIftype: PE32 executable (GUI) Intel 80386, for MS Windowstlsh: T16B34AE007BA18431E677437B09698B11453EBD614F719ACBB3D85E0ED7BA6C0B731BA2sha3_384: 630344eec6235cdfeeb0948e94be8242be431de990f5411bf3be66074f0f93cba6fa81efebc4370f0ab5a3eabed576a1ep_bytes: e828880000e9000000006a1468486543timestamp: 2014-11-20 10:15:06
Version Info:
CompanyName: Monk Development OnceProductVersion: 14.3.11.13ProductName: WhetherheardLegalCopyright: Copyright © 2004 Monk Development Once. All rights reservedFileDescription: WhetherheardOriginalFilename: voiceproperty.exeFileVersion: 14.3.11.13InternalName: WhetherheardTranslation: 0x0409 0x04b0

Win32/Kryptik.GNXQ also known as:

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Agent.DJXN
FireEye	Generic.mg.ab5ecf9c4420a667
McAfee	Ursnif-FQLY!AB5ECF9C4420
Cylance	Unsafe
Zillya	Trojan.GenKryptik.Win32.20854
K7AntiVirus	Trojan ( 0054202a1 )
K7GW	Trojan ( 0054202a1 )
Cybereason	malicious.c4420a
ESET-NOD32	a variant of Win32/Kryptik.GNXQ
APEX	Malicious
ClamAV	Win.Dropper.IcedID-7067317-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.Agent.DJXN
NANO-Antivirus	Trojan.Win32.IcedID.fklqsw
SUPERAntiSpyware	Trojan.Agent/Gen-Banker
Avast	Win32:BankerX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10ba4968
Ad-Aware	Trojan.Agent.DJXN
Sophos	ML/PE-A
DrWeb	Trojan.IcedID.15
McAfee-GW-Edition	Ursnif-FQLY!AB5ECF9C4420
Emsisoft	Trojan.Agent.DJXN (B)
GData	Trojan.Agent.DJXN
Jiangmin	Trojan.Banker.IcedID.do
Avira	HEUR/AGEN.1129707
Antiy-AVL	Trojan/Generic.ASMalwS.298E113
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.C2868826
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34062.oq0@am6qFoni
ALYac	Trojan.Agent.DJXN
MAX	malware (ai score=84)
VBA32	TrojanBanker.IcedID
Malwarebytes	Malware.AI.4251490776
Rising	Trojan.Generic@ML.100 (RDML:2htQ+N0GX7Ae/QZexY0c6g)
Yandex	Trojan.PWS.IcedID!478fpt2+y1A
Fortinet	W32/GenKryptik.CRRJ!tr
AVG	Win32:BankerX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_60% (D)