
Win32/Kryptik.GWGY removal guide


Win32/Kryptik.GWGY is ESET's name for this sample. "Kryptik" is ESET's generic designation for heavily obfuscated or packed malicious code rather than a specific family, and the other vendors' names for the same file (listed further down) point to a crypter wrapped around a stealer or ransomware payload. While the infection is active you may notice unfamiliar processes in the Task Manager list. In that case it is advised to scan your computer with GridinSoft Anti-Malware.

Removing malware manually can take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for removal; it can run a full scan and clean your PC during the trial period.
6-day free trial available.

What can Win32/Kryptik.GWGY do?

The list below is the set of CAPE sandbox signatures that fired when this sample was detonated. Much of it (anti-debugging, the VirtualBox and CPU-name checks, unpacking, process hollowing) is characteristic of the packer and loader stage rather than of the final payload.

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Guard pages use detected – possible anti-debugging
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Expresses interest in specific running processes
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Unconventional language used in binary resources: Arabic (Libya)
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Created a process from a suspicious location
  • Installs itself for autorun at Windows startup
  • Checks the CPU name from registry, possibly for anti-virtualization
  • Detects VirtualBox through the presence of a device
  • Creates a copy of itself
  • Accessed credential storage registry keys
  • Collects information to fingerprint the system
  • Uses suspicious command line tools or Windows utilities
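Several of the flags above (unknown PE section name, RWX memory, executable code extraction, plus the ep_bytes and timestamp listed under File Info below) can be checked statically before a sample is ever detonated. The following is an added example, not code from CAPE or from this guide: a dependency-free Python PE32 parser that reports those indicators. Because the real sample is not reproduced here, it builds a constructed stand-in binary whose entry point starts with the ep_bytes and carries the timestamp shown below, and which has a junk-named, high-entropy RWX section; the section-name allow-list and the 7.0-bit entropy threshold are assumptions.

```python
"""Static PE32 triage for indicators listed above (unknown section name,
RWX section, packed/high-entropy section, entry-point bytes, PE timestamp).
Added example: hand-rolled header parsing, no pefile, not code from CAPE."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Section names a stock MSVC/MinGW build emits; anything else is worth a look (assumption).
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                  ".bss", ".tls", ".pdata", ".CRT", ".gfids", "CODE", "DATA"}
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_THRESHOLD = 7.0             # bits/byte; packed or encrypted data sits near 8


def shannon_entropy(buf):
    if not buf:
        return 0.0
    n, counts = len(buf), [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(data):
    """Walk DOS -> PE -> COFF -> optional header -> section table and return findings."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, timestamp = struct.unpack_from("<HI", data, e_lfanew + 6)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    ep_rva = struct.unpack_from("<I", data, e_lfanew + 40)[0]   # same offset in PE32 and PE32+
    table = e_lfanew + 24 + opt_size
    findings, ep_bytes = [], ""
    for i in range(nsec):
        (raw_name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        body = data[rawptr:rawptr + rawsize]
        if name not in KNOWN_SECTIONS:
            findings.append("unknown_section_name:" + name)
        if (chars & (SCN_EXECUTE | SCN_WRITE)) == (SCN_EXECUTE | SCN_WRITE):
            findings.append("rwx_section:" + name)
        if shannon_entropy(body) > ENTROPY_THRESHOLD:
            findings.append("high_entropy_section:" + name)
        if va <= ep_rva < va + max(vsize, rawsize):       # RVA -> file offset
            off = rawptr + (ep_rva - va)
            ep_bytes = data[off:off + 16].hex()
            if not chars & SCN_EXECUTE:
                findings.append("entry_point_in_non_executable_section:" + name)
    if not ep_bytes:
        findings.append("entry_point_outside_any_section")
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S"),
            "ep_bytes": ep_bytes, "findings": findings}


def build_sample_pe():
    """Constructed stand-in (not the real sample): a .text section whose entry point
    starts with the ep_bytes from File Info, plus a junk-named RWX section filled
    with pseudo-random bytes to look packed."""
    opt = bytearray(224)                                # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # Section / file alignment
    sections = [  # (name, virtual address, raw size, raw pointer, characteristics)
        (b".text", 0x1000, 0x200, 0x200, SCN_EXECUTE | SCN_READ | 0x20),
        (b".rdata", 0x2000, 0x200, 0x400, SCN_READ | 0x40),
        (b"zxcvb", 0x3000, 0x400, 0x600, SCN_EXECUTE | SCN_READ | SCN_WRITE | 0x40),
    ]
    hdr = bytearray(64)                                 # DOS header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)               # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 1552448288,
                                   0, 0, len(opt), 0x102) + opt
    for name, va, size, ptr, chars in sections:
        hdr += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, va, size, ptr,
                           0, 0, 0, 0, chars)
    hdr += b"\0" * (0x200 - len(hdr))
    text = bytes.fromhex("e886050000e98efeffffff25a4d19100").ljust(0x200, b"\0")
    rdata = b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0".ljust(0x200, b"\0")
    packed, seed = b"", b"constructed"
    while len(packed) < 0x400:                          # deterministic pseudo-random bytes
        seed = hashlib.sha256(seed).digest()
        packed += seed
    return bytes(hdr + text + rdata + packed)


if __name__ == "__main__":
    for key, value in triage_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real file, read it in binary mode and pass the bytes to `triage_pe`; the `high_entropy_section` and `unknown_section_name` findings together are the static counterpart of the "executable code extraction" and "unknown PE section name" signatures, and the `ep_bytes` value is what the File Info block lists.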

How to identify Win32/Kryptik.GWGY?

The values below fingerprint this exact file. Use the sha256 for exact matching and ssdeep or tlsh for fuzzy matching of repacked variants; the timestamp is the PE header compile time, which is written by the build tool and is easily forged.

File Info:

name: 6715AEFE42C222A41492.mlw
path: /opt/CAPEv2/storage/binaries/e6aaa1dff5138941e13f702c880ea57990fffe5cfea0ea3c667d5d6a8879048f
crc32: F351F5EB
md5: 6715aefe42c222a414922817fda13738
sha1: e0ea3bfdb28fa4145fed5c522a36cb10004d99fa
sha256: e6aaa1dff5138941e13f702c880ea57990fffe5cfea0ea3c667d5d6a8879048f
sha512: 9ede17c9e31694ec17c77664968c5676e7476cfde59c1a1e9da86198f03f7163e79058ce4ae77791fadafacf6ab055835b626f65d49a0fc5f83bf2dd68fc7df8
ssdeep: 98304:Eqjnl40c1q4hXR23KEGPPWdbY17AgVxpGk0ScTJeUSVU6/Sj+GFP6T0bY6yUefeO:EqS0oq45SKbPed5YfGk0DcUR6/SSGLY7
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T136363313715AC6B3C936207245247AB744B6F9702F26EEEBE7440EBD02382C1AF25D76
sha3_384: 5e9e10b6d5f79f31d6bfdebfb3e3b52b2b8f72bc90bac7e6b6270302d867810171740d5508ce239568f7a26cd927555a
ep_bytes: e886050000e98efeffffff25a4d19100
timestamp: 2019-03-13 03:38:08

Version Info:

FileVersion: 1.0.58.4
InternalName: sdfzsdf.ele
ProductVersion: 51.9.21.7

Win32/Kryptik.GWGY also known as:

The names below are other vendors' detections for the same file. Most are generic packer, heuristic or machine-learning verdicts; the specific ones disagree about the payload, naming a stealer (DrWeb, NANO-Antivirus) or ransomware loaders (Sophos GandCrab, TrendMicro SODINOK, CAT-QuickHeal Stop), which is consistent with a crypter that is reused across payloads.

Bkav: W32.AIDetect.malware2
Lionic: Trojan.Win32.Agent.4!c
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.AntiSandbox.GenericKD.32443566
FireEye: Generic.mg.6715aefe42c222a4
CAT-QuickHeal: Ransom.Stop.MP4
ALYac: Trojan.AntiSandbox.GenericKD.32443566
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: Trojan ( 0055770e1 )
Alibaba: Trojan:Win32/Kryptik.21151e5e
K7GW: Trojan ( 0055770e1 )
Cybereason: malicious.e42c22
Symantec: Packed.Generic.525
ESET-NOD32: a variant of Win32/Kryptik.GWGY
TrendMicro-HouseCall: Trojan.Win32.SODINOK.SM.hp
Paloalto: generic.ml
ClamAV: Win.Malware.Tofsee-9884927-1
Kaspersky: Trojan.Win32.Agent.xabglh
BitDefender: Trojan.AntiSandbox.GenericKD.32443566
NANO-Antivirus: Trojan.Win32.Stealer.fzlmzp
Avast: Win32:Malware-gen
Tencent: Win32.Trojan.Kryptik.Wmsr
Ad-Aware: Trojan.AntiSandbox.GenericKD.32443566
Sophos: Mal/Generic-S + Mal/GandCrab-G
Comodo: Malware@#2yji6r28f8lb6
DrWeb: Trojan.PWS.Stealer.26685
Zillya: Trojan.Agent.Win32.1135006
TrendMicro: Trojan.Win32.SODINOK.SM.hp
McAfee-GW-Edition: BehavesLike.Win32.Trojan.rh
SentinelOne: Static AI – Malicious PE
Emsisoft: Trojan.AntiSandbox.GenericKD.32443566 (B)
APEX: Malicious
GData: Trojan.AntiSandbox.GenericKD.32443566
Jiangmin: Trojan.Agent.cesz
Webroot: W32.Trojan.Gen
Avira: HEUR/AGEN.1136692
Arcabit: Trojan.AntiSandbox.Generic.D1EF0CAE
ViRobot: Trojan.Win32.Z.Agent.5227008.A
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: Trojan:Win32/CryptInject
Cynet: Malicious (score: 100)
AhnLab-V3: Win-Trojan/MalPe31.Suspicious.X2022
Acronis: suspicious
McAfee: Artemis!6715AEFE42C2
VBA32: BScope.Trojan.Agent
Malwarebytes: Trojan.MalPack.GS
Rising: Trojan.Kryptik!1.BC5E (CLOUD)
Yandex: Trojan.Agent!HsaUZwc9jQw
Ikarus: Trojan.Win32.Crypt
MaxSecure: Trojan.Malware.74548533.susgen
Fortinet: W32/Kryptik.GWHV!tr
AVG: Win32:Malware-gen
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_90% (W)

How to remove Win32/Kryptik.GWGY?

Win32/Kryptik.GWGY removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer and run a second scan: the sample registers itself to start at boot and injects into other processes, so confirm that nothing comes back after the reboot.
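The steps above leave the checking to the scanner. As an added example that is not part of this guide or of GridinSoft's product, the following Python script does the host-side check for the persistence behaviours CAPE flagged above ("installs itself for autorun at Windows startup", "creates a copy of itself", "created a process from a suspicious location"): it enumerates the Run/RunOnce keys with winreg on Windows, extracts the image paths from each command line, and flags entries that launch from temp or user-writable directories or whose file hashes to a known-bad sha256. Off Windows it runs against constructed sample entries. The directory heuristics, entry names and paths are assumptions; the only real IOC is the sha256 from the File Info section.

```python
"""Host-side check for the persistence behaviours flagged above: enumerate
autorun entries, pull the image paths out of each command line, and flag
anything launched from temp/user-writable directories or matching a known
sha256. Added example; not GridinSoft's tooling or code from this guide."""
import hashlib
import os
import re
import sys

# Real IOC from the File Info section; add your own hashes here.
KNOWN_BAD_SHA256 = {"e6aaa1dff5138941e13f702c880ea57990fffe5cfea0ea3c667d5d6a8879048f"}
RUN_KEYS = [("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
            ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce")]
# Directory heuristics (assumptions), matched against a lower-cased, '/'-normalised path.
SUSPICIOUS_DIRS = ("/appdata/local/temp/", "/windows/temp/", "/users/public/",
                   "/downloads/", "/$recycle.bin/", "/temp/")
USER_WRITABLE_DIRS = ("/appdata/", "/programdata/")
EXT = r"\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1)"


def candidate_paths(command):
    """Image path of a Run-key command (quoted or unquoted, spaces allowed) plus
    any drive-letter path in its arguments (rundll32/regsvr32-style loaders)."""
    m = (re.match(r'\s*"([^"]+)"', command)
         or re.match(r"\s*(.+?" + EXT + r")(?=\s|,|$)", command, re.I))
    paths = [m.group(1)] if m else []
    rest = command[m.end():] if m else command
    paths += re.findall(r'[a-z]:\\[^\s",]+', rest, re.I)
    seen, out = set(), []
    for p in paths:                                  # de-duplicate, case-insensitively
        if p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(entries, file_exists=os.path.exists, sha256_of=_sha256_file):
    """entries: (source key, value name, command) triples -> one verdict dict each."""
    verdicts = []
    for source, name, command in entries:
        reasons = []
        for path in candidate_paths(command):
            norm = path.lower().replace("\\", "/")
            if any(d in norm for d in SUSPICIOUS_DIRS):
                reasons.append("runs_from_temp_or_public:" + path)
            elif any(d in norm for d in USER_WRITABLE_DIRS):
                reasons.append("runs_from_user_writable_dir:" + path)
            if file_exists(path):
                digest = sha256_of(path)
                if digest in KNOWN_BAD_SHA256:
                    reasons.append("known_bad_sha256:" + digest)
            else:
                reasons.append("file_missing:" + path)   # stale entry or bare name
        verdicts.append({"source": source, "name": name, "command": command,
                         "reasons": reasons,
                         "suspicious": any(not r.startswith("file_missing") for r in reasons)})
    return verdicts


def collect_run_keys():
    """Enumerate Run/RunOnce values with winreg; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
                name, value, _ = winreg.EnumValue(key, i)
                entries.append((hive + "\\" + subkey, name, str(value)))
    return entries


# Constructed entries: the last three mimic the autorun / self-copy behaviour
# described above; every name and path here is made up.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "sdfzsdf",
     r'"C:\Users\bob\AppData\Roaming\sdfzsdf\sdfzsdf.exe" /s'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r"rundll32.exe C:\Users\Public\upd.dll,Start"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "upd",
     r"C:\Users\bob\AppData\Local\Temp\6715AEFE42C222A41492.exe"),
]


def demo():
    """Classify SAMPLE_ENTRIES against a fake file system so the demo runs
    offline: only two files 'exist', one benign, one carrying the IOC hash."""
    fake_fs = {r"C:\Windows\system32\SecurityHealthSystray.exe": "0" * 64,
               r"C:\Users\bob\AppData\Local\Temp\6715AEFE42C222A41492.exe":
                   "e6aaa1dff5138941e13f702c880ea57990fffe5cfea0ea3c667d5d6a8879048f"}
    return classify(SAMPLE_ENTRIES, file_exists=fake_fs.__contains__,
                    sha256_of=fake_fs.__getitem__)


if __name__ == "__main__":
    live = collect_run_keys()
    for v in (classify(live) if live else demo()):
        print("!!" if v["suspicious"] else "  ", v["name"], v["reasons"] or "clean")
```

Run it from an elevated prompt so HKLM is readable. Entries reported as `file_missing` only are usually stale leftovers; the ones to act on are those launched from Temp, Public or AppData, and any `known_bad_sha256` hit should be quarantined along with the registry value that starts it, since the sample re-creates its copy at the next boot otherwise.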

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.