PUP.Kryptex
Analysis Report
General information
| Family Name: | PUP.Kryptex |
|---|---|
| Signature status: | Root Not Trusted |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 1cdbe7858f2a1037332a63fc88677989 | 93df94ba36c87e7cd538308b5d1de1aea5dbe04f | | 248.58 KB, 248576 bytes |
| eb095841bbe5e0d57f295f74c7eb0a66 | 85cbf7278f9388dbc779edb8ff24aaebc897c8bc | 229659D05D088F3AF6F6B4C17D94C6A71469FCC3D427C72324DC91D5BEDD82BF | 234.86 KB, 234856 bytes |
| 3c9ff5d531abd206394af2689cbdb0e2 | 9ce53f2d95883e5a484ffbd54ef735b37184e339 | 0DC0046A0705BBADB3ABFC1C5A10F167BD5E0CFE35D76B6F454211355BC15A3D | 309.61 KB, 309608 bytes |
| 4eb50b0fcf0f51f6659a70e466c57b45 | 1dd83297bccf4c38abce41f6e01f4d3eba66538c | BE34837209C44C8756C8F973F09F5D7F603D59191742B4D180F72AE43BABF212 | 250.62 KB, 250624 bytes |
| 6147cecc055e32fa47777362f0eaded5 | 14ceabe6f6e2828c72a0e9e4c035afeecc818d42 | F1574F9EBE865167D6A9178E4EA37124463CE8215A4EB3B49B8ED25F50AFDD3B | 130.28 KB, 130280 bytes |
| e2c8d3a49cd53c45bcdd2eb8d3cf0a7d | 4722c2bc2b7a1ada57bd43b25ede80e7dba205e9 | 5363A1928A9A187CE5ED694FAD32EEA6B399E85D0AA2932536B986BAE1B6518D | 262.89 KB, 262888 bytes |
| 2525edd81134dc17c129d70f94b086f2 | 102f15686b3f0cc784f8e0e5696d7bd30c0085b0 | 181CACA753ADB6C99C1701EB14D803CDE661FDD6402439012D6751170527E873 | 325.35 KB, 325352 bytes |
| 70a9bd0db1fd02f4275f20620a06e14a | df526ccb50d207e69763e98e40738b5eb06be497 | AFD0F202ECBD89E70867C7ED32BA75D1987288042740799737570396CABE5335 | 130.41 KB, 130408 bytes |
| 0a37aaf0a285d0f1d74c39ee0d041d87 | f8cf596e0231ffe0aed0a169dc4bb2e6f56368c5 | 461A3D79050944900013FE5F4E1C0D72C03BC41514CD668104F5464D896D80A2 | 130.28 KB, 130280 bytes |
| 8ef73a748d1729adbd03994233f42606 | c729cb85909e91c4ef7df3b153194da8c2908784 | E52F3816AAA23E7EDAD45D9D55C624E891DE3635AC8BB1C23063BE43F54EA177 | 261.86 KB, 261864 bytes |
| 5d0df061304df89242d37610bbba50ba | e36e869f76236ac7aa597992b43a7bad032491e5 | B87022E3E5C2006AD20E590AB1F8CFC004F4DA33E1EC0D96ABB49F2210FDD790 | 203.66 KB, 203656 bytes |
| 34cfd4acb5b24742522e195d2f7d5906 | 36f062f51d05421d808bc729e5b1dbf52b89808e | 888DC4B24B4835E91426C43649ECD50F9425F21617C3CBA0052027FEA09953CC | 203.66 KB, 203656 bytes |
| ec11a3395e1006ed711c802d84229862 | 11651b785e2d7f6dabb0622cc04e24032dc31ad1 | B1CB150611346F6A2FD413FDBF1389C589D61D930D88B139A11633A34DBB5441 | 130.28 KB, 130280 bytes |
| eee5b080aace51bacc27061d40357a50 | 756fd24352c3dc661996270c93b1dd2f9c6cd3c9 | 99569DFDB8BCF11FB8BA6B91AEF7F72A91A40BA6915A8BFA9359FFEA03BB14AE | 203.66 KB, 203656 bytes |
| dd7cf32170812642da1c39ec09458262 | 4f90a1c7fe225e53a9588a66409b7fab8bb3feed | 2FEC62B5FF89A3EA7B88BDFFCB78CA663C82740B926E2F1A6C764A9A8A2648A8 | 200.33 KB, 200328 bytes |
| 69981d5188a2328b9a9d6c6598b917bf | 322ef96a791124fd1a0578ccb78b442ea742e627 | 8E04E43171F47CE240D8CC03E7D5DFA6ABD3722EF0262DBD8B19BD2D3F86EEFC | 203.66 KB, 203656 bytes |
| 84c2c4ddd938f000ba814b5078cfc218 | fef6d87263cfbdf2e343c2e69fce58b04035a129 | 51AA6814488C8959598CBA1FD96B75D589A4201A8E5CEF69A6726B3EC48A5632 | 325.86 KB, 325864 bytes |
| 05896a114fec86d7103a08e3b0ed3240 | c911cb2eba9e9592c9be376d94bdb1471d0f9026 | 1C3FE5F2DCA664C3D6EFE9E2D83762D7C3200446294FCAD4066F8EBBD347D647 | 203.66 KB, 203656 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Comments | Tool for elevating applications on the command line |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

| Signer | Root | Status |
|---|---|---|
| xBlock Ventures OÜ | Sectigo Public Code Signing Root R46 | Root Not Trusted |
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Agent.ERB
- Agent.GST
- Agent.IJ
- Agent.KFSN
- Agent.KPDA
- Agent.KUF
- Agent.PGR
- Agent.RTN
- BadIIS.F
- ClipBanker.FG
- ClipBanker.LG
- CobaltStrike.XAA
- Farfli.DH
- Kryptik.DEG
- Kryptik.FRJ
- Kryptik.GSF
- Kryptik.JUB
- Kryptik.KBO
- Kryptik.KLS
- Kryptik.UP
- Malex.N
- PSWDump.D
- Ramsay.B
- Rozena.XV
- Rugmi.FH
- Spy.Agent.KG
- Stealer.KV
- TcpScan.B
- Trojan.Agent.Gen.BBD
- Trojan.Agent.Gen.BL
- Trojan.Agent.Gen.FN
- Trojan.Agent.Gen.HR
- Trojan.Agent.Gen.JC
- Trojan.Agent.Gen.JJ
- Trojan.Agent.Gen.V
- Trojan.Downloader.Gen.AR
- Trojan.Kryptik.Gen.DLW
- Trojan.Kryptik.Gen.GQ
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| \device\namedpipe | Generic Read,Write Attributes |
| \device\namedpipe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsca748.tmp\nsexec.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsca748.tmp\nsprocess.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsca748.tmp\stdutils.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsca748.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsca748.tmp\uac.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsca748.tmp\winshell.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsgc5fc.tmp\nsexec.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsgc5fc.tmp\nsprocess.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsgc5fc.tmp\stdutils.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsgc5fc.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsgc5fc.tmp\uac.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsgc5fc.tmp\winshell.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq94f2.tmp\nsexec.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq94f2.tmp\nsprocess.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq94f2.tmp\stdutils.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq94f2.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq94f2.tmp\uac.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq94f2.tmp\winshell.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst97db.tmp\nsexec.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst97db.tmp\nsprocess.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst97db.tmp\stdutils.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst97db.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst97db.tmp\uac.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst97db.tmp\winshell.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsuba7c.tmp\nsexec.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsuba7c.tmp\nsprocess.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsuba7c.tmp\stdutils.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsuba7c.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsuba7c.tmp\uac.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsuba7c.tmp\winshell.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv7459.tmp\nsprocess.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv7459.tmp\stdutils.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv7459.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv7459.tmp\uac.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv7459.tmp\winshell.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\~nsua.tmp\un_a.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\75d5576e-45ad-4801-b70f-41fff3b83c73.tmp *1\??\C:\sandbox_live\tmp\112915\4676\c\users\user\appdata | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4 *1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352 *1\??\C:\P | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52 *1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62 *1\??\C:\P | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| Network Wininet | |
| Anti Debug | |
| User Data Access | |
| Process Shell Execute | |

93 additional items are not displayed above.
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

- "C:\Users\Qwkmrilj\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
- schtasks /delete /f /tn KryptexElevationV2
- schtasks /delete /f /tn KryptexElevationV2FromStartup
- "C:\Users\Bolgkcob\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
- "C:\Users\Tbcydmov\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
- "C:\Users\Rlzzgrle\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
- "C:\Users\Dtummymd\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
- "C:\Users\Vwcwbhis\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\