Trojan.Kryptik.CLAR
Table of Contents
Analysis Report
General information
| Family Name: | Trojan.Kryptik.CLAR |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
684e8719fbe0c1d457aae7160c37769f
SHA1:
ccfa45939f5e053eaaa5cf833007426cf0482b99
File Size:
3.75 MB, 3751933 bytes
|
|
MD5:
9a9a49ae3ad90c77143ce17ef4badef9
SHA1:
4bfd7ac4de80f5f53cb3fd85f21e6ca079199fe4
File Size:
4.11 MB, 4112230 bytes
|
|
MD5:
d3e7a7d85d470149cb2c27a171c6c7fe
SHA1:
fa29b182c2e3e36fd5a862c1353e051d8ea6be8c
File Size:
4.15 MB, 4152724 bytes
|
|
MD5:
365e78735c46452919373d6eb3b45370
SHA1:
edf0de1a2d30b58b7efb48568c22209293202767
File Size:
4.36 MB, 4358019 bytes
|
|
MD5:
f1fb671ff3b76e901203af1440b0a54c
SHA1:
dbdd59b3b0f221ecd5dbc8c3061c223b45f35893
File Size:
3.59 MB, 3587203 bytes
|
Show More
|
MD5:
cd09fab5128c9ab1ebd957d04dce6896
SHA1:
bad89fc33a22f209c027f32cd4cae73895307cea
File Size:
4.51 MB, 4505380 bytes
|
|
MD5:
e5909bc416933eb1b50e50242164ea05
SHA1:
ab577e28e062c4c0c770c1aa15bd62b3ce63c9b8
File Size:
4.34 MB, 4338905 bytes
|
|
MD5:
758378ddb9e7209890d63cd8e22d055d
SHA1:
d7b9fa8762fa36baf59b215be857608fe7aa41f6
SHA256:
5B75BC5AABBEE6CC98558EE524D5DCB22F248B4D56F8348EAEB432359FD8318E
File Size:
3.53 MB, 3529773 bytes
|
|
MD5:
6acf4c9b65565d390d851f209d265b2a
SHA1:
0d32321f6136b223706273c5dadea740079da074
SHA256:
19941E159926B7A384EABF2D12BFBAB8E156BC4A4F24D64223183E01182A2762
File Size:
4.53 MB, 4525091 bytes
|
|
MD5:
d0706f4d149b9bdb1f20384d92c553ab
SHA1:
24980d40ea3cb38539bcd87c0d83a1f9c5fd60ec
SHA256:
CB7C53C076A2833A09648812D0816F94A84E2E717E7E4D3C88206EE2FEA851CE
File Size:
4.26 MB, 4259394 bytes
|
|
MD5:
5c0efe6208c1d97d0845adea7278bf38
SHA1:
89c73d29529597f5238c90f2d54bc87842c382b7
SHA256:
40B98CA51964D9B900F6CC469322D0B920AF2193F8D5932DC14420C0FFFB4426
File Size:
4.30 MB, 4298232 bytes
|
|
MD5:
e8f30667c9cc0b605009b802dd5cc769
SHA1:
2652f8bc54591527aa51e8d681da5af7531df4cb
SHA256:
DFCA245E82ABB7B1DC0DB13131F643B2A151FD78F3433A044C886CDFBB593292
File Size:
4.18 MB, 4175426 bytes
|
|
MD5:
425c46fed886fea506427299c6ad6eaa
SHA1:
36a307a2637c45d2052b818872f4a369336e5087
SHA256:
DDB75AFFB2B29295CBCC54305F4ADEB32B2E99E252992061FD62694C2C05B783
File Size:
4.26 MB, 4263858 bytes
|
|
MD5:
90db40178ab0d0f5e5766b4f2d2abbe4
SHA1:
00a6a0ba6196d750dfe2c4d2ee6522de3a6b023a
SHA256:
74B03FF825300FE2B35589F74DE59F15BDF52CD1AE0C4FA9883AC05A5117D7ED
File Size:
3.69 MB, 3691114 bytes
|
|
MD5:
ed821211f3c7ca424b257b290ebd969e
SHA1:
7ec671a9fade24117d7d18d7d1c022f89b621091
SHA256:
3C175BE4659712C62AD2E0D35D1161C854F5367595C6B3C5DB199B3E597A642C
File Size:
3.53 MB, 3532499 bytes
|
|
MD5:
f10a5fd894f001baf9009b63d5804952
SHA1:
551f83408a157e4cc4d1eb529394f13b01541d28
SHA256:
9A54146059B783A01E1D4BD29AEB192CE9B62B2284134109418005F7B80538E2
File Size:
4.15 MB, 4153392 bytes
|
|
MD5:
105499cb5f9f387a00598d970c2d3a50
SHA1:
f49d77a5ba3f82a74bc1db0f13a235855abe67b7
SHA256:
21271B4FA69725E8AE83DB919F55793564AA9B0610249BF49228AC0BA5FE7A62
File Size:
4.23 MB, 4228357 bytes
|
|
MD5:
a68213a43bcc0835d8b2459f7ef0a3f3
SHA1:
bc0cb47037175059b7102cdc84216acc1ba29f27
SHA256:
174C953B7A557F1FA5D02A300B51E41310EA2AF0C59A8757D451C0DC21CE0768
File Size:
4.90 MB, 4904449 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
Show More
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Show More
15 additional icons are not displayed above.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| File Description | Coollector Movie Database |
| File Version |
Show More
|
| Internal Name | Coollector Movie Database |
| Legal Copyright | Coollector (C) 2020 |
| Original Filename | Coollector.exe |
| Product Name | Coollector Movie Database |
| Product Version |
Show More
|
File Traits
- 2+ executable sections
- HighEntropy
- imgui
- VirtualQueryEx
- WriteProcessMemory
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 3,573 |
|---|---|
| Potentially Malicious Blocks: | 1,514 |
| Whitelisted Blocks: | 2,059 |
| Unknown Blocks: | 0 |
Visual Map
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
0
x
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
0
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
x
x
x
x
x
x
x
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
0
x
x
0
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
0
0
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
0
0
x
x
0
0
x
x
x
x
x
x
0
x
x
x
x
x
x
x
0
0
0
x
x
x
x
0
x
x
x
x
x
x
x
x
0
0
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
x
x
0
0
x
0
x
0
0
0
x
x
x
x
0
0
0
x
0
0
x
x
x
x
0
0
x
x
x
x
x
0
0
x
x
x
0
0
x
0
0
0
0
0
x
x
x
0
x
x
x
0
x
x
x
0
x
0
x
0
0
0
x
0
0
x
x
x
x
x
0
0
0
x
0
x
x
x
x
x
x
0
0
0
0
x
x
0
0
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
0
0
0
x
x
0
x
x
x
x
x
x
x
0
0
0
0
0
x
x
x
0
x
x
x
x
x
x
x
x
x
0
x
x
0
0
x
x
x
x
x
0
x
x
x
x
x
x
x
x
0
0
x
x
x
x
0
0
0
x
x
0
x
x
0
x
0
x
x
0
x
x
0
x
0
x
x
x
0
0
x
x
x
0
0
x
x
0
x
x
x
x
x
0
x
0
x
x
x
0
0
0
x
x
0
x
0
x
x
x
0
x
x
x
x
x
x
x
0
x
x
x
x
x
0
x
x
0
x
x
x
0
0
x
0
x
0
0
0
x
x
x
x
0
x
0
x
0
x
0
x
0
x
0
0
x
x
0
x
x
x
x
x
x
x
x
x
0
x
x
0
x
x
x
x
x
x
0
x
0
x
x
0
x
x
x
x
x
x
x
0
x
0
x
0
x
x
x
x
x
x
x
0
x
x
x
x
x
x
0
x
0
0
x
x
x
x
x
0
x
0
x
x
x
x
x
x
x
x
0
x
0
0
x
x
x
x
x
x
x
x
0
x
x
0
x
x
0
x
x
0
0
0
0
x
x
x
0
0
x
x
x
x
x
0
0
x
0
x
x
x
x
x
x
x
x
x
x
0
x
0
0
0
0
x
0
0
x
x
x
0
x
0
0
x
x
x
0
x
x
0
x
x
0
x
0
x
0
x
x
x
0
x
x
x
x
0
x
0
x
x
x
x
0
x
0
0
x
0
x
x
x
x
0
x
0
0
0
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
0
x
x
0
0
0
x
0
x
0
0
x
x
x
0
x
x
0
x
x
x
0
0
0
0
x
x
x
0
x
0
x
0
x
x
x
x
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
x
x
0
x
x
0
x
x
x
x
x
x
x
0
...
Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Kryptik.CLAR
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Keyboard Access |
|
