Trojan.Kryptik.FTM

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Kryptik.FTM
Signature status: No Signature

Known Samples

MD5: 5d5ae6836d0c19718409a548f464d381
SHA1: 8aeb29a0b3547ee132893b5d0b42a236059ad023
SHA256: 575F5DE937FB9A84C2C1F67EA4204E180A8E89C8BF01343AFC42C6491D2CAE7A
File Size: 225.28 KB, 225280 bytes
MD5: ee92f953d8374985295346ce296af56e
SHA1: 9e74dde821118428179bf2846aa2f2a5a196630e
SHA256: 7C9555177E006E52C56B74786084CDF85D11C72EFE5B3980F31434857D688B36
File Size: 225.28 KB, 225280 bytes
MD5: af1dae651b02d27394165fb4715c1a73
SHA1: 2afd31843010b7daf2fb0d194ccae3a0ebeeffc0
SHA256: E8BA0637A9A932A8511686160885874D1FE39C77CCBDD06617563D49975F4BF7
File Size: 225.52 KB, 225521 bytes
MD5: e9c95808d1ba835f5f8ee21da19fba11
SHA1: a2d08e3b00e7e77eee5b387a0e03728e9a06070b
SHA256: 8C6D0728E65864923A9DD9CF1CB512AB65C3D80B69505818A52563A1EFE4B59F
File Size: 245.76 KB, 245760 bytes
MD5: 913ce3de89d300e9ab70faaf01fd7fb7
SHA1: c43bccac6244f9e551a0f33f5e8df47e15889c95
SHA256: 30A0F1743A7F99D9F6F75AE390BDF4046623DECA40420743D9AD9FDE7D5A3F1E
File Size: 225.80 KB, 225803 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: Microsoft Corporation
File Description: Host Process for Windows Service
File Version: 4.0.0.0
Internal Name: sqhost.exe
Legal Copyright: Copyright (C) 2016
Original Filename: sqhost.exe
Product Name: sqhost.exe
Product Version: 4.0.0.0

File Traits

  • 2+ executable sections
  • HighEntropy
  • x86

Block Information

Total Blocks: 13
Potentially Malicious Blocks: 13
Whitelisted Blocks: 0
Unknown Blocks: 0

Visual Map

x x x x x x x x x x x x x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Kryptik.FTM

Files Modified

File | Attributes
c:\windows\temp\setup_gitlog.txt | Generic Read, Write Data, Write Attributes, Write Extended, Append Data
c:\windows\temp\setup_gitlog.txt | Generic Write, Read Attributes

Registry Modifications

Key::Value | Data | API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | <binary data, not rendered> | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | <binary data, not rendered> | RegNtPreCreateKey
HKCU\local settings\muicache\17\52c64b7e::@c:\windows\system32\mlang.dll,-4386 | English (United States) | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | <binary data, not rendered> | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | <binary data, not rendered> | RegNtPreCreateKey
HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\mlang.dll,-4386 | English (United States) | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | <binary data, not rendered> | RegNtPreCreateKey

Windows API Usage

Category | API
Process Shell Execute
  • CreateProcess
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExcludeClipRect
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtSelectClipRgn
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFlush
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry

102 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Network Winsock2
  • WSAStartup
Network Winsock
  • freeaddrinfo
  • getaddrinfo
Network Icmp
  • IcmpCreateFile
  • IcmpSendEcho2Ex
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

cmd.exe /c systeminfo>>C:\Windows\temp\setup_gitlog.txt&ping 8.8.8.8>>C:\Windows\temp\setup_gitlog.txt
C:\WINDOWS\system32\systeminfo.exe systeminfo
WriteConsole: ERROR:
WriteConsole: CoInitialize has
C:\WINDOWS\system32\PING.EXE ping 8.8.8.8
WriteConsole:
WriteConsole: Loading Operatin
WriteConsole: Loading Computer
WriteConsole: Loading Processo
WriteConsole: Loading BIOS Inf
WriteConsole: Loading Input Lo
WriteConsole: Loading TimeZone
WriteConsole: Loading Profile
WriteConsole: Loading Pagefile
WriteConsole: Loading Hotfix I
WriteConsole: Loading Network
WriteConsole: Loading Hyper-V