
Trojan.Kryptik.LFSA

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Kryptik.LFSA
Signature status: No Signature

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • Cloud Future Omega Technologies
  • Cloud Macro Systems
  • Data Alpha Root Ltd
  • Elite Base Corp
  • Innovation Delta Beta Group
  • Innovation Pro Root Inc
  • Learning Center
  • Macro Cyber Systems
  • Max Base Next Inc
  • Max Micro Technologies
  • Modern Neural Elite Inc
  • Nano Solutions Delta Inc
  • Net Tech Ltd
  • Neural Innovation Group
  • Neural Max Group
  • Next Cloud Technologies
  • Prime & Solid Space
  • Systems Next Soft Inc
File Description
  • Compressor Virtual Formatter
  • Designer Easy
  • Easy Accelerator
  • Elite Max Detector Builder
  • Hash Business Instant Builder
  • Interpreter Composer
  • Interpreter Generator
  • Maker Inspector Accelerator
  • Next Productive
  • Optimized Accuracy Verified
  • Parser Database
  • Pipeline Real Light Stopper Framework
  • Precision Performance
  • Quick Builder Explorer Rapid
  • Secure Quality
  • Simple Full
  • Streamlined Instant
  • Unified Column Configuration Queuer
File Version
  • 16.8.84.9099
  • 16.5.52.3908
  • 14.2.3.491
  • 13.9.14.2050
  • 13.0.9.8365
  • 12.5.98.3076
  • 12.1.4.2673
  • 11.1.75.5187
  • 10.6.46.4993
  • 8.7.66.7505
  • 8.6.49.8852
  • 8.5.13.8074
  • 8.4.24.409
  • 8.2.20.3720
  • 6.1.36.2127
  • 4.2.81.1661
  • 3.8.74.9832
  • 3.7.2.43
Internal Name
  • ai_data_standard
  • concurrent_future_instant
  • digital_basic_quality
  • door_governance
  • engine_superior_buffer
  • enhanced_next_sdk
  • enterprise_web_stream
  • fetch_copyright_twee
  • hash_advanced_adaptive
  • hyper_async_edge
  • instant_real_professional
  • intelligent_database_efficient
  • mega_secure_optimized
  • ml_pro_runtime
  • outstanding_web_adaptive
  • superior_iot_plus
  • super_powerful_network
  • web_sdk_buffer
Legal Copyright
  • Copyright (C) 2013-2020 Learning Center
  • Copyright (C) 2020 Elite Base Corp
  • Copyright (C) 2021 Cloud Macro Systems
  • Copyright (C) 2022 Cloud Future Omega Technologies
  • Copyright (C) 2022 Innovation Pro Root Inc
  • Copyright (C) 2022 Macro Cyber Systems
  • Copyright (C) 2022 Max Base Next Inc
  • Copyright (C) 2023 Net Tech Ltd
  • Copyright (C) 2023 Neural Max Group
  • Copyright (C) 2023 Next Cloud Technologies
  • Copyright (C) 2024 Innovation Delta Beta Group
  • Copyright (C) 2024 Max Micro Technologies
  • Copyright (C) 2025 Data Alpha Root Ltd
  • Copyright (C) 2025 Modern Neural Elite Inc
  • Copyright (C) 2025 Nano Solutions Delta Inc
  • Copyright (C) 2025 Neural Innovation Group
  • Copyright (C) 2025 Systems Next Soft Inc
  • Copyright 2018, 2023 Prime & Solid Space
Original Filename
  • ai_data_standard.exe
  • concurrent_future_instant.exe
  • digital_basic_quality.exe
  • door_governance.dat
  • engine_superior_buffer.exe
  • enhanced_next_sdk.exe
  • enterprise_web_stream.exe
  • fetch_copyright_twee.dat
  • hash_advanced_adaptive.exe
  • hyper_async_edge.exe
  • instant_real_professional.exe
  • intelligent_database_efficient.exe
  • mega_secure_optimized.exe
  • ml_pro_runtime.exe
  • outstanding_web_adaptive.exe
  • superior_iot_plus.exe
  • super_powerful_network.exe
  • web_sdk_buffer.exe
Product Name
  • AI Data Standard Interpreter
  • Concurrent Future Instant Debugger
  • Digital Basic Quality Creator
  • Engine Superior Buffer Reliable Navigator
  • Enhanced Next SDK Compiler
  • Enterprise Web Stream Express Designer
  • Hash Advanced Adaptive Interpreter Editor
  • Hyper Async Edge Efficient Finder
  • Instant Real Professional Tracker
  • Intelligent Database Efficient Debugger
  • Mega Secure Optimized Comprehensive Browser
  • ML Pro Runtime Scanner
  • Outstanding Web Adaptive Explorer
  • Reverb Slim Resolver
  • Superior IoT Plus Designer
  • Super Powerful Network Complete Explorer
  • Vital Phenomenal Monitor Decompressor 614
  • Web SDK Buffer Enhancer
Product Version
  • 16.8.84.9099
  • 16.5.52.3908
  • 14.2.3.491
  • 13.9.14.2050
  • 13.0.9.8365
  • 12.5.98.3076
  • 12.1.4.2673
  • 11.1.75.5187
  • 10.6.46.4993
  • 8.7.66.7505
  • 8.6.49.8852
  • 8.5.13.8074
  • 8.2.20.3720
  • 6.1.36.2127
  • 4.2.81.1661
  • 3.8.74.9832
  • 3.7.2.43
  • 3.6.0.54

Digital Signatures

Signer: Adobe Inc. | Root: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Status: Hash Mismatch
Signer: Microsoft Corporation | Root: Microsoft Code Signing PCA 2011 | Status: Hash Mismatch

File Traits

  • big overlay
  • dll
  • HighEntropy
  • x64

Block Information

Total Blocks: 236
Potentially Malicious Blocks: 100
Whitelisted Blocks: 126
Unknown Blocks: 10

Visual Map

[Per-block map omitted: one marker per block in file order, where 0 = probable safe block, ? = unknown block, x = potentially malicious block.]

Similar Families

  • Bulz.PPF
  • Kryptik.LFSA
  • Kryptik.ODSA

Files Modified

File Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\pshost.134137752648301131.6740.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134138472582864828.1004.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134163936297467998.4752.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
c:\users\user\appdata\local\temp\__psscriptpolicytest_2x5rhtz5.ixg.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_4iply15m.evz.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_azqijmxl.0yv.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_bi3tu2c4.1d5.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_dcbeuwfx.oky.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_dmruuwt0.yi4.ps1 Generic Write,Read Attributes

Registry Modifications

Key::Value | Data | API Name
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | (binary data, not reproduced) | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | (binary data, not reproduced; four separate writes with differing values) | RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects

58 additional items are not displayed above.

Encryption Used
  • BCryptOpenAlgorithmProvider
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Get-Process | Select-Object Name"
