
Trojan.Kryptik.TSA

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 5,490
Threat Level: 80 % (High)
Infected Computers: 9,616
First Seen: July 29, 2023
Last Seen: March 2, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Kryptik.TSA
Signature status: No Signature

Known Samples

MD5: 7434a9149e7b0c1cbe935850de67b6ad
SHA1: 909146ee5bf0dd3a79ed213acbb9ca77bedd61ba
SHA256: 9779BEE0EE373040CA74B74C15C670C15975DD64CB9E27476954C4407D7ACE12
File Size: 6.13 MB, 6128640 bytes
MD5: a6279e81006cb2ccb197a46bd4b5efed
SHA1: da1a04ec1914dd8ffd71282ec28839f566cec04f
SHA256: 61B64985AA3CB5096C81EBBABA6645DFA45957964BB740AE5DA7277697896555
File Size: 5.64 MB, 5638296 bytes
MD5: 966fc53c249806c56c2489f1ae838b2c
SHA1: 43be11ffb553e3324acd7773ea10846aac7fa849
SHA256: 86B9795B1B548F1686CB6169DA28AE2A398FE1DDBCBD68F23B9B462662E20742
File Size: 5.60 MB, 5599744 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Company Name: Google Inc.
File Description: Google Chrome
File Title: chrome.exe
File Version: 70,0,3538,110
Legal Copyright: Copyright 2017 Google Inc. All rights reserved.
Product Name: Google Chrome
Product Version: 70,0,3538,110

Digital Signatures

Signer: Google LLC
Root: DigiCert Trusted Root G4
Status: Hash Mismatch

File Traits

  • HighEntropy
  • x64

Block Information

Total Blocks: 116
Potentially Malicious Blocks: 50
Whitelisted Blocks: 60
Unknown Blocks: 6

Visual Map

0 0 0 0 0 0 0 x ? ? ? 0 ? ? 0 x x x x x x x 0 0 x x x x x x 0 x x x 0 x x x 0 0 0 0 x 0 x 0 x x x x 0 x x 0 0 x x x x x x x x x 0 x 0 x 0 0 x 0 x x x 0 x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ?
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Kryptik.TS
  • Kryptik.TSA

Files Modified

File | Attributes
\device\namedpipe\dialerchildproc64 | Generic Read, Write Data, Write Attributes, Write extended, Append data
\device\namedpipe\dialercontrol_redirect64 | Generic Read, Write Data, Write Attributes, Write extended, Append data
\device\namedpipe\pshost.134113596550945436.4752.defaultappdomain.powershell | Generic Read, Write Data, Write Attributes, Write extended, Append data, LEFT 524288
c | Generic Write
c:\program files | Generic Write
c:\program files\google | Generic Write
c:\program files\google\chrome | Generic Write
c:\program files\google\chrome\updater.exe | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete
c:\users | Generic Write
c:\users\user | Generic Write
c:\users\user\appdata | Generic Write
c:\users\user\appdata\local | Generic Write
c:\users\user\appdata\local\temp | Generic Write
c:\users\user\appdata\local\temp\__psscriptpolicytest_dkrz3jmf.zzp.ps1 | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_im4hfrw4.yx3.psm1 | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\evxvbcjmnmsr.xml | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete
c:\users\user\appdata\local\temp\kpvnlaptjhlg.tmp | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete

Registry Modifications

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe
Data: (binary value, not rendered as text)
API Name: RegNtPreCreateKey

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe
Data: (binary value, not rendered as text)
API Name: RegNtPreCreateKey

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe
Data: (binary value, not rendered as text)
API Name: RegNtPreCreateKey

Key::Value: HKLM\software\dialerconfig\pid::svc64
API Name: RegNtPreCreateKey

Windows API Usage

Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject

6 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges
Process Shell Execute
  • CreateProcess
  • WriteConsole
Process Terminate
  • TerminateProcess

Shell Command Execution

C:\WINDOWS\System32\sc.exe sc stop UsoSvc
WriteConsole: SERVICE_NAME:
C:\WINDOWS\System32\sc.exe sc stop WaaSMedicSvc
C:\WINDOWS\System32\sc.exe sc stop wuauserv
C:\WINDOWS\System32\sc.exe sc stop bits
C:\WINDOWS\System32\sc.exe sc stop dosvc
