Trojan.Kryptik.VGSA
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 4,986 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 63 |
| First Seen: | February 9, 2026 |
| Last Seen: | May 30, 2026 |
| OS(es) Affected: | Windows |
Table of Contents
Analysis Report
General information
| Family Name: | Trojan.Kryptik.VGSA |
|---|---|
| Packers: | UPX! |
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
3fe8b7cb92d6715e44263a4c2360ff83
SHA1:
0d735c4f0403d97d94eb55b12358ebfa63216cb6
SHA256:
9615BA52930A5CA605D4AC46C064D69E4A6579E33226365631F7A6D20FB6820B
File Size:
7.92 MB, 7920684 bytes
|
|
MD5:
f2a6af1869eae97c27bbb32b4de91dcf
SHA1:
ba98579467ef345e71cac0f48f5cd286adaf6f80
SHA256:
372D2FB87062294BEF89362BC8E0F6CDAD13377750EE96FFB9FEC4F1CF3EC9A6
File Size:
9.81 MB, 9810024 bytes
|
|
MD5:
d5f6e2675bf463a3b7fb7ce8b581f6b8
SHA1:
319403d89aafe8a4d18631868c0f258a5c7e0970
SHA256:
2657DFA0909CBF6CE9A63A16B6E79465E8CD4ACB1ACF83F6119D46B842A6BC49
File Size:
9.81 MB, 9811595 bytes
|
|
MD5:
afdb24b7cec61b0e0ca6d5b9fe191127
SHA1:
0d528488939f1c3c2c586dcf189d5a4a7cc56290
SHA256:
8C4C92A36CA374C2403E606A4EB88D798F24ED5418EA6D3780DEE96988E5A6D9
File Size:
9.81 MB, 9808316 bytes
|
|
MD5:
5c294857d6cc4ecce77c749992d47329
SHA1:
d03da10782ab49bb3ef9655928c7afa8f48351c5
SHA256:
F96EB4712F172963BF13FC81D7617AD9A7B22DCA04048F3C03301BBC9BF29664
File Size:
8.66 MB, 8663040 bytes
|
Show More
|
MD5:
495bb631fd702ed0e41f224ef7926f1e
SHA1:
b12eba3f47a71b25ca22feaf3e11828412bee605
SHA256:
C024EA8B3A6B3FB4009971FFFE3839930406E1F5AF4569E4FC748B94C95C340B
File Size:
7.94 MB, 7938967 bytes
|
|
MD5:
34a9ffc06002648599c4b99383d8710f
SHA1:
61cac89fd69cbdc65788602fb5cdd02b46a4d43d
SHA256:
237474F6831CBDC363B5104EF8BFE45CFC4873299CF539DED748287C573F4E56
File Size:
5.47 MB, 5467136 bytes
|
|
MD5:
0e8a9c2ddeb893f13e71b562b6a9ebc5
SHA1:
54747d2b15081ec4d98feb3489a0509a8d17941d
SHA256:
660BA64A22CAD661DAC62BAF9454426626F7DE7DC36348501183EA3068125250
File Size:
7.19 MB, 7190528 bytes
|
|
MD5:
811a2ced7c3eb4e1a256afe1f7ba5e1a
SHA1:
88cba63f20fc8a1278c4b963f6af41983f87bbc2
SHA256:
B4051319C625C4C5C6FAA6DA7A0D4A990AA2AB06373C3582BE9932718ADA6A5B
File Size:
8.22 MB, 8224167 bytes
|
|
MD5:
2cd7df5d92352c3e5a7e178ec9325170
SHA1:
423d619b992ff11193a2063e6bf7c8813fde6cc1
SHA256:
0E7C20608403C9819B4B47EA03779E634C1DF60EC792B0A8505BF5E111FA53A3
File Size:
5.34 MB, 5343232 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have security information
- File has been packed
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is Native application (NOT .NET application)
Show More
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Company Name |
|
| File Description |
|
| File Version |
|
| Internal Name |
|
| Legal Copyright |
|
| Original Filename |
|
| Product Name |
|
| Product Version |
|
File Traits
- 2+ executable sections
- big overlay
- dll
- HighEntropy
- ntdll
- packed
- vlizer
- x64
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 7,963 |
|---|---|
| Potentially Malicious Blocks: | 168 |
| Whitelisted Blocks: | 6,699 |
| Unknown Blocks: | 1,096 |
Visual Map
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
x
0
x
0
0
0
0
x
0
0
0
0
0
?
x
x
x
?
?
0
x
x
0
?
0
0
0
0
?
x
x
x
?
0
x
0
x
0
?
?
?
0
?
0
0
?
0
0
?
x
?
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
0
0
x
0
0
x
0
x
0
0
0
?
?
x
?
x
0
0
0
0
0
0
0
0
0
0
x
x
x
x
0
x
x
0
0
0
0
0
0
0
0
0
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
x
x
x
0
...
Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- ClipBanker.XC
- Kryptik.VGR
- Kryptik.VGSA
- Kryptik.VGT
- ShellcodeRunner.LLB
Show More
- ShellcodeRunner.THA
- Spy.Agent.LLA
- Trojan.Agent.Gen.BTQ
- Trojan.Filecoder.Gen.DB
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|
