Trojan.Krypt.KBAJ
Analysis Report
General information
| Family Name: | Trojan.Krypt.KBAJ |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| d17c5d3d5672442e9502b45bd2b507b1 | 266d9fb7afbd3072d3663592b71d3f46b98a863d | 9207C2C9C215136130F9096C1C34483BD6CF43DA94E20D82C84632F8657EF2F9 | 3.69 MB (3,686,912 bytes) |
| 9d2805e236077c04e19f8a43c850cf62 | a2dfb8ab38ecb48a702c8fa540f5ec595ed042a7 | D446216E859C3FFF2B4E6481FD8FA05C539449B9556B6F435719ECF0BC616796 | 3.69 MB (3,687,104 bytes) |
| 96b3dd0ac1913d9ec34566561c4069c1 | 3c23c80b10d091be50008b9fc9f2d9e703e41c30 | 6E6494A592EEA9CDA247D726D97774C58723AA6683910F1BDCE8DF46E47202D2 | 4.77 MB (4,765,376 bytes) |
| f61fee859c7d924862fc8a5b401be89e | 963c26bbb212a1c4ae66576f720bfe65221e495b | 6EB16806F9EBDAAE3A52303E5B1E7ABCAACE89802AC32849B8A3990CB985BCFF | 3.71 MB (3,708,664 bytes) |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have security information
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

| Signer | Root | Status |
|---|---|---|
| Microsoft Corporation | Microsoft Corporation | Self Signed |
| Zoom Video Communications, Inc., OU=Zoom Engineering, O=Zoom Video Communications, Inc., L=San Jose, S=California, C=US | Zoom Video Communications, Inc., OU=Zoom Engineering, O=Zoom Video Communications, Inc., L=San Jose, S=California, C=US | Self Signed |

Both signatures here reuse well-known vendor names, but the “Root” is the signer itself and neither chains to a trusted certificate authority: the Signer field is chosen by whoever generates the certificate and proves nothing on its own. Treat a signature as evidence of origin only when the chain terminates at a trusted root and the status is valid.
File Traits
- big overlay
- HighEntropy
- No Version Info
- ntdll
- x86
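The Portable Executable attributes above, together with the “big overlay” and “HighEntropy” file traits, are all readable from the PE headers and from the bytes that follow the last section. The following is an added example written for this page, not EnigmaSoft’s tooling and not code from the samples; it uses only the Python standard library, and `build_sample_pe` produces a constructed minimal PE32 image (a synthetic stand-in, not one of the hashes listed above) so the parser can be run offline.

```python
import struct
from math import log2

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
SUBSYSTEMS = {2: "GUI", 3: "console"}
# IMAGE_DIRECTORY_ENTRY_* indices consulted below
DIR_EXPORT, DIR_SECURITY, DIR_DEBUG, DIR_TLS, DIR_COM_DESCRIPTOR = 0, 4, 6, 9, 14


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: values near 8.0 indicate compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * log2(c / n) for c in counts if c)


def pe_attributes(data: bytes) -> dict:
    """Walk the DOS, COFF, optional and section headers and return triage attributes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == PE32_MAGIC
    # Subsystem sits at +68 in both PE32 and PE32+; the directory table is 16 bytes later in PE32+.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs_off = opt + (92 if is_pe32 else 108)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]

    def has_dir(idx: int) -> bool:
        return idx < len(dirs) and dirs[idx][1] != 0

    # The section table follows the optional header; bytes past the last raw section are overlay.
    sect = opt + opt_size
    end_of_sections = 0
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]

    return {
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],
        "has_debug_info": has_dir(DIR_DEBUG),
        "has_exports": has_dir(DIR_EXPORT),
        "has_security_info": has_dir(DIR_SECURITY),  # Authenticode blob present?
        "has_tls": has_dir(DIR_TLS),                  # TLS callbacks run before the entry point
        "is_32bit": is_pe32,
        "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
        "is_dotnet": has_dir(DIR_COM_DESCRIPTOR),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 3),
    }


def build_sample_pe(overlay: bytes = bytes(range(256)) * 16) -> bytes:
    """Constructed input: a minimal PE32 GUI image with one .text section, a TLS
    directory, no Authenticode blob and a 4 KiB uniform-byte overlay standing in
    for an encrypted payload. Synthetic, not one of the samples listed on this page."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))  # DOS stub left empty, so no Rich header
    opt_size = 96 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)  # i386, IMAGE_FILE_32BIT_MACHINE
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      PE32_MAGIC, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0,
                      2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_TLS] = (0x2000, 0x18)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200 + overlay


if __name__ == "__main__":
    for key, value in pe_attributes(build_sample_pe()).items():
        print(f"{key:22} {value}")
```

Run it on a real file with `pe_attributes(open(path, "rb").read())`. The security directory is the one entry whose "address" is a file offset rather than an RVA, and the Authenticode blob it points to normally lives in the overlay, so an unsigned file with a multi-megabyte overlay, as in this family, is worth a closer look at what that trailing data is.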
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 2,029 |
|---|---|
| Potentially Malicious Blocks: | 498 |
| Whitelisted Blocks: | 1,529 |
| Unknown Blocks: | 2 |
Visual Map

The original page renders the block map as a grid of 2,029 single-character cells, one per block in file order, using the legend below; the grid is not reproduced here.

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
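To make the counts in the table above concrete, here is an added example (not EnigmaSoft’s method or code) of the general block-classification idea: cut a file into blocks, hash each block, bucket the hashes against known-good and known-bad sets, and compare two samples by the blocks they share. `RUNTIME`, `PAYLOAD`, `UNIQUE`, `SAMPLE_A` and `SAMPLE_B` are constructed byte strings, and the 64-byte fixed-size cut is an assumption chosen for brevity.

```python
import hashlib

BLOCK_SIZE = 64  # bytes per block; an assumption, see the note after the listing


def block_hashes(data: bytes, size: int = BLOCK_SIZE) -> list:
    """Cut the file into fixed-size blocks and hash each one, in file order."""
    return [hashlib.sha256(data[i:i + size]).hexdigest() for i in range(0, len(data), size)]


def classify_blocks(hashes, whitelist, malicious) -> dict:
    """Bucket each block the way the summary table does: whitelisted, potentially malicious, unknown."""
    counts = {"total": len(hashes), "whitelisted": 0, "potentially_malicious": 0, "unknown": 0}
    for h in hashes:
        if h in whitelist:
            counts["whitelisted"] += 1
        elif h in malicious:
            counts["potentially_malicious"] += 1
        else:
            counts["unknown"] += 1
    return counts


def jaccard(a, b) -> float:
    """Share of distinct blocks two samples have in common (1.0 = identical block sets)."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if (sa or sb) else 0.0


# Constructed sample content: eight distinct "runtime" blocks that clean software also
# contains, four "payload" blocks seen only in this family, and two blocks unique to one build.
RUNTIME = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))
PAYLOAD = b"".join(bytes([0x80 + i]) * BLOCK_SIZE for i in range(4))
UNIQUE = b"".join(bytes([0xF0 + i]) * BLOCK_SIZE for i in range(2))
SAMPLE_A = RUNTIME + PAYLOAD
SAMPLE_B = RUNTIME + PAYLOAD + UNIQUE

# Reference sets: blocks known from benign software, and blocks known from this family.
WHITELIST = set(block_hashes(RUNTIME))
MALICIOUS = set(block_hashes(PAYLOAD))


def triage(sample: bytes) -> dict:
    return classify_blocks(block_hashes(sample), WHITELIST, MALICIOUS)


def similarity(x: bytes, y: bytes) -> float:
    return jaccard(block_hashes(x), block_hashes(y))


if __name__ == "__main__":
    print("A:", triage(SAMPLE_A))
    print("B:", triage(SAMPLE_B))
    print("A~B:", round(similarity(SAMPLE_A, SAMPLE_B), 3))
```

A high whitelisted share, as in the table above (1,529 of 2,029 blocks), is what a sample built on a standard compiler runtime and libraries looks like; the family-specific signal is in the potentially malicious and unknown blocks. Fixed-size cutting is the simplest instance of the technique and breaks as soon as one byte is inserted, because every later block shifts; production tooling uses content-defined boundaries or disassembled basic blocks so that shared code still hashes identically across builds.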
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Krypt.KBAH
- Krypt.KBAJ
- Krypt.KBAL
- Krypt.KBAM
- Trojan.Agent.Gen.ARG
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system. The Attributes column is the access the sample requested when opening each file; both entries below are opened for append, consistent with the sample writing its own debug log, and the paths are usable as host-based indicators.

| File | Attributes |
|---|---|
| c:\programdata\crypt_debug.txt | Read Attributes,Synchronize,Read Control,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\payload_debug.log | Read Attributes,Synchronize,Read Control,Write Attributes,Write extended,Append data |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. Only the API categories are recorded for this family; the individual calls are not listed.

| Category | API |
|---|---|
| Network Winsock2 | |
| User Data Access | |
| Network Winsock | |
| Network Info Queried | |