Virus

W32/GenKryptik.AVXR!tr

Analysis



W32/GenKryptik.AVXR!tr is a generic detection for a trojan. Because the detection is generic, malware detected as W32/GenKryptik.AVXR!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:

  • This malware may drop any of the following file(s):
    • %AppData%\[Random]\[Random].exe : This file is detected as W32/GenKryptik.AVXR!tr.
    • %AppData%\[Random]\[Random].lck : This is a data file.
    • %AppData%\lesrss.dat : This file is a text file.
    • %AppData%\pid.txt : This file is a text file.
    • %AppData%\pidloc.txt : This file is a text file.
    • %AppData%\remcos\remcos.exe : This file is a copy of the original malware itself.
    • %AppData%\subfolder\filename.exe : This file is detected as W32/GenKryptik.AVXR!tr.
    • %AppData%\subfolder\rfgfcwsxf.exe : This file is detected as W32/GenKryptik.AVXR!tr.
    • %StartUp%\filename.vbe : This file is a text file.
    • %StartUp%\rfgfcwsxf.vbe : This file is a text file.
    • %Temp%\install.vbs : This is a small VBS script that intends to run remcos.exe.

  • This malware may connect to any of the following remote site(s):
    • bizlen{Removed}.usa.cc
    • lokpanel{Removed}.info

  • This malware may apply any of the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
      • Remcos = %AppData%\remcos\remcos.exe
      This automatically executes the dropped file every time the infected user logs on.

  • Some instances of this malware may have code injection capabilities.
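As an added illustration that is not part of this entry, the following Python helper checks a host's file listing and HKEY_CURRENT_USER Run entries against the dropped-file and registry indicators listed above, separating the specific names from the weaker "[Random]" pattern. The user profile path, sample file list and Run-key data are constructed for an offline run.

```python
import re
# Indicators from the entry above; "[Random]" is modelled as one path segment. The "weak"
# pattern also matches ordinary software, so it corroborates but should not drive action alone.
FILE_INDICATORS = [
    (r"%AppData%\\lesrss\.dat", "strong"),
    (r"%AppData%\\pid(?:loc)?\.txt", "strong"),
    (r"%AppData%\\remcos\\remcos\.exe", "strong"),
    (r"%AppData%\\subfolder\\(?:filename|rfgfcwsxf)\.exe", "strong"),
    (r"%StartUp%\\(?:filename|rfgfcwsxf)\.vbe", "strong"),
    (r"%Temp%\\install\.vbs", "strong"),
    (r"%AppData%\\[^\\]+\\[^\\]+\.(?:exe|lck)", "weak"),  # checked last: %AppData%\[Random]\[Random].*
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Profile-relative prefixes mapped to the entry's placeholders, most specific first.
PLACEHOLDERS = [
    (r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "%StartUp%"),
    (r"\AppData\Local\Temp", "%Temp%"),
    (r"\AppData\Roaming", "%AppData%"),
]
def normalize(path, profile):
    # Rewrite a path under the user profile into %AppData%/%StartUp%/%Temp% form.
    path = path.strip('"')  # Run-key data is often quoted
    for suffix, placeholder in PLACEHOLDERS:
        prefix = profile + suffix
        if path.lower().startswith(prefix.lower()):
            return placeholder + path[len(prefix):]
    return path

def triage(paths, run_entries, profile):
    # paths: files seen on disk; run_entries: (key, value_name, data) from a registry export.
    hits = {"strong": [], "weak": [], "run": []}
    for p in paths:
        norm = normalize(p, profile)
        for pattern, strength in FILE_INDICATORS:
            if re.fullmatch(pattern, norm, re.IGNORECASE):
                hits[strength].append(p)
                break  # a specific name outranks the generic pattern
    for key, name, data in run_entries:
        if (key.lower() == RUN_KEY.lower() and name.lower() == "remcos"
                and normalize(data, profile).lower() == r"%appdata%\remcos\remcos.exe"):
            hits["run"].append(data)
    return hits

# Constructed sample input for an offline run (not taken from a real host).
PROFILE = r"C:\Users\alice"
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\remcos\remcos.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfgfcwsxf.vbe",
    r"C:\Users\alice\AppData\Roaming\Vendor\updater.exe",  # benign-looking: weak hit only
]
SAMPLE_RUN = [(RUN_KEY, "Remcos", r'"C:\Users\alice\AppData\Roaming\remcos\remcos.exe"')]
```

A strong file hit together with the Run-key hit matches the persistence chain described above; a lone weak hit only justifies a closer look at that file.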



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.