W32/GenKryptik.AVXR!tr

Analysis

W32/GenKryptik.AVXR!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/GenKryptik.AVXR!tr may have varying behaviour.
Below are examples of some of these behaviours:

• This malware may drop any of the following file(s):
  
  • undefinedAppDataundefined\[Random]\[Random].exe : This file is detected as W32/GenKryptik.AVXR!tr.
  • undefinedAppDataundefined\[Random]\[Random].lck : This is a data file.
  • undefinedAppDataundefined\lesrss.dat : This file is a text file.
  • undefinedAppDataundefined\pid.txt : This file is a text file.
  • undefinedAppDataundefined\pidloc.txt : This file is a text file.
  • undefinedAppDataundefined\remcos\remcos.exe : This file is a copy of the original malware itself.
  • undefinedAppDataundefined\subfolder\filename.exe : This file is detected as W32/GenKryptik.AVXR!tr.
  • undefinedAppDataundefined\subfolder\rfgfcwsxf.exe : This file is detected as W32/GenKryptik.AVXR!tr.
  • undefinedStartUpundefined\filename.vbe : This file is a text file.
  • undefinedStartUpundefined\rfgfcwsxf.vbe : This file is a text file.
  • undefinedTempundefined\install.vbs : This is a small VBS script that intends to run remcos.exe.


• This malware may connect to any of the following remote sites(s):
  
  • bizlen{Removed}.usa.cc
  • lokpanel{Removed}.info


• This malware may apply any of the following registry modification(s):
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • Remcos = undefinedAppDataundefined\remcos\remcos.exe
    This automatically executes the dropped file every time the infected user logs on.
    


• Some instances of this malware may have code injection capabilities.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.