MSIL/Kryptik.MNQ!tr

Analysis

MSIL/Kryptik.MNQ!tr is a generic detection for a Trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of the observed characteristics/behaviours:

  • This trojan may be a Keylogger.

  • This malware may utilize dynamic DNS services. Some of the observed domains include:
    • rsaupda{Removed}.jumpingcrab.com
    • rsau{Removed}.ntdll.net
    • rsapoin{Removed}.ssl443.org
    • c0pywi{Removed}.is-not-certified.com
    • wins10{Removed}.16-b.it
    • check{Removed}.dyndns.org
    • in{Removed}.freeddns.org

  • This malware may drop one or more of the following files:
    • %AppData%\[RandomName_1].exe - a version of itself detected as MSIL/Kryptik.MNQ!tr
    • %Temp%\[RandomName_2]\[RandomName_2].exe - a version of itself detected as MSIL/Kryptik.MNQ!tr
    • %Temp%\[RandomName_3].vsc\[RandomName_3].vsc.exe - a version of itself detected as MSIL/Kryptik.MNQ!tr
    • %UserProfile%\Pictures\operabrowser.exe - a version of itself detected as MSIL/Kryptik.MNQ!tr
    • %AppData%\Windows Defender\GoogleChrome.exe - a version of itself detected as MSIL/Kryptik.MNQ!tr
    • %AppData%\Imminient\Logs\[DD-MM-YYYY] - an encrypted data file
    • %AppData%\Imminient\Logs\Path.dat - an encrypted data file
    • %AppData%\Imminient\Monitoring\Network.dat - an encrypted data file
    • %AppData%\Imminient\Monitoring\system.dat - an encrypted data file

  • This malware may add one or more of the following registry entries:
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RandomString]
      • %AppData%\[RandomName_1].exe

    • HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application
      • %UserProfile%\Pictures\operabrowser.exe -boot

    • HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RandomName_2]
      • %Temp%\[RandomName_2]\[RandomName_2].exe

    • HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RandomName_3]
      • %Temp%\[RandomName_3].vsc\[RandomName_3].vsc.exe

    • HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender\
      • %AppData%\Windows Defender\GoogleChrome.exe
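The persistence artifacts listed above can be checked on a host with the following PowerShell triage script, an added example that is not part of the Fortinet entry. It assumes the [RandomName_*] entries cannot be matched by name, so it flags any Run value pointing to an .exe directly under %AppData% or anywhere under %Temp%, together with the fixed paths named above, and looks for the %AppData%\Imminient directory; the Get-RunTarget helper and the $patterns list are the example's own.

```powershell
# Added triage example (not from the Fortinet entry). Enumerates the Run keys
# the page names (HKCU and every loaded HKU hive) and flags values that match
# the dropped-file locations listed above. [RandomName_*] cannot be matched by
# name, so any .exe directly under %AppData% or anywhere under %Temp% is flagged.

$patterns = @(
    '*\Pictures\operabrowser.exe',            # fixed path from the page
    '*\Windows Defender\GoogleChrome.exe',    # fixed path from the page
    '*\AppData\Local\Temp\*.exe'              # %Temp%\[RandomName_2|3]...\*.exe
)

function Get-RunTarget([string]$Command) {
    # Strip surrounding quotes and a trailing switch such as the "-boot" seen above.
    $exe = $Command -replace '^"([^"]+)".*$', '$1'
    return ($exe -replace '\s+-\S+$', '').Trim()
}

$runKeys = @('Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        $exe = Get-RunTarget ([string]$p.Value)
        $hit = $false
        foreach ($pat in $patterns) { if ($exe -ilike $pat) { $hit = $true } }
        # %AppData%\[RandomName_1].exe: an .exe sitting directly in the Roaming root
        if ($exe -ilike '*\AppData\Roaming\*.exe' -and $exe -inotlike '*\AppData\Roaming\*\*') { $hit = $true }
        if ($hit) {
            $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Encrypted log/monitoring files are written under %AppData%\Imminient (current user only).
$imminientDir = Join-Path $env:APPDATA 'Imminient'
if (Test-Path $imminientDir) {
    $findings += [pscustomobject]@{ Key = 'Filesystem'; Name = 'Imminient'; Command = $imminientDir }
}

if ($findings.Count -eq 0) { 'No Kryptik.MNQ persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated session so the HKU hives of other logged-on users are readable; a hit on a Run value is a lead for triage, not proof of infection on its own.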

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate (Extended)
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb (Web Application Firewall)
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date Version Detail
2023-02-28 91.01002
2023-01-15 90.09681
2022-09-27 90.06370
2022-07-31 90.04654
2022-05-03 90.01962
2022-02-27 90.00003
2022-02-22 89.09863
2021-12-28 89.08183
2021-12-14 89.07763
2021-12-10 89.07645