W32/Kryptik.4BCD!tr
Analysis
W32/Kryptik.4BCD!tr is a generic detection for a trojan.
Because this is a generic detection, samples detected as W32/Kryptik.4BCD!tr may behave differently from one another.
Below is a summary of the behaviours observed:
- It steals system information and attempts to steal banking and online account credentials.
- The stolen information may include:
- System information
- List of installed applications
- List of installed drivers
- List of running processes
- List of network devices
- External IP address
- Email credentials (IMAP, POP3, SMTP)
- Cookies
- Certificates
- Screen video captures (.AVI)
- Financial information via web injects
- Once an account has been compromised, the malware can also collect information about the host machine and attempt lateral movement.
- This malware may connect to any of the following remote Command and Control Server(s):
- doc[.]avitoon[.]at
- app[.]kartop[.]at
- doc[.]dicin[.]at
- tri[.]umpalok[.]at
- tt[.]zicino[.]at
- doom[.]matr[.]at
- ut[.]nonpur[.]at
- app[.]avitoon[.]at
- ops[.]twidix[.]at
- xx[.]go10og[.]at
- api[.]kartop[.]at
- m1[.]fofon[.]at
- cdn[.]kartop[.]at
- api[.]tylron[.]at
- chat[.]twidix[.]at
- api[.]kaonok[.]at
- chat[.]jimden[.]at
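The C2 hostnames above are published defanged (`[.]` in place of `.`). The script below is an added example, not part of this Fortinet page or of any Fortinet product: it refangs the list, then runs it over a few constructed dnsmasq-style DNS query log lines. Besides exact matches it also flags any name under the same registered domain (e.g. `kartop[.]at`), since the page already lists several hosts per domain; treating the whole registered domain as suspicious is this example's assumption, not a statement from the page, and the two-label domain split is only correct for names like these `.at` ones (names under `co.uk`-style suffixes would need a public-suffix list).

```python
import re
from typing import List, Optional, Tuple

# C2 hostnames as listed on this page, kept in defanged form.
DEFANGED_C2 = [
    "doc[.]avitoon[.]at", "app[.]kartop[.]at", "doc[.]dicin[.]at",
    "tri[.]umpalok[.]at", "tt[.]zicino[.]at", "doom[.]matr[.]at",
    "ut[.]nonpur[.]at", "app[.]avitoon[.]at", "ops[.]twidix[.]at",
    "xx[.]go10og[.]at", "api[.]kartop[.]at", "m1[.]fofon[.]at",
    "cdn[.]kartop[.]at", "api[.]tylron[.]at", "chat[.]twidix[.]at",
    "api[.]kaonok[.]at", "chat[.]jimden[.]at",
]


def refang(indicator: str) -> str:
    """Normalise a hostname: undo '[.]'/'(.)' defanging, lowercase,
    drop a trailing root dot as written by some resolvers."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


C2_HOSTS = {refang(h) for h in DEFANGED_C2}


def registered_domains(hosts) -> set:
    """Collapse hostnames to their registered domain (last two labels).
    Assumption: adequate for the .at names on this page only."""
    return {".".join(h.split(".")[-2:]) for h in hosts}


C2_DOMAINS = registered_domains(C2_HOSTS)


def host_matches(qname: str) -> Optional[str]:
    """Return 'exact' for a listed C2 host, 'domain' for any other name under a
    listed C2 registered domain, None otherwise. Matching is on label
    boundaries, so 'avitoon.at.example.net' is not a hit."""
    q = refang(qname)
    if q in C2_HOSTS:
        return "exact"
    for d in C2_DOMAINS:
        if q == d or q.endswith("." + d):
            return "domain"
    return None


# dnsmasq-style "query[TYPE] NAME from CLIENT" lines (hypothetical format).
LOG_LINE = re.compile(r"query\[(?P<type>\w+)\] (?P<qname>\S+) from (?P<src>\S+)")


def scan_dns_log(lines) -> List[Tuple[str, str, str]]:
    """Yield (client, queried name, match kind) for every line hitting an IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        kind = host_matches(m.group("qname"))
        if kind:
            hits.append((m.group("src"), refang(m.group("qname")), kind))
    return hits


# Constructed sample log: one clean query, two exact C2 hits, one sibling host,
# and one lookalike that must not match.
SAMPLE_LOG = """\
Mar  3 10:14:02 dnsmasq[812]: query[A] www.example.com from 10.0.0.17
Mar  3 10:14:05 dnsmasq[812]: query[A] doc.avitoon.at from 10.0.0.17
Mar  3 10:14:09 dnsmasq[812]: query[AAAA] API.KARTOP.AT. from 10.0.0.23
Mar  3 10:14:11 dnsmasq[812]: query[A] update.kartop.at from 10.0.0.23
Mar  3 10:14:15 dnsmasq[812]: query[A] avitoon.at.example.net from 10.0.0.31
""".splitlines()

if __name__ == "__main__":
    for src, qname, kind in scan_dns_log(SAMPLE_LOG):
        print(f"{src} -> {qname} ({kind} C2 match)")
```

The `domain` matches are lower-confidence than `exact` ones and are meant for triage; a hit from a host that is not otherwise on the list should be confirmed against the resolved address and the process that made the request before it is treated as an infection.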
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR