Felipe osorio, posted August 3, 2023

One of our clients was attacked by malware that encrypted various archives from a group of shared folders. The variants were identified as Win32/Kryptik.HTZJ and MSIL/Kryptik.AHUA. I added a .txt with the rescue message copied on the computers. If you can provide us more information about this malware and if there is a way to decrypt the files, we appreciate your help.

NotaRescate.txt

Marcos (Administrators), posted August 4, 2023

88F122036D62EF4388E356C832CE6A85BDBF1BC1 seems to be the Win32/Agent.AFPR trojan, not the ransomware itself. As for the other file, we don't have it, so I can't tell what it is exactly. Please check your personal messages; I've asked for additional logs and a couple of encrypted files as well.

itman, posted August 4, 2023

I would submit C:\Program Files\WinRar\WinRar.exe to VirusTotal for a scan and see if any of its scanners detect anything. It spawned the malicious .exe in the %Temp% directory.

safety, posted August 8, 2023

On 8/4/2023 at 10:18 PM, itman said:
> I would submit C:\Program Files\WinRar\WinRar.exe to VirusTotal for a scan and see if any of its scanners detect anything. It spawned the malicious .exe in the %Temp% directory.

I assume that he opened (or launched) a malicious file from the archive using legal Winrar. A ransom note and a couple of encrypted files, if any, are needed to at least determine the type of encryption.