- First seen: Early 2014
- Aliases: Vipasana, CryLock
- Samples:
- 7c7a469abf068c64a865a94b4c6976a7f87db646c4714eece6a17a83fcbd8a4b | windows | ransom | pe
- 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab | windows | ransom | pe
Property | Value |
---|---|
Size | 196096 bytes |
CRC32 | 0xdc6a9980 |
MD5 | 8a5e5437e142ea0380875081b8fe095f |
SHA1 | 0e6fbc1d5515d6646d66d7769b6bfcd810c20901 |
SHA256 | 7c7a469abf068c64a865a94b4c6976a7f87db646c4714eece6a17a83fcbd8a4b |
SHA512 | efc81149043af2d3f1cd8cd179d6bae9c7b1b54985538a3fb198bec1ca135ca073765a04554bf09a724ab37007274301086ccf55ef70f6ae010b697bddb0a2a2 |
Ssdeep | 3072:XZm/5ISZbkihcLW41zDD2P+OjLWFvXTh8bgAiF5E/6vXW93Htfot2tCauquMqqDH:pA5b2LW4tM+DzVKgXW93Htfot2AFcqqG |
Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
Packer | PE: compiler: Borland Delphi(6-7 or 2005)[-]; PE: linker: Turbo Linker(2.25*,Delphi)[EXE32] |
TrID | 94.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58); 2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4); 0.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2); 0.6% (.EXE) Win32 Executable (generic) (4505/5/1); 0.4% (.MZP) WinArchiver Mountable compressed Archive (3000/1) |
- Avast: Script:SNH-gen [Trj]
- Avira: TR/AD.RansomHeur.umxnk
- Bitdefender: Gen:Heur.Mint.Zard.40
+ Clamav: clean
- Comodo: Malware
- Drweb: Trojan.Encoder.30511
- Eset: Win32/Filecoder.EQ
- Fsecure: Trojan.TR/AD.RansomHeur.umxnk
- Kaspersky: UDS:DangerousObject.Multi.Generic
+ Mcafee: clean
+ Sophos: clean
- Symantec: Downloader
+ Trendmicro: clean
- Windefender: Ransom:Win32/Cryak.PA!MTB
Property | Value |
---|---|
Size | 379392 bytes |
CRC32 | 0xa3f98b0b |
MD5 | 2aea3b217e6a3d08ef684594192cafc8 |
SHA1 | 3a0b855dd052b2cdc6453f6cbdb858c7b55762b0 |
SHA256 | 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab |
SHA512 | ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a |
Ssdeep | 6144:oRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYlG8+rNfNQFoQGt485VY:uDRbXFHW1+K2UWBGIymY/+rheFOv |
Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
Packer | PE: compiler: Borland Delphi(6-7 or 2005)[-]; PE: linker: Turbo Linker(2.25*,Delphi)[EXE32] |
TrID | 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4); 15.1% (.EXE) Win32 Executable (generic) (4505/5/1); 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1); 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23); 6.8% (.EXE) OS/2 Executable (generic) (2029/13) |
- Avast: Win32:Evo-gen [Trj]
- Avira: TR/AD.FileCoder.wcoin
- Bitdefender: Generic.Ransom.Cryak.CD721E02
- Clamav: Win.Ransomware.Cryakl-9816021-0
- Comodo: TrojWare.Win32.TrojanDownloader.Delf.gen
- Drweb: Trojan.Encoder.567
- Eset: Win32/Filecoder.EQ
- Fsecure: Trojan.TR/AD.FileCoder.wcoin
- Kaspersky: Trojan-Ransom.Win32.Cryakl.aiv
+ Mcafee: clean
- Sophos: Troj/Cryakl-G
- Symantec: Trojan.Gen
- Trendmicro: Ransom_CRYPICH.SMA
- Windefender: Ransom:Win32/Criakl.D
- https://heimdalsecurity.com/blog/crylock-ransomware/
- https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/
- https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html
- https://www.boxcryptor.com/en/blog/post/a-close-look-at-ransomware-vipasana-part-i/