VBS/Agent.PEC!tr.dldr
Analysis
VBS/Agent.PEC!tr.dldr is a generic detection for a family of Visual Basic script downloader trojans that download and execute the Locky ransomware on the compromised computer. Because this is a generic detection, files detected as VBS/Agent.PEC!tr.dldr may vary in behavior.
Below are examples of some of these behaviors:
- It downloads the Locky ransomware as the following file:
- %Temp%\[Random].exe : This file is detected as W32/Locky.KAD!tr.
- It adds the ".lukitus" extension to encrypted files.
- It attempts to connect to the following URLs:
- hxxp://gbas{Removed}.ch/tJHGskdioj
- hxxp://vinn{Removed}.net/af/tJHGskdioj
- hxxp://graf{Removed}.com/tJHGskdioj
- Below are the malware's ransom notes:
- [Figure 1: Ransom notes.]
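The indicators listed above (the callback URI path, the randomly named .exe dropped in %Temp%, and the .lukitus extension on encrypted files) are the kind of thing a responder hunts for after an alert. The script below is an added example, not Fortinet's code or part of this write-up, showing how to match those indicators against proxy log lines and file paths. The log line format, the sample log and file entries, and the assumption that %Temp% resolves to the user's AppData\Local\Temp directory are all constructed for the example; the redacted hostnames are kept exactly as the page prints them.

```python
import re
from pathlib import PureWindowsPath
from typing import Iterable

# Indicators taken from the write-up above. Hostnames are redacted there as {Removed},
# so only the URI path and the file artifacts are usable as matching criteria.
LOCKY_URI_PATH = "/tJHGskdioj"
LUKITUS_SUFFIX = ".lukitus"

# %Temp%\[Random].exe: assumption for this example is that %Temp% expands to the
# per-user AppData\Local\Temp directory, so any .exe directly inside it is flagged.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample proxy log (not real traffic). Each line: timestamp client method url status
SAMPLE_PROXY_LOG = """\
2017-09-12T10:01:03Z 10.0.0.15 GET hxxp://gbas{Removed}.ch/tJHGskdioj 200
2017-09-12T10:01:04Z 10.0.0.15 GET http://www.example.com/index.html 200
2017-09-12T10:01:09Z 10.0.0.22 GET hxxp://vinn{Removed}.net/af/tJHGskdioj 404
2017-09-12T10:02:11Z 10.0.0.31 GET http://cdn.example.org/assets/app.js 200
"""

# Constructed sample file listing from a host (not real data).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.lukitus",
    r"C:\Users\alice\Documents\budget.xlsx.lukitus",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\AppData\Local\Temp\a8f3kq.exe",
    r"C:\Windows\System32\notepad.exe",
]


def find_downloader_callbacks(log_text: str) -> list[dict]:
    """Return proxy log entries whose URL ends with the Locky download path.

    Matching on the path rather than the host works even though the hosts are
    redacted, and catches the same path served from the other listed domains.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, method, url, status = parts
        if url.endswith(LOCKY_URI_PATH):
            hits.append({"time": ts, "client": client, "url": url, "status": status})
    return hits


def is_temp_exe(path: str) -> bool:
    """True if the path is an executable dropped directly in the user's temp directory."""
    return TEMP_EXE_RE.search(path) is not None


def count_lukitus_files(paths: Iterable[str]) -> dict[str, int]:
    """Count files carrying the .lukitus extension, grouped by parent directory.

    A burst of such files in one directory is the on-disk footprint of the
    encryption described above; grouping shows which trees were hit.
    """
    counts: dict[str, int] = {}
    for p in paths:
        if p.lower().endswith(LUKITUS_SUFFIX):
            parent = str(PureWindowsPath(p).parent)
            counts[parent] = counts.get(parent, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_downloader_callbacks(SAMPLE_PROXY_LOG):
        print("callback:", hit)
    for f in SAMPLE_FILES:
        if is_temp_exe(f):
            print("temp executable:", f)
    print("encrypted files per directory:", count_lukitus_files(SAMPLE_FILES))
```

The path-based match is deliberately loose on the host side, so any hit should be confirmed against the client that made the request before quarantining; the sample above flags two clients, and the host with a .exe in %Temp% plus .lukitus files is the one to isolate first.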
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| Product | Available |
|---|---|
| FortiGate | |
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |