VirusVBS/Agent.PEC!tr.dldr
Analysis
VBS/Agent.PEC!tr.dldr is a generic detection for a type of Visual Basic script downloader trojan that downloads and runs the Locky ransomware onto the compromised computer. Since this is a generic detection, files that are detected as VBS/Agent.PEC!tr.dldr may have varying behavior.
Below are examples of some of these behavior:
- It downloads the Locky ransomware as the following file:
- undefinedTempundefined\[Random].exe : This file is detected as W32/Locky.KAD!tr .
- It adds the ".lukitus" extension to encrypted files.
- It attempts to connect to the following URLs:
- hxxp://gbas{Removed}.ch/tJHGskdioj
- hxxp://vinn{Removed}.net/af/tJHGskdioj
- hxxp://graf{Removed}.com/tJHGskdioj
- Below is the malware's Ransom notes:
- Figure 1: Ransom notes.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |