virus logo Virus

VBA/Agent.BE50!tr.dldr

description-logoAnalysis


 VBA/Agent.BE50!tr.dldr is a generic detection for a type of macro downloader trojan that downloads the Locky ransomware onto the compromised computer. Since this is a generic detection, files that are detected as VBA/Agent.BE50!tr.dldr may have varying behavior.
Below are examples of some of these behavior:

  • It downloads the Locky ransomware as the following file:

  • It adds the ".lukitus" extension to encrypted files.

  • It attempts to connect to the following URLs:
    • hxxp://lost{Removed}.top/admin.php?f=1.dat
    • hxxp://tsiv{Removed}.com.vn/system/logs/.../1
    • hxxp://long{Removed}.com.vn/image/flags/.../1

  • Below is an example of its Ransom notes and infected document:

    • Figure 1: Infected document.


    • Figure 2: Ransom notes.


    • recommended-action-logoRecommended Action

    • Make sure that your FortiGate/FortiClient system is using the latest AV database.
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry logoTelemetry

    Detection Availability

    FortiClient
    Extreme
    FortiMail
    Extreme
    FortiSandbox
    Extreme
    FortiWeb
    Extreme
    Web Application Firewall
    Extreme
    FortiIsolator
    Extreme
    FortiDeceptor
    Extreme
    FortiEDR

    Version Updates

    Date Version Detail
    2020-03-04 75.71900 Sig Updated
    ID 7495214
    Released Sep 13, 2017
    Description
    Updated    		 Sep 14, 2017
    Aliases JS/DwnLdr-UKJ, JS/TrojanDownloader.Nemucod.DRC trojan
    Profile Type Trojan Downloader (tr.dldr)