W32/Agent.F840!tr

Analysis

W32/Agent.F840!tr is a generic detection for a trojan. Since this is a generic detection, malware detected as W32/Agent.F840!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:

  • Performs a check based on the address of the Kernel32.SetFilePointer API. This may be done to exclude older operating systems, such as Windows XP, from normal execution. If the arithmetic results in a value of zero, the sample takes the "Bonopoc" path; otherwise it takes the "Fortnite_download" path.

  • Bonopoc path:
    • A temporary PE file is created to launch an Inno Setup installer, which installs a program called "Bonopoc"
    • Installs "Bonopoc" in %program files%
    • Drops many junk files in %program files%\Bonopoc, such as "Meratar.exe", "Nehek.exe", etc. None of these files is valid.

  • Fortnite_download path:
    • Starts the "Fortnite_download Download Manager"
    • Offers two optional downloads:
      • Yahoo Search Offer - Accepting this may cause the browser to open and prompt to enable a new extension. The URL has been rated as malicious by the FortiGuard Web Filter. This also sets Yahoo as the home page of the default browser.
      • Avast Free Antivirus - A legitimate copy of the Avast antivirus software.
    • Once the download manager has finished, the browser opens a freeware page
    • Drops a file "_Fortnite_download.zip" in %downloads%. This archive contains:
      • Fortnite.pdf - a clean PDF file that advertises the game "Fortnite"
      • __MACOSX\._Fortnite.pdf - a possibly corrupt PDF file

  • The malware attempts to connect to the following sites:
    • hxxp://free-download-offer.com/{removed}/completed/gaddonflow - Current Category: Freeware and Software Downloads
    • hxxp://s3.amazonaws.com/{removed}/reglp.html?v=3&ext=nahhmpbckpgdidfnmfkfgiflpjijilce,pilplloabdedfmialnfchjomjmpjcoej - Category: Malicious Websites

  • The following registry modifications may be applied:
    • HKCU\Software\Undefined
      • _Fortnite_download.zip = 1518118130697,hxxp://d1z0mfyqx7ypd{Removed}.cloudfront.net/ext/bundle/installsall/Fortnite_download.zip?iid=15225999


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate
    • Extended
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb
    • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

  • 2021-03-04 - Version 84.00472