W32/Injector.DVYX!tr

Analysis



W32/Injector.DVYX!tr is a generic detection for an Injector/Botnet trojan. Since this is a generic detection, samples detected as W32/Injector.DVYX!tr may vary in behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %LocalAppData%\Temp\subfolder\filename.scr: This file is detected as W32/Injector.DVYX!tr.
    • %LocalAppData%\Temp\subfolder\filename.vbs: This file serves as an autostart for filename.scr.
    • %LocalAppData%\Temp\WinRAR-Archive.exe: This file is detected as W32/Injector.DWAB!tr.
    • %LocalAppData%\Temp\WinRAR-Archiver\WinRAR-Archiver.exe: This file is detected as W32/Injector.DWAB!tr.
    • %LocalAppData%\Temp\WinRAR-Archiver\WinRAR-Archiver.vbs: This file serves as an autostart for WinRAR-Archiver.exe.
    • %AppData%\xxxxxx\xxxxxx.exe: This file is detected as W32/Injector.DVYX!tr.

  • The following registry modifications are applied:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
        • subfolder = "%LocalAppData%\Temp\subfolder\filename.vbs"
        • WinRAR-Archiver = "%LocalAppData%\Temp\WinRAR-Archiver\WinRAR-Archiver.vbs"
        • Registry Key Name = "%LocalAppData%\Temp\subfolder\filename.vbs"
        Windows removes a RunOnce value once it has been processed at the next logon, so the value may no longer be present on a host that has already rebooted, even though the launched .vbs and its payload remain on disk.

  • This malware may connect to any of the following remote site(s):
    • 18{Removed}.61.137.36
    • 19{Removed}.189.25.114
    • 21{Removed}.208.129.219
    • arthem{Removed}.com
    • barakeoma{Removed}.com
    • fortniteaimbo{Removed}.gdn
    • hxxp://17{Removed}.43.149.22/lenny/Panel/fre.php
    • hxxp://19{Removed}.189.25.114/henry3/fre.php
    • hxxp://19{Removed}.189.25.17/guy2/fre.php
    • hxxp://3{Removed}.220.40.22/~helohhyu/lord/panel/fre.php
    • hxxp://arthem{Removed}.com/bahamasvps/coreserver/shit.exe
    • hxxp://barakeoma{Removed}.com/xpres/panel/pp.exe
    • hxxp://fortniteaimbo{Removed}.gdn/WinRAR-Archive.exe
    • hxxp://hectord{Removed}.us
    • hxxp://mepsb-co{Removed}.me/solisoft/coreserver/shit.exe
    • mepsb-co{Removed}.me
    • xmpphos{Removed}.ru

  • Some instances of this malware may have Injector capabilities, i.e. injecting code into other processes.

  • Some instances of this malware were also observed to open a browser and navigate to the YouTube page hxxps://www.youtub{Removed}.com/watch?v=2dDZ0d3p-fQ. At the time of our tests, however, the page had already been taken offline/removed.

  • Some instances of this malware can also collect information about the infected host and send it to a remote site.

  • Some instances of this malware may also steal credentials from browsers, FTP clients and email clients, along with Bitcoin wallet information, and may perform keylogging and take screenshots.
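The dropped-file and RunOnce artifacts listed above can be checked on a host with the following PowerShell triage script. It is an added example for this page, not Fortinet's code; it assumes (as in the observed entries) that the VBS launcher sits under %LocalAppData%\Temp, directly or one folder down, and that the RunOnce value data is the path to that launcher. The folder and file names "subfolder" and "filename" are placeholders on this page, so the script matches on the pattern (a .vbs beside a .scr/.exe of the same base name) rather than on literal names.

```powershell
# Added triage script for the persistence pattern described on this page.
# Not Fortinet's code. Assumptions: the VBS launcher lives under
# %LocalAppData%\Temp (directly or one folder down) and the RunOnce value
# data is the path to that launcher, as in the observed entries above.
$runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$tempDir    = Join-Path $env:LOCALAPPDATA 'Temp'
$findings   = New-Object System.Collections.Generic.List[object]

# 1. RunOnce values whose data resolves to a .vbs under %LocalAppData%\Temp.
if (Test-Path $runOnceKey) {
    $values = Get-ItemProperty -Path $runOnceKey
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the provider metadata properties Get-ItemProperty adds.
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $data = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).Trim('"')
        if ($data -like "$tempDir\*.vbs") {
            $findings.Add([pscustomobject]@{
                Type   = 'RunOnce value'
                Name   = $prop.Name
                Path   = $data
                Exists = Test-Path -LiteralPath $data
            })
        }
    }
}

# 2. .vbs launchers in Temp paired with a payload of the same base name
#    (.scr or .exe), e.g. subfolder\filename.vbs next to subfolder\filename.scr.
Get-ChildItem -Path $tempDir -Filter '*.vbs' -Recurse -Depth 1 -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $base = [IO.Path]::GetFileNameWithoutExtension($_.Name)
        Get-ChildItem -Path $_.DirectoryName -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.scr', '.exe' -and $_.BaseName -eq $base } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Type   = 'Dropped pair'
                    Name   = $_.Name
                    Path   = $_.FullName
                    Exists = $true
                })
            }
    }

# 3. The downloader name dropped directly into Temp.
$downloader = Join-Path $tempDir 'WinRAR-Archive.exe'
if (Test-Path -LiteralPath $downloader) {
    $findings.Add([pscustomobject]@{
        Type   = 'Dropped file'
        Name   = 'WinRAR-Archive.exe'
        Path   = $downloader
        Exists = $true
    })
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    # Hash anything still on disk so it can be submitted or matched to the AV verdict.
    $findings | Where-Object Exists | ForEach-Object {
        Get-FileHash -LiteralPath $_.Path -Algorithm SHA256
    }
} else {
    'No RunOnce/Temp artifacts matching this page were found for the current user.'
}
```

Run it in the context of the affected user, since HKCU and %LocalAppData% are per-user (for an offline disk, load that user's NTUSER.DAT and adjust $runOnceKey and $tempDir accordingly). Because Windows deletes a RunOnce value once it has been processed, the file-system checks are the ones that still fire after a reboot. `-Depth` on Get-ChildItem needs PowerShell 5.0 or later.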



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                   AV database
FortiClient               Extreme
FortiMail                 Extreme
FortiSandbox              Extreme
FortiWeb                  Extreme
Web Application Firewall  Extreme
FortiIsolator             Extreme
FortiDeceptor             Extreme
FortiEDR

Version Updates

Date Version Detail
2019-02-05 66.16500 Sig Updated
2019-01-08 65.49200 Sig Updated
2018-09-26 62.48200 Sig Updated