W32/Injector.DVYX!tr
Analysis
W32/Injector.DVYX!tr is a generic detection for an Injector/Botnet trojan. Because the detection is generic, samples detected as W32/Injector.DVYX!tr may vary in behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - %LocalAppData%\Temp\subfolder\filename.scr: This file is detected as W32/Injector.DVYX!tr.
  - %LocalAppData%\Temp\subfolder\filename.vbs: This file serves as an autostart for filename.scr.
  - %LocalAppData%\Temp\WinRAR-Archive.exe: This file is detected as W32/Injector.DWAB!tr.
  - %LocalAppData%\Temp\WinRAR-Archiver\WinRAR-Archiver.exe: This file is detected as W32/Injector.DWAB!tr.
  - %LocalAppData%\Temp\WinRAR-Archiver\WinRAR-Archiver.vbs: This file serves as an autostart for WinRAR-Archiver.exe.
  - %AppData%\xxxxxx\xxxxxx.exe: This file is detected as W32/Injector.DVYX!tr.
- The following registry modifications are applied:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    - subfolder = "%LocalAppData%\Temp\subfolder\filename.vbs"
    - WinRAR-Archiver = "%LocalAppData%\Temp\WinRAR-Archiver\WinRAR-Archiver.vbs"
    - Registry Key Name = "%LocalAppData%\Temp\subfolder\filename.vbs"
- This malware may connect to any of the following remote site(s):
- Some instances of this malware may have Injector capabilities.
- Some instances of this malware were also observed to open a browser and point it to the YouTube page hxxps://www.youtub{Removed}.com/watch?v=2dDZ0d3p-fQ. At the time of our tests, however, the page appeared to have already been taken offline or removed.
- Some instances of this malware can also steal information about the current host and send it to a remote site.
- Some instances of this malware may also steal credentials from browsers, FTP clients, and email clients, along with bitcoin wallet information, and attempt keylogging and screenshot capture.
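A read-only hunt for the RunOnce persistence and dropped files listed above, added here as an example and not part of the Fortinet advisory; it assumes a Windows host, and treats the advisory's "subfolder" and "filename" as per-sample placeholders rather than literal names:

```powershell
# Added hunt script, not from the advisory: checks the local host for the RunOnce
# persistence and dropped files described above. Read-only; it reports and removes nothing.
# "subfolder" and "filename" are assumed to be the advisory's placeholders for per-sample
# names, so check 3 looks for any .vbs/.scr pair of the same base name in a Temp subfolder.

$runOnce  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$tempDir  = Join-Path $env:LOCALAPPDATA 'Temp'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. RunOnce values whose data resolves to a .vbs anywhere under %LocalAppData%\Temp
if (Test-Path $runOnce) {
    $key = Get-Item $runOnce
    foreach ($name in $key.GetValueNames()) {
        $data     = [string]$key.GetValue($name)
        $expanded = [Environment]::ExpandEnvironmentVariables($data).Trim('"')
        if ($expanded -like "$tempDir\*.vbs") {
            Add-Finding 'RunOnceValue' "$runOnce\$name" $data
        }
    }
}

# 2. Dropped files with the fixed names given in the advisory (SHA256 reported for triage)
$knownPaths = @(
    (Join-Path $tempDir 'WinRAR-Archive.exe'),
    (Join-Path $tempDir 'WinRAR-Archiver\WinRAR-Archiver.exe'),
    (Join-Path $tempDir 'WinRAR-Archiver\WinRAR-Archiver.vbs')
)
foreach ($p in $knownPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        Add-Finding 'DroppedFile' $p (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    }
}

# 3. Generic pattern: a .vbs autostart beside a .scr of the same base name in a Temp subfolder
foreach ($dir in Get-ChildItem -LiteralPath $tempDir -Directory -ErrorAction SilentlyContinue) {
    foreach ($vbs in Get-ChildItem -LiteralPath $dir.FullName -Filter '*.vbs' -File -ErrorAction SilentlyContinue) {
        $scr = [IO.Path]::ChangeExtension($vbs.FullName, '.scr')
        if (Test-Path -LiteralPath $scr -PathType Leaf) {
            Add-Finding 'VbsScrPair' $vbs.FullName $scr
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No indicators from this advisory found.' }
```

Run it in the context of the user profile being investigated, since both the RunOnce key and %LocalAppData% are per-user.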
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | AV database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |