VBA/Agent.AGX!tr.dldr

description-logoAnalysis


VBA/Agent.AGX!tr.dldr is a generic detection for a type of macro downloader trojan that downloads other malware onto the compromised computer. Since this is a generic detection, files that are detected as VBA/Agent.AGX!tr.dldr may have varying behavior.
Below are examples of some of these behavior:

  • It downloads the following files:
    • %Desktop%/[Random].exe : This file is detected as W32/GenKryptik.BQUN!tr.
    • %Desktop%/[Random].exe : This file is detected as W32/GenKryptik.BRNO!tr.

  • This malware issues a powershell command line that downloads from a remote site listed below, then drops it on the hosts, usually located in %Desktop%, afterwhich it then executes it.
    • hxxps://bitcl{Removed}.gq/sdk
    • hxxps://freefly{Removed}.tk/rens

  • Below is an illustration of an infected document:

    • Figure 1: Infected Document.


    • Figure 2: Infected Document.


recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2019-05-28 68.84900 Sig Updated