virus logo Virus

MSIL/Agent.8A34!tr.ransom

description-logoAnalysis

MSIL/Agent.8A34!tr.ransom is a generic detection for a Ransomware BLACKROUTER trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • Most instances observed under this malware are highly packed MSIL compiled samples.

  • Affected files of this Ransomware will use the filenaming format {OriginalFileName.Ext}.BlackRouter .

  • This Ransomware has been observed to connect to:
    • icanhazi{Removed}.com
    • api.telegra{Removed}.org

  • Below is an illustration of the malware's Ransom notes:

    • Figure 1: Ransom Notes.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
Extreme
FortiAPS
FortiAPU
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2019-04-16 67.84200 Sig Updated
2019-02-12 66.33300 Sig Updated
2019-01-21 65.81100 Sig Updated
ID 7980872
Released Jan 21, 2019
Description
Updated		 Jan 21, 2019
Aliases BLACKROUTER ransomware,MSIL/Agent.8A34!tr,W32/Encoder.RE!tr.ransom,Ransom_Encoder.R011C0GA819,Gen:Variant.Ransom.BlackHeart.4,MSIL/Filecoder.BlackRouter.A trojan,Ransom_Encoder.R011C0WA719,W32/Encoder!tr.ransom,Ransom.MSIL.BLACKROUTER.THOAOGAI
Platform Profile Microsoft Intermediate Language (used for MSIL compiled binaries)