JS/Agent.UNS!tr

Analysis

JS/Agent.UNS!tr is a generic detection for a Javascript trojan.
Since this is a generic detection, malware that are detected as JS/Agent.UNS!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware connects to a malicious URL that will randomly redirect users to unwanted web pages, including phishing websites, and may attempt to gain access to a user's credentials by utilizing social engineering tactics.


• Below are some of the sites to which some of the samples observed tried to connect to:
  
  • hxxp://www[.]wbo[Removed]ter[.]shop/11062-[Removed]514228/mi[Removed]a/tindex1[.]html
  • hxxp://www[.]ligh[]Removedamera[.]shop/10818[Removed]8182539/martin.p[Removed]ka/tindex1[.]html
  • hxxp://www[.]sin[Removed]lomian[.]shop/tr[Removed]SEM/KESGVOTPQ/10805[Removed]24/238/34[Removed]42/index[.]htm


• Following are some of the near/exact IOCs/file hash associated with this detection:
  
  • MD5: 29673d51254ee2c3a4f8a554d05d9a9e
    Sha256: 45c8c3611574c91661c31ba82c9342aac4c979cd79f1857c6967192613ef659e
  • MD5: 1ed089a4c6e0293231f2006349a48352
    Sha256: 33d17b0baf0670873f8d56b0a34e29427651e050e30e679d319fe91e195515d3
  • MD5: d0dc122a1803e0a0d9da2952bc9af170
    Sha256: f5d9e33092b133c1ba08c63656a9bd2bfd919f8bc53f024f4b3df8487917b7f9
  • MD5: 328edb56b216c06890689924883a55cd
    Sha256: f4e68406e6d682f2262faceb996fa371bfba1d82d94bc7c41657cb4b0b41e750
  • MD5: 4a680f7de7a2ea159b4f68656b9dd026
    Sha256: 8920be8f2a8e36e22d903a24ecd48de647224a653536aefab16c3150b30ee931

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.