MSIL/Packed.VWH!tr

Analysis

MSIL/Packed.VWH!tr is a generic detection for a trojan.
Because this is a generic detection, samples detected as MSIL/Packed.VWH!tr may differ in behaviour.
Below are some of the observed characteristics/behaviours:

  • Most of the files detected under this signature are .dll files.

  • This .NET malware usually appears in packed form, with multiple layers of encryption.

  • The malware has been observed to use randomized filenames together with a multi-level decryption routine, as illustrated below:

    • Figure 1: Random filename used by the malware.

    • Figure 2: Layers of the decrypt function.


  • Following are some of the IOCs (file hashes, near or exact matches) associated with this detection:


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected, and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version    Detail
2023-04-04  91.02050
2023-01-23  90.09916
2023-01-12  90.09590
2023-01-12  90.09577
2023-01-11  90.09564