MSIL/Packed.VWH!tr
Analysis
MSIL/Packed.VWH!tr is a generic detection for a trojan.
Because this is a generic detection, malware detected as MSIL/Packed.VWH!tr may vary in behaviour.
Below are some of its observed characteristics/behaviours:
- Most of the files detected under this signature are .dll files.
- This .NET malware usually appears in packed form, wrapped in multiple layers of encryption.
- The malware has been observed to use randomized filenames together with multi-level decryption, as illustrated below:
- Figure 1: Random filename used by the malware.
- Figure 2: Layers of decrypt functions.
- The following file hashes (exact or near IOCs) are associated with this detection:
- Sha256: 8d73c90c2851e41f9d9464605990d701d95d0c97c5a3ab133d6752225da65887
  Md5: 001866126558DED0D2088578DDC38006
- Sha256: a64440524bfe26549a563bba95e682864fee919b143945818d1669f503801908
  Md5: 0A695813012FEC46126BAC88C59FDE53
- Sha256: aa4568c67f2fe8f9915df56b35cc7e43c39b0c9d605ad0b1933f419cd93b645f
  Md5: 101B155D26D370D7668A317BBAC5839C
- Sha256: 067dea991f57adcd2acd72bf66c068281ad2ec80e8ef6d966d0c364a1a5c3790
  Md5: 10693AD02170F7455A113D7BB8924AB7
- Sha256: 5c3ec213b4a260e013f7fd7fb5f7b41f84eda5c45b610f4d097aa5519a4c09ff
  Md5: 1C40A4A3CA7122D5ADE4CE1E87FD78DF
- Sha256: f7ffa6651d158ed2c0be3db98a32a6cd14a9f37f65a4c200d0519fb0faa844ec
  Md5: 43D55BB0D04B4E0924820BD712716CE0
- Sha256: 4d410a92fe2d3bce04c049f2bec2d8de945c4c264cd314686844eaa8397a7a93
  Md5: 445B90A91771F309E214C1FD6424A369
- Sha256: 77bfa977ebe0481b0ff30aecc377e7a69c484fe45d4a6f64b496246e4945bb7d
  Md5: 6EC7BFA8F861AF8FA7AF34FFE387EA16
- Sha256: e1718703c1859be867027967daf2ff62465aac3c4d0344dd7d9c60c2cc0e2fd9
  Md5: 902E36A43D59C508ED2C542E5BF9C281
- Sha256: 8748a92a252db4b120929bffa258c219fcf5d791e84ed4efae1f05a1ddb311fa
  Md5: A54575EC6B13978FC3EA5A7FC8A882F1
- Sha256: 1a8b11d3102529faf641ac2941b496ddae0a1e17e350a7204876c65576efa071
  Md5: B704F7832691FC7F227443B21D74A336
- Sha256: fbed278a363c69eba6ee9f6c867efaf6e1cc0c76a369891af129afcf8bb95a88
  Md5: BE6310ED4D0461D096670E7F634E68DE
- Sha256: bb5c34b17364cc7f37e504c710c710a80d8b96d7e77562890e32935f7dd3ceda
  Md5: DBBAE7C38CE150C9D2A8743F2B02B0BE
- Sha256: d4615c825e6cc4e9d18e60baa586dfa32aba874a827e814a3a05c359430df693
  Md5: E20EB3647722CF365BD0BCAC7BF0B85F
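As an added example (not code from the Fortinet page, and not code from the malware itself), the following Python triage script hashes files, matches them against the SHA256/MD5 values listed above, and also checks the PE header's CLR runtime data directory to flag .NET binaries that hash matching would miss. Because this is a generic detection for packed .NET samples, a repacked variant will not share any of the listed hashes, so the .NET check is what surfaces candidates for sandbox analysis. The PE byte strings built by `build_minimal_pe` are constructed header-only fixtures for demonstration, not samples of this family.

```python
"""Triage helper: match files against the MSIL/Packed.VWH!tr hash list and flag .NET PEs."""
import hashlib
import struct
import sys

# Hashes transcribed from the IOC list above, normalised to lowercase for comparison.
IOC_SHA256 = {h.lower() for h in (
    "8d73c90c2851e41f9d9464605990d701d95d0c97c5a3ab133d6752225da65887",
    "a64440524bfe26549a563bba95e682864fee919b143945818d1669f503801908",
    "aa4568c67f2fe8f9915df56b35cc7e43c39b0c9d605ad0b1933f419cd93b645f",
    "067dea991f57adcd2acd72bf66c068281ad2ec80e8ef6d966d0c364a1a5c3790",
    "5c3ec213b4a260e013f7fd7fb5f7b41f84eda5c45b610f4d097aa5519a4c09ff",
    "f7ffa6651d158ed2c0be3db98a32a6cd14a9f37f65a4c200d0519fb0faa844ec",
    "4d410a92fe2d3bce04c049f2bec2d8de945c4c264cd314686844eaa8397a7a93",
    "77bfa977ebe0481b0ff30aecc377e7a69c484fe45d4a6f64b496246e4945bb7d",
    "e1718703c1859be867027967daf2ff62465aac3c4d0344dd7d9c60c2cc0e2fd9",
    "8748a92a252db4b120929bffa258c219fcf5d791e84ed4efae1f05a1ddb311fa",
    "1a8b11d3102529faf641ac2941b496ddae0a1e17e350a7204876c65576efa071",
    "fbed278a363c69eba6ee9f6c867efaf6e1cc0c76a369891af129afcf8bb95a88",
    "bb5c34b17364cc7f37e504c710c710a80d8b96d7e77562890e32935f7dd3ceda",
    "d4615c825e6cc4e9d18e60baa586dfa32aba874a827e814a3a05c359430df693",
)}
IOC_MD5 = {h.lower() for h in (
    "001866126558DED0D2088578DDC38006", "0A695813012FEC46126BAC88C59FDE53",
    "101B155D26D370D7668A317BBAC5839C", "10693AD02170F7455A113D7BB8924AB7",
    "1C40A4A3CA7122D5ADE4CE1E87FD78DF", "43D55BB0D04B4E0924820BD712716CE0",
    "445B90A91771F309E214C1FD6424A369", "6EC7BFA8F861AF8FA7AF34FFE387EA16",
    "902E36A43D59C508ED2C542E5BF9C281", "A54575EC6B13978FC3EA5A7FC8A882F1",
    "B704F7832691FC7F227443B21D74A336", "BE6310ED4D0461D096670E7F634E68DE",
    "DBBAE7C38CE150C9D2A8743F2B02B0BE", "E20EB3647722CF365BD0BCAC7BF0B85F",
)}

CLR_RUNTIME_HEADER = 14  # index of IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the PE data directory


def hash_bytes(data: bytes) -> tuple[str, str]:
    """Return (md5, sha256) lowercase hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def is_dotnet_pe(data: bytes) -> bool:
    """True if data is a PE image whose CLR runtime header directory entry is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # optional header start
    if size_opt < 2 or opt + size_opt > len(data):
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        n_off, dir_off = 92, 96
    elif magic == 0x20B:        # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        n_off, dir_off = 108, 112
    else:
        return False
    if n_off + 4 > size_opt:
        return False
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_off)
    if n_dirs <= CLR_RUNTIME_HEADER or dir_off + (CLR_RUNTIME_HEADER + 1) * 8 > size_opt:
        return False
    rva, size = struct.unpack_from("<II", data, opt + dir_off + CLR_RUNTIME_HEADER * 8)
    return rva != 0 and size != 0


def match_iocs(data: bytes) -> dict:
    """Hash the blob, compare against the IOC sets, and note whether it is a .NET PE."""
    md5, sha256 = hash_bytes(data)
    return {"md5": md5, "sha256": sha256,
            "md5_hit": md5 in IOC_MD5, "sha256_hit": sha256 in IOC_SHA256,
            "dotnet_pe": is_dotnet_pe(data)}


def build_minimal_pe(dotnet: bool) -> bytes:
    """Constructed fixture: a header-only PE32 image, optionally with the CLR directory entry set."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header follows the DOS header
    opt_size = 224                                     # PE32 optional header with 16 directories
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_RUNTIME_HEADER * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("fixture-dotnet.bin", build_minimal_pe(True)), ("fixture-native.bin", build_minimal_pe(False))]
    for name, blob in targets:
        r = match_iocs(blob)
        verdict = ("IOC HIT" if r["md5_hit"] or r["sha256_hit"]
                   else ".NET PE, send to sandbox" if r["dotnet_pe"] else "no match")
        print(f"{name}: sha256={r['sha256']} {verdict}")
```

Run it with file paths as arguments to scan real files, or with no arguments to exercise the constructed fixtures. A hash hit is conclusive for the listed samples only; the .NET check deliberately over-triggers (every managed assembly, benign or not) so that packed variants not in the list still reach a sandbox rather than being silently passed.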
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
The availability table on this page covers the following products (the per-product availability marks are not reproduced here): FortiGate, FortiClient, FortiAPS, FortiAPU, FortiMail, FortiSandbox, FortiWeb, Web Application Firewall, FortiIsolator, FortiDeceptor, FortiEDR.