W32/VB.SOR!tr.dldr

Analysis

W32/VB.SOR!tr.dldr is a generic detection for a trojan downloader written in Visual Basic.
Because this is a generic detection, samples detected as W32/VB.SOR!tr.dldr may vary in behaviour.
Below are some of its observed characteristics/behaviours:

  • Upon execution, the malware will display a message box with a timer counting down from 20 seconds. The malware will delete itself once the timer reaches 0 or if a button is pressed on the message box.

  • The malware looks for a file named "1.vbs" in the same directory as the executable and attempts to run it. It then connects to one or more domains, which vary by variant, and attempts to download the payload from those URLs.

  • It executes the following command to remove the value named "xt" from the Run key (reg.exe delete syntax: /v selects the value name, /f suppresses the confirmation prompt):
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v xt /f

  • Below are the captions of the malware screenshots (images not reproduced here):
    • Figure 1: Message box with countdown.
    • Figure 2: Deleting itself and attempting to execute the file "1.vbs".
    • Figure 3: Connecting to URLs to download the payload.

  • Below are some of the URLs the trojan attempts to connect to:
    • http://download.lnzb[removed]qqpcmgr_v13.3.20244.216_1100109869_0.exe
    • http://download.23[removed]n/silence/2345Explorer_209411_silence.exe
    • http://dn[removed]om/qqpcmgr_v12.11.19326.210_1100101588_1.exe
    • http://dng[removed]om/V9._1100101907_20180412110524.exe
    • http://dng[removed]om/1.vbs

  • The following file hashes are associated with this detection:
    • MD5: 93d4f1ac23dd2c9b44d4869a35a7c241
      SHA-256: 6496a7c8b94ed88842afcfc5e8c6dfdeb94ef13c5b8db92edf5ce84eff0e05c6
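The indicators above can be turned into an offline triage script. The following is an added example, not Fortinet's code and not something from this page: it hashes files against the listed MD5/SHA-256, flags any copy of "1.vbs" and every executable that has a "1.vbs" sibling (the companion-script behaviour described above), and matches proxy-log URLs on the payload filenames (the hosts are redacted on the page, so only the URL path is compared). Assumptions: the version and build digits in the payload filenames are wildcarded, the hostnames in the constructed log lines are placeholders, and the Run-key check only works on Windows.

```python
#!/usr/bin/env python3
"""Offline IOC triage for the W32/VB.SOR!tr.dldr indicators listed above.

Added example, not Fortinet's code.  Sample inputs are constructed.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Hashes listed on the page for this detection.
MD5_IOCS = {"93d4f1ac23dd2c9b44d4869a35a7c241"}
SHA256_IOCS = {"6496a7c8b94ed88842afcfc5e8c6dfdeb94ef13c5b8db92edf5ce84eff0e05c6"}

# URL paths derived from the page's download URLs.  Version/build digits
# are wildcarded because they vary by variant (assumption).
PAYLOAD_PATH_PATTERNS = [
    re.compile(r"/qqpcmgr_v[\d.]+_\d+_\d+\.exe$", re.I),
    re.compile(r"/2345Explorer_\d+_silence\.exe$", re.I),
    re.compile(r"/V9\._\d+_\d+\.exe$", re.I),
    re.compile(r"/1\.vbs$", re.I),
]

DROPPER_NAME = "1.vbs"   # script the trojan looks for next to itself
RUN_VALUE_NAME = "xt"    # Run-key value it tries to delete

# Constructed proxy log; hostnames are placeholders, not the real hosts.
SAMPLE_PROXY_LOG = [
    "2019-10-28 10:01:02 ws17 GET http://download.example.test/silence/2345Explorer_209411_silence.exe 200",
    "2019-10-28 10:01:05 ws17 GET http://dng.example.test/1.vbs 200",
    "2019-10-28 10:02:00 ws17 GET http://updates.example.test/index.html 200",
]


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streamed in 64 KiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def scan_directory(root):
    """Walk a tree and return (finding_kind, path) tuples for hash matches,
    copies of 1.vbs, and executables that have a 1.vbs sibling."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {name.lower() for name in files}
        has_dropper = DROPPER_NAME in lowered   # NTFS names are case-insensitive
        for name in files:
            path = os.path.join(dirpath, name)
            md5, sha = file_hashes(path)
            if md5 in MD5_IOCS or sha in SHA256_IOCS:
                findings.append(("hash_match", path))
            if name.lower() == DROPPER_NAME:
                findings.append(("dropper_script", path))
            elif has_dropper and name.lower().endswith(".exe"):
                findings.append(("exe_with_sibling_1.vbs", path))
    return findings


def scan_proxy_log(lines):
    """Return every URL in the log whose path matches a listed payload name."""
    hits = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            if any(pat.search(urlsplit(url).path) for pat in PAYLOAD_PATH_PATTERNS):
                hits.append(url)
    return hits


def run_value_present():
    """Whether the Run value the trojan deletes still exists.
    Windows only; returns None where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            winreg.QueryValueEx(key, RUN_VALUE_NAME)
            return True
    except OSError:
        return False


def demo():
    """Build a constructed dropper directory and run both scanners over it."""
    root = tempfile.mkdtemp(prefix="vbsor_demo_")
    Path(root, "1.vbs").write_text('WScript.Echo "constructed sample"\n')
    Path(root, "setup.exe").write_bytes(b"MZ constructed sample, not real malware")
    Path(root, "readme.txt").write_text("benign\n")
    return scan_directory(root), scan_proxy_log(SAMPLE_PROXY_LOG)


if __name__ == "__main__":
    dir_findings, url_hits = demo()
    for kind, path in dir_findings:
        print(f"[{kind}] {path}")
    for url in url_hits:
        print(f"[payload_url] {url}")
    print("Run value 'xt' present:", run_value_present())
```

The sibling-script rule is the useful one in practice: a hash match only catches the one sample listed here, whereas an .exe sitting next to a "1.vbs" in a user-writable directory reflects the behaviour the whole detection family shares. Point scan_directory at download and temp folders and feed scan_proxy_log real proxy lines to hunt for the download stage.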

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Level
FortiClient                Extreme
FortiMail                  Extreme
FortiSandbox               Extreme
FortiWeb                   Extreme
Web Application Firewall   Extreme
FortiIsolator              Extreme
FortiDeceptor              Extreme
FortiEDR

Version Updates

Date         Version    Detail
2023-05-02   91.02896
2023-01-13   90.09617
2019-12-31   74.20000   Sig Updated
2019-12-17   73.86100   Sig Updated
2019-11-10   72.97900   Sig Updated
2019-10-28   72.66000   Sig Updated