W32/Fareit.A!tr.pws

Analysis


W32/Fareit.A!tr.pws is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Fareit.A!tr.pws may have varying behavior.
Below are examples of some of these behaviors:

  • It can be configured to download malware from a URL and then either drop and execute it on the victim's system or inject it into a process such as AppLaunch.exe or vbc.exe in the .NET Runtime directory, or even into its own running process.

  • It injects malware detected as W32/Agent.NTM!tr into one of the processes mentioned above. The injected malware then steals passwords from software such as CuteFTP and FileZilla.

  • Infected systems perform DNS queries for certain hardcoded domain names, which may vary between variants. One observed domain is the following:
    • soulf{Removed}om.mx

  • The malware automatically deletes itself after execution.
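The three behaviors above (injection into a .NET runtime host, DNS queries to a hardcoded domain, and self-deletion) can be triaged from endpoint telemetry. The following is an added example, not Fortinet's code: it assumes Sysmon-style key=value events (IDs 1, 8, 22, 23) and uses a placeholder C2 hostname, since the page redacts the real one.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Sysmon-style events constructed for this example; paths and hostnames are placeholders.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe ParentImage=C:\\Windows\\explorer.exe
EventID=8 SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe TargetImage=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
EventID=22 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe QueryName=placeholder-c2.example
EventID=23 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe
EventID=8 SourceImage=C:\\Windows\\explorer.exe TargetImage=C:\\Windows\\System32\\notepad.exe
"""

# Hardcoded C2 names would come from the vendor IoC feed; this entry is a placeholder.
DNS_WATCHLIST = {"placeholder-c2.example"}
# .NET runtime hosts the analysis names as injection targets.
DOTNET_HOSTS = {"applaunch.exe", "vbc.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value Key=Value' line into a dict (values here contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for the three Fareit behaviors, in log order."""
    findings: List[Tuple[str, str]] = []
    spawned = set()  # images of processes seen starting (event 1), for self-delete matching
    for line in log_text.splitlines():
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "1":
            spawned.add(ev["Image"].lower())
        elif eid == "8":  # CreateRemoteThread: injection into a .NET runtime host
            target = ev["TargetImage"]
            if ntpath.basename(target).lower() in DOTNET_HOSTS and "\\microsoft.net\\" in target.lower():
                findings.append(("inject-dotnet-host", f"{ev['SourceImage']} -> {target}"))
        elif eid == "22":  # DNS query to a hardcoded C2 domain
            if ev["QueryName"].lower() in DNS_WATCHLIST:
                findings.append(("c2-dns-query", f"{ev['Image']} queried {ev['QueryName']}"))
        elif eid == "23":  # FileDelete of a binary we saw start: the dropper removing itself
            if ev["TargetFilename"].lower() in spawned:
                findings.append(("self-delete", ev["TargetFilename"]))
    return findings
```

A hit on the self-delete rule is the cue to recover the dropper from Sysmon's archive directory before it is lost, since the quarantine step above needs the file.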

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-03-23 92.02717
2024-02-06 92.01334
2024-01-01 92.00252
2023-09-19 91.07104
2023-09-12 91.06894
2023-08-02 91.05672
2023-07-28 91.05521
2023-06-14 91.04194
2023-05-31 91.03776
2023-05-23 91.03526