W64/Agent.I!tr
Analysis
W64/Agent.I!tr is a generic detection for a trojan.
Because this is a generic detection, malware detected as W64/Agent.I!tr may vary in behaviour.
Below are some of its observed characteristics/behaviours:
- This malware has been observed to drop a copy of itself as %Windir%\Net Helper\net-helper.exe.
- The following service-related registry modification has also been observed:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\net-helper
- The malware is known to be compiled with Go (Golang).
- The following are the known IOCs related to this malware:
  - 2FF704EE0FA86C21B450E4E267159559
  - B9FECF7B9EFCEC4DEB70D412BB00FEF7
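A host triage check for the artifacts listed above, added here as an example and not taken from the vendor's write-up. It assumes the two IOCs are MD5 file hashes (they are 32 hex characters) and that the service's ImagePath would reference the dropped executable; neither is stated on this page.

```powershell
# Added triage example (not vendor code). The drop path, service key and
# hashes are the ones listed above; MD5 as the hash type is an assumption.
$knownMd5 = @(
    '2FF704EE0FA86C21B450E4E267159559',
    'B9FECF7B9EFCEC4DEB70D412BB00FEF7'
)
$dropPath   = Join-Path $env:windir 'Net Helper\net-helper.exe'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\services\net-helper'

$findings = [ordered]@{
    Host           = $env:COMPUTERNAME
    FilePresent    = Test-Path -LiteralPath $dropPath
    FileMd5        = $null
    Md5IsKnownIoc  = $false
    ServiceKey     = Test-Path -LiteralPath $serviceKey
    ImagePath      = $null
    ImagePathMatch = $false
    Suspicious     = $false
}

# Hash the dropped copy, if present, and compare it with the listed IOCs.
if ($findings['FilePresent']) {
    $findings['FileMd5'] = (Get-FileHash -LiteralPath $dropPath -Algorithm MD5).Hash
    $findings['Md5IsKnownIoc'] = $knownMd5 -contains $findings['FileMd5']
}

# Read the service entry and see whether it points at the dropped file
# (assumption: the service is the persistence mechanism for that file).
if ($findings['ServiceKey']) {
    $svc = Get-ItemProperty -LiteralPath $serviceKey -ErrorAction SilentlyContinue
    $findings['ImagePath'] = $svc.ImagePath
    $findings['ImagePathMatch'] = [bool]($svc.ImagePath -like '*net-helper.exe*')
}

# Either artifact alone is worth a closer look, even if the hash differs.
$findings['Suspicious'] = $findings['FilePresent'] -or $findings['ServiceKey']
[pscustomobject]$findings
```

Because the detection is generic, a host where all of these checks come back negative may still carry a sample that leaves different artifacts.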
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Availability |
---|---|
FortiGate | |
FortiClient | |
FortiAPS | |
FortiAPU | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR | |