W32/Injector.DXGP!tr
Analysis
W32/Injector.DXGP!tr is a generic detection for a downloader trojan that may download the Loki password stealer.
Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - %Startup%\[Random].vbs: serves as an autostart for the dropped copy of the original malware.
  - %Temp%\[Random].bat: dropped in the %Temp% folder to delete the original malware file from the host after execution. This file is detected as BAT/Small.NAN!tr.
  - %ProgramFiles%\[Random]\[Random].exe: a copy of the original malware.
  - %AppData%\xxxxxx\xxxxxx.lck, where each x is a hexadecimal digit: a shortcut to a copy of the original malware.
  - %AppData%\xxxxxx\xxxxxx.exe, where each x is a hexadecimal digit: a copy of the original malware.
  - %AppData%\[Random]\[Random].exe: a copy of the original malware.
- This malware may connect to any of the following remote site(s):
  - ksjdhfjsdfij322{Removed}.win
  - hxxp://joanrea{Removed}.ru/igere2/fred.php
  - hxxp://mten{Removed}.nut.cc/ml/timb4/lok/panel/fre.php
  - hxxp://www.chukaadmi{Removed}.in/uc/fiv/fre.php
  - logove{Removed}.info
  - hxxp://andrewte{Removed}.ru/WebPanel/api.php
  - hxxp://uluulupetcaf{Removed}.sg/nweje/panelnew/gate.php
  - hxxp://www.blogserver{Removed}.frank74148tmweb.ru/emmy/fre.php
  - hxxp://batm{Removed}.nut.cc/ml/p8/lok/panel/fre.php
  - hxxp://www.tim{Removed}.space/ml/vrs/ntb2/lok/panel/fre.php
- The malware may create the following registry entry so that the dropped copy of itself runs automatically at startup:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    - [Random] = "[Copy of the malware itself]"
- This malware may delete itself after execution.
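The dropped-file and Run-key patterns above can be turned into an offline triage check. The script below is an added example and is not Fortinet's code; it matches file paths and Run-key values against the locations the write-up describes, using the standard expansions of %AppData%, %Startup%, %Temp% and %ProgramFiles%. All sample paths and Run values are constructed for illustration and do not come from a real host. Because the malware can delete its original file after execution, the Run-key value and the copies in %AppData% or %ProgramFiles% may be the only artefacts left, so both are checked.

```python
"""Offline triage of host artefacts against the dropped-file and Run-key
patterns described in the W32/Injector.DXGP!tr write-up.

Added example, not Fortinet's code. All sample data below is constructed."""
import re

HEX6 = r"[0-9A-Fa-f]{6}"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Patterns are applied to fully expanded paths:
#   %AppData%      -> ...\AppData\Roaming
#   %Startup%      -> ...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
#   %Temp%         -> ...\AppData\Local\Temp
#   %ProgramFiles% -> C:\Program Files or C:\Program Files (x86)
# The *_copy patterns with [Random] names are weak on their own (legitimate
# software also lives one level under Roaming or Program Files); treat them as
# hunting leads to correlate with the Run key, not as verdicts.
FILE_PATTERNS = {
    "startup_vbs": re.compile(
        r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I),
    "temp_bat": re.compile(
        r"\\AppData\\Local\\Temp\\[^\\]+\.bat$", re.I),
    # %AppData%\xxxxxx\xxxxxx.exe / .lck, six hex digits in each name
    "appdata_hex_copy": re.compile(
        rf"\\AppData\\Roaming\\{HEX6}\\{HEX6}\.(?:exe|lck)$", re.I),
    # %AppData%\[Random]\[Random].exe
    "appdata_copy": re.compile(
        r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.I),
    # %ProgramFiles%\[Random]\[Random].exe
    "programfiles_copy": re.compile(
        r"^[A-Z]:\\Program Files(?: \(x86\))?\\[^\\]+\\[^\\]+\.exe$", re.I),
}


def classify_path(path):
    """Return the names of every pattern the path matches, most specific first."""
    return [name for name, rx in FILE_PATTERNS.items() if rx.search(path)]


def executable_from_run_data(data):
    """Extract the executable path from a Run value's data.

    Handles both "quoted path" arguments and unquoted path arguments forms."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def triage(file_paths, run_values):
    """Flag files and Run-key entries matching the write-up's artefact locations.

    Returns a list of (kind, detail, tags) tuples."""
    findings = []
    for path in file_paths:
        tags = classify_path(path)
        if tags:
            findings.append(("file", path, tags))
    for name, data in run_values.items():
        target = executable_from_run_data(data)
        # Only the copy locations are meaningful as Run-key targets.
        tags = [t for t in classify_path(target) if t.endswith("_copy")]
        if tags:
            findings.append(("run_key", f"{RUN_KEY}\\{name} -> {target}", tags))
    return findings


# Constructed sample artefacts (hypothetical names, not from a real infection).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kqzx.vbs",
    r"C:\Users\alice\AppData\Local\Temp\hj3f.bat",
    r"C:\Users\alice\AppData\Roaming\1A2B3C\4D5E6F.exe",
    r"C:\Users\alice\AppData\Roaming\1A2B3C\4D5E6F.lck",
    r"C:\Program Files\Wqpl\Wqpl.exe",
    r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",              # two levels deep: no match
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",   # three levels deep: no match
]
SAMPLE_RUN_VALUES = {
    "Wqpl": r'"C:\Program Files\Wqpl\Wqpl.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for kind, detail, tags in triage(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f"[{kind}] {detail}  <- {', '.join(tags)}")
```

On a live host the file list would come from a directory walk of the user profile and Program Files, and the Run values from the HKCU Run key; the matching logic stays the same. A hit on `startup_vbs`, `temp_bat` or `appdata_hex_copy` is a strong lead, while a bare `appdata_copy` or `programfiles_copy` hit needs a matching Run-key value before it is worth escalating.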
Recommended Action
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.