W32/Injector.DXGP!tr

Analysis

W32/Injector.DXGP!tr is a generic detection for a downloader trojan that may download the Loki password stealer. Since this is a generic detection, the malware may vary in behaviour. Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %Startup%\[Random].vbs: This file will serve as an Autostart for the copy of the original malware.
    • %Temp%\[Random].bat: This file is dropped in %Temp% folder to delete the malware from the host machine after execution. This file is detected as BAT/Small.NAN!tr.
    • %ProgramFiles%\[Random]\[Random].exe: This file is a copy of the original malware itself.
    • %AppData%\xxxxxx\xxxxxx.lck: where each x is a hexadecimal digit, this file is a shortcut to a copy of the original malware itself.
    • %AppData%\xxxxxx\xxxxxx.exe: where each x is a hexadecimal digit, this file is a copy of the original malware itself.
    • %AppData%\[Random]\[Random].exe: This file is a copy of the original malware itself.

  • This malware may connect to any of the following remote site(s):
    • ksjdhfjsdfij322{Removed}.win
    • hxxp://joanrea{Removed}.ru/igere2/fred.php
    • hxxp://mten{Removed}.nut.cc/ml/timb4/lok/panel/fre.php
    • hxxp://www.chukaadmi{Removed}.in/uc/fiv/fre.php
    • logove{Removed}.info
    • hxxp://andrewte{Removed}.ru/WebPanel/api.php
    • hxxp://uluulupetcaf{Removed}.sg/nweje/panelnew/gate.php
    • hxxp://www.blogserver{Removed}.frank74148tmweb.ru/emmy/fre.php
    • hxxp://batm{Removed}.nut.cc/ml/p8/lok/panel/fre.php
    • hxxp://www.tim{Removed}.space/ml/vrs/ntb2/lok/panel/fre.php

  • The malware may create the following registry entry to automatically run the dropped copy of itself at startup:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • [Random] = "[Copy Of the Malware itself]"

  • This malware may delete itself after execution.
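The following PowerShell script is an added, report-only hunting example; it is not part of the Fortinet entry. It looks on a single host for the persistence artefacts listed above (a Run-key value pointing into a per-user or user-writable location, a .vbs launcher in the per-user Startup folder, and a six-hex-digit folder under %AppData% holding both an .exe and a .lck). The assumptions are mine: the xxxxxx names are exactly six hexadecimal digits, the .exe and .lck sit in the same folder, and the variable names are illustrative. It changes nothing on the host.

```powershell
# Added hunting example, not part of the Fortinet entry. Report-only: it lists
# candidate artefacts for analyst review and modifies nothing.
# Assumptions: Windows PowerShell 5.1 or later; the xxxxxx names are six hex digits.
$HexName  = '^[0-9a-fA-F]{6}$'
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Run-key values (the [Random] = "<copy of the malware>" entry) whose target
#    lies under %AppData%, %Temp% or %ProgramFiles%. Legitimate software uses
#    these locations too, so every hit is a lead for review, not a verdict.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    $roots = @($env:APPDATA, $env:TEMP, $env:ProgramFiles)
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PowerShell metadata, not a registry value
        $target = [string]$prop.Value
        foreach ($root in $roots) {
            if ($root -and $target.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $findings.Add([pscustomobject]@{ Kind = 'RunKey'; Name = $prop.Name; Path = $target })
                break
            }
        }
    }
}

# 2. .vbs launchers in the per-user Startup folder (the autostart file described above)
$startup = [Environment]::GetFolderPath('Startup')
foreach ($vbs in Get-ChildItem -Path $startup -Filter '*.vbs' -File -ErrorAction SilentlyContinue) {
    $findings.Add([pscustomobject]@{ Kind = 'StartupVbs'; Name = $vbs.Name; Path = $vbs.FullName })
}

# 3. %AppData%\xxxxxx\ folders that hold both an .exe and a .lck
foreach ($dir in Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue) {
    if ($dir.Name -notmatch $HexName) { continue }
    $exe = Get-ChildItem -Path $dir.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue
    $lck = Get-ChildItem -Path $dir.FullName -Filter '*.lck' -File -ErrorAction SilentlyContinue
    if ($exe -and $lck) {
        $findings.Add([pscustomobject]@{ Kind = 'AppDataCopy'; Name = $dir.Name; Path = $exe[0].FullName })
    }
}

if ($findings.Count -eq 0) { 'No matching artefacts found.' } else { $findings | Format-Table -AutoSize }
```

Run it in the session of the user whose profile you are examining, since HKCU and the Startup folder are per-user. Hits in the RunKey category need manual review against the installed software inventory; the AppDataCopy category is the most specific to the pattern this entry describes and is the one worth escalating first.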

Recommended Action

  • FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  • FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-04-22 67.98900 Sig Updated
2018-12-04 64.65300 Sig Updated
2018-09-26 62.48200 Sig Updated