LNK/Agent.AG!tr.dldr
Analysis
LNK/Agent.AG!tr.dldr is a generic detection for a Office OLE embedding Exploit/Powershell Downloader.
Since this is a generic detection, malware that are detected as LNK/Agent.AG!tr.dldr may have varying behaviour.
Below are examples of some of its characteristics/behaviours:
- Using an MSOffice OLE embedding exploit, this malware intends to issue a powershell comamnd that will download from hxxp://cirad.{Removed}.id/mnfTRw3 which is a script afterwhich executes it and downloads from the following :
- hxxp://toptre{Removed}.org/ndgHSKFte4
- hxxp://celebrityonl{Removed}.cz/ndgHSKFte4
- hxxp://aurea-{Removed}.ru/ndgHSKFte4
- hxxp://transmerc{Removed}.com/ndgHSKFte4
- hxxp://envi-her{Removed}.de/ndgHSKFte4
- hxxp://dotec{Removed}.cl/ndgHSKFte4
- hp://claridge-holdi{Removed}.com/ndgHSKFte4
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiGate | |
---|---|
FortiClient | |
FortiAPS | |
FortiAPU | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR |