virus logo Virus

LNK/Agent.AG!tr.dldr

description-logoAnalysis


 LNK/Agent.AG!tr.dldr is a generic detection for a Office OLE embedding Exploit/Powershell Downloader. Since this is a generic detection, malware that are detected as LNK/Agent.AG!tr.dldr may have varying behaviour.
Below are examples of some of its characteristics/behaviours:

  • Using an MSOffice OLE embedding exploit, this malware intends to issue a powershell comamnd that will download from hxxp://cirad.{Removed}.id/mnfTRw3 which is a script afterwhich executes it and downloads from the following :
    • hxxp://toptre{Removed}.org/ndgHSKFte4
    • hxxp://celebrityonl{Removed}.cz/ndgHSKFte4
    • hxxp://aurea-{Removed}.ru/ndgHSKFte4
    • hxxp://transmerc{Removed}.com/ndgHSKFte4
    • hxxp://envi-her{Removed}.de/ndgHSKFte4
    • hxxp://dotec{Removed}.cl/ndgHSKFte4
    • hp://claridge-holdi{Removed}.com/ndgHSKFte4

  • The downloaded file, is located at %Temp%/4.lnk, is currently detected as W32/Kryptik.4405!tr.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2020-03-12 75.91400 Sig Updated
2020-03-10 75.86200 Sig Updated
2020-03-05 75.74300 Sig Updated
2020-03-04 75.71900 Sig Updated
2019-05-03 68.25100 Sig Updated
2019-05-03 68.24700 Sig Updated
ID 7230399
Released Nov 01, 2017
Description
Updated		 Nov 17, 2016
Aliases HEUR:Trojan.WinLNK.Agent.gen, Mal/DownLnk-D, Win32.SuspectCrc
Platform Profile used for link malware (shortcut in Microsoft Windows)
Profile Type Trojan Downloader (tr.dldr)