W32/FareitVB.M!tr
Analysis
W32/FareitVB.M!tr is a generic detection for a trojan. Since this is a generic detection, malware detected as W32/FareitVB.M!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:
- This malware may drop any of the following file(s):
  - %AppData%\[OriginalMalware].exe : This file is detected as W32/FareitVB.M!tr.
  - %AppData%\install\rilc.exe : This file is a copy of the original malware itself.
  - %AppData%\subfolder\filename.exe : This file is detected as W32/FareitVB.M!tr.
  - %AppData%\dfvxfv\gcg.exe : This file is detected as W32/FareitVB.M!tr.
  - %AppData%\mixcver\vsdme.exe : This file is detected as W32/FareitVB.DSJG!tr.
  - %StartUp%\filename.vbe : This VBS script serves as an autostart for filename.exe.
  - %StartUp%\gcg.vbe : This VBS script serves as an autostart for gcg.exe.
  - %StartUp%\vsdme.vbe : This VBS script serves as an autostart for vsdme.exe.
  - %Temp%\-.exe : This file is detected as W32/Injector.DSJQ!tr.
  - %Temp%\96656.bat : This file is detected as BAT/Small.NAN!tr.
  - %Temp%\ali1st-cr.exe : This file is detected as W32/FareitVB.DSJA!tr.
  - %User%\ScreenShot\screen.jpg : This file is a screenshot of the host's desktop.
- This malware may connect to any of the following remote site(s):
  - shaboca{Removed}.com.md-90.webhostbox.net
  - infocolornid{Removed}.publicvm.com
  - alsharfigrou{Removed}.com
- Some instances of this malware may apply the following registry modification(s):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    - Qilp = %AppData%\install\rilc.exe
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
- Some instances of this malware have information-theft capability, sending the host's machine name, the current time and even a current screenshot to alsharfigrou{Removed}.com.
- The original copy of the malware may be deleted after execution.
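As an added example (not part of the Fortinet write-up), the following Python checks a host's Run-key values and Startup-folder listing for the two persistence artefacts described above: a Run value that launches an executable under %AppData%, and a .vbe script in the Startup folder paired with a same-named dropped .exe. All inputs are constructed samples; on a live host they would be read from the registry and the Startup folder.

```python
"""Hunt for the Run-key and Startup .vbe persistence pattern described above."""
import ntpath
import re
from typing import Dict, Iterable, List

# Roaming AppData, either as the %AppData% placeholder used in the write-up
# or as the expanded per-user path. AppData\Local is deliberately not matched.
ROAMING_APPDATA = re.compile(
    r'^"?(%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)\\', re.IGNORECASE)
SCRIPT_EXTS = {".vbe", ".vbs"}


def run_key_hits(run_values: Dict[str, str]) -> List[str]:
    """Names of Run values whose command launches something under roaming AppData."""
    return sorted(name for name, cmd in run_values.items()
                  if ROAMING_APPDATA.match(cmd.strip()))


def vbe_autostart_pairs(startup_files: Iterable[str],
                        dropped_exes: Iterable[str]) -> Dict[str, str]:
    """Map each .vbe/.vbs in the Startup folder to a dropped .exe sharing its basename."""
    exes_by_stem = {ntpath.splitext(ntpath.basename(p))[0].lower(): p
                    for p in dropped_exes}
    pairs = {}
    for name in startup_files:
        stem, ext = ntpath.splitext(name)
        if ext.lower() in SCRIPT_EXTS and stem.lower() in exes_by_stem:
            pairs[name] = exes_by_stem[stem.lower()]
    return pairs


# Constructed sample data modelled on the artefacts listed in this write-up.
SAMPLE_RUN = {  # HKCU\...\CurrentVersion\Run value name -> command
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Qilp": r"%AppData%\install\rilc.exe",
}
SAMPLE_STARTUP = ["desktop.ini", "gcg.vbe", "vsdme.vbe"]
SAMPLE_APPDATA_EXES = [r"%AppData%\dfvxfv\gcg.exe",
                       r"%AppData%\mixcver\vsdme.exe",
                       r"%AppData%\Microsoft\Teams\Update.exe"]

if __name__ == "__main__":
    print("Run values pointing into AppData\\Roaming:", run_key_hits(SAMPLE_RUN))
    for script, exe in vbe_autostart_pairs(SAMPLE_STARTUP, SAMPLE_APPDATA_EXES).items():
        print(f"Startup script {script} autostarts {exe}")
```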
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.