VBA/Agent.86A8!tr.dldr

Analysis


VBA/Agent.86A8!tr.dldr is a generic detection for a type of macro downloader trojan that downloads the Locky ransomware, detected as W32/Kryptik.FUJR!tr. Since this is a generic detection, files detected as VBA/Agent.86A8!tr.dldr may have varying behavior.
Together with W32/Kryptik.FUJR!tr, the following are examples of its observed behavior:

  • It downloads the Locky ransomware as the following file:

  • It adds the ".lukitus" extension to encrypted files.

  • It attempts to connect to the following URLs:
    • hxxp://zona{Removed}.top/1
    • hxxp://baby{Removed}.com/image/flags/1
    • hxxp://long{Removed}.com.vn/image/flags/1

  • Below is an example of the ransom notes along with the infected document sample:
    • Figure 1: Ransom notes.
    • Figure 2: Infected document.
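As an added example (not part of the Fortinet advisory), a small Python detector that flags proxy log entries whose request path matches the observed Locky download paths ("/1" and "/image/flags/1") and lists files carrying the ".lukitus" extension. The log line format and the hostnames in the sample data are constructed placeholders, not real indicators; a bare "/1" path is broad, so hits should be correlated with macro execution from an Office document on the same host.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the advisory: the Locky payload is fetched from request
# paths ending in "/1" or "/image/flags/1", and encrypted files get ".lukitus".
PAYLOAD_PATHS = ("/1", "/image/flags/1")
RANSOM_EXT = ".lukitus"

# Constructed log format for this example: "<ts> <client> <status> <method> <url> ...".
# Adjust the regex to the real layout of your proxy or web-filter log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

def suspicious_download(url: str) -> bool:
    """True when the URL path is one of the observed Locky download paths."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.path in PAYLOAD_PATHS

def scan_proxy_log(lines):
    """Return (client, url) pairs for GET requests that look like the Locky fetch."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET" and suspicious_download(m.group("url")):
            hits.append((m.group("client"), m.group("url")))
    return hits

def encrypted_files(paths):
    """Filter file paths down to those carrying the Locky '.lukitus' extension."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXT)]

# Constructed sample data; hostnames are placeholders standing in for the
# {Removed} domains in the advisory.
SAMPLE_LOG = [
    "2019-05-03T10:01:02 10.0.0.12 200 GET http://placeholder-a.top/1 application/octet-stream",
    "2019-05-03T10:01:05 10.0.0.12 200 GET http://placeholder-b.com/image/flags/1 application/octet-stream",
    "2019-05-03T10:02:10 10.0.0.15 200 GET http://intranet.example/image/flags/flag1.png image/png",
    "2019-05-03T10:03:00 10.0.0.12 200 POST http://placeholder-a.top/1 text/plain",
]
SAMPLE_FILES = [
    "C:/Users/u/Documents/report.docx.lukitus",
    "C:/Users/u/Documents/budget.xlsx",
    "C:/Users/u/Pictures/photo.jpg.lukitus",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"possible Locky payload fetch from {client}: {url}")
    for path in encrypted_files(SAMPLE_FILES):
        print(f"encrypted file: {path}")
```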


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                   Detection
FortiClient               Extreme
FortiMail                 Extreme
FortiSandbox              Extreme
FortiWeb                  Extreme
Web Application Firewall  Extreme
FortiIsolator             Extreme
FortiDeceptor             Extreme
FortiEDR

Version Updates

Date        Version   Detail
2021-07-06  87.00429
2019-05-03  68.25100  Sig Added
2019-05-03  68.25000  Sig Updated