W32/GenKryptik.BANO!tr
Analysis
W32/GenKryptik.BANO!tr is a generic detection for a Downloader trojan.
Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop the following file:
- %Temp%\[Random].bat: A batch file with a random name, dropped in the %Temp% folder. It deletes the original malware executable from the host machine after execution (a self-delete stub). This file is detected as BAT/Small.NAN!tr.
- This malware may connect to any of the following remote site(s):
- hxxp://revistavidanatura{Removed}.com.br/arquivosold/estilo/.search/eval/en/hjoe.php
- hxxp://revistavidanatura{Removed}.com.br/images/logo/.public/.en/gate.php
- hxxp://9{Removed}.142.221.58/%7Ecomsgautopart/.eval/public/ssl/.en/run.php
- hxxp://9{Removed}.142.221.58/%7Ecomsgautopart/.cache/main/.soft/edit/mode.php
- hxxp://revistavidanatura{Removed}.com.br/partner-staging/.review/ssl/gate.php
- hxxp://revistavidanatura{Removed}.com.br/includes/classes/.main/en/gate.php
- 20{Removed}.91.112.55
- 13{Removed}.0.103.55
- 9{Removed}.142.221.58
- The original copy of the malware may also be deleted after execution.
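The host and URL indicators above are partially redacted with "{Removed}", so they cannot be matched literally. The following is an added example (not Fortinet's code and not part of this entry) that converts each redacted indicator into an anchored pattern over its visible parts, normalizes percent-encoding in the URL path (note that %7E and ~ are the same character), and runs the result over a handful of constructed proxy log lines. The log format (timestamp, source IP, method, target, status) and the hosts and IPs in the sample lines are constructed placeholders that merely fit the redacted shape; they are not the real infrastructure. Because the redaction widens the match, a host-only hit is reported as a lead rather than a confirmed indicator.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators copied from the entry above (still defanged and redacted).
IOC_URLS = [
    "hxxp://revistavidanatura{Removed}.com.br/arquivosold/estilo/.search/eval/en/hjoe.php",
    "hxxp://revistavidanatura{Removed}.com.br/images/logo/.public/.en/gate.php",
    "hxxp://9{Removed}.142.221.58/%7Ecomsgautopart/.eval/public/ssl/.en/run.php",
    "hxxp://9{Removed}.142.221.58/%7Ecomsgautopart/.cache/main/.soft/edit/mode.php",
    "hxxp://revistavidanatura{Removed}.com.br/partner-staging/.review/ssl/gate.php",
    "hxxp://revistavidanatura{Removed}.com.br/includes/classes/.main/en/gate.php",
]
IOC_HOSTS = ["20{Removed}.91.112.55", "13{Removed}.0.103.55", "9{Removed}.142.221.58"]


def redacted_to_regex(indicator: str) -> re.Pattern:
    """Build an anchored regex from a '{Removed}'-redacted host.

    Visible parts are matched literally; each redacted gap becomes a
    wildcard (digits only if the indicator looks like an IPv4 address).
    """
    parts = indicator.split("{Removed}")
    looks_like_ip = all(re.fullmatch(r"[0-9.]*", p) for p in parts)
    gap = r"\d*" if looks_like_ip else r"[a-z0-9.-]*"
    return re.compile("^" + gap.join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def split_ioc_url(ioc: str):
    """Split a defanged 'hxxp://host/path' indicator into (host, decoded path)."""
    rest = ioc.split("://", 1)[1]
    host, _, path = rest.partition("/")
    return host, unquote("/" + path)


def build_rules():
    """Rules are (indicator, host_regex, path_or_None); URL rules first."""
    rules = []
    for ioc in IOC_URLS:
        host, path = split_ioc_url(ioc)
        rules.append((ioc, redacted_to_regex(host), path))
    for host in IOC_HOSTS:
        rules.append((host, redacted_to_regex(host), None))
    return rules


def parse_target(target: str):
    """Return (lowercased host, decoded path) for a URL or a CONNECT host:port."""
    if "://" in target:
        u = urlsplit(target)
        return (u.hostname or "").lower(), unquote(u.path)
    host = target.rsplit(":", 1)[0] if target.count(":") == 1 else target
    return host.lower(), ""


def scan(log_text: str, rules):
    """Return (timestamp, source, indicator, confidence) for each matching line.

    'exact' means host and path both matched (or a bare-host indicator matched);
    'host-only' means only the host matched and the hit is a lead to review.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, src, _method, target = fields[:4]
        host, path = parse_target(target)
        best = None
        for ioc, host_re, ioc_path in rules:
            if not host_re.match(host):
                continue
            if ioc_path is None or path == ioc_path:
                best = (ioc, "exact")
                break
            if best is None:
                best = (ioc, "host-only")
        if best:
            hits.append((ts, src, best[0], best[1]))
    return hits


# Constructed sample proxy log; hosts/IPs are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 GET http://revistavidanatura-example.com.br/images/logo/.public/.en/gate.php 200
2024-05-01T10:00:02Z 10.0.0.12 GET http://99.142.221.58/~comsgautopart/.eval/public/ssl/.en/run.php 200
2024-05-01T10:00:03Z 10.0.0.13 GET http://www.example.com/index.html 200
2024-05-01T10:00:04Z 10.0.0.14 CONNECT 139.0.103.55:443 200
2024-05-01T10:00:05Z 10.0.0.12 GET http://revistavidanatura-example.com.br/robots.txt 404
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, build_rules()):
        print(hit)
```

Matching on decoded paths is what makes the "%7Ecomsgautopart" indicator line up with a proxy log that records "~comsgautopart"; compare both sides after unquote() rather than trying to guess which encoding a given log source uses.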
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
  - Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
  - Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR