W32/GenKryptik.BANO!tr

Analysis



W32/GenKryptik.BANO!tr is a generic detection for a Downloader trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop the following file:
    • %Temp%\[Random].bat: This file is dropped in %temp% folder to delete the malware from the host machine after execution. This file is detected as BAT/Small.NAN!tr.

  • This malware may connect to any of the following remote site(s):
    • hxxp://revistavidanatura{Removed}.com.br/arquivosold/estilo/.search/eval/en/hjoe.php
    • hxxp://revistavidanatura{Removed}.com.br/images/logo/.public/.en/gate.php
    • hxxp://9{Removed}.142.221.58/%7Ecomsgautopart/.eval/public/ssl/.en/run.php
    • hxxp://9{Removed}.142.221.58/%7Ecomsgautopart/.cache/main/.soft/edit/mode.php
    • hxxp://revistavidanatura{Removed}.com.br/partner-staging/.review/ssl/gate.php
    • hxxp://revistavidanatura{Removed}.com.br/includes/classes/.main/en/gate.php
    • 20{Removed}.91.112.55
    • 13{Removed}.0.103.55
    • 9{Removed}.142.221.58

  • The original copy of the malware may also be deleted after execution.
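As an added example (not part of the Fortinet write-up), the observed callback URLs can be turned into a simple proxy-log check. The hostnames on this page are redacted, so the check matches on the URL path only: first against the exact observed paths, then against the pattern they all share (a dot-prefixed directory leading to a PHP endpoint). The log format and log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# URL paths observed on this page (hosts are redacted in the write-up,
# so only the path component is matched).
OBSERVED_PATHS = {
    "/arquivosold/estilo/.search/eval/en/hjoe.php",
    "/images/logo/.public/.en/gate.php",
    "/~comsgautopart/.eval/public/ssl/.en/run.php",
    "/~comsgautopart/.cache/main/.soft/edit/mode.php",
    "/partner-staging/.review/ssl/gate.php",
    "/includes/classes/.main/en/gate.php",
}

# Looser heuristic shared by every observed path: a hidden (dot-prefixed)
# directory somewhere in the path, ending in a .php script.
HIDDEN_DIR_PHP = re.compile(r"/\.[A-Za-z]+/.*\.php$")


def classify_url(url: str) -> str:
    """Return 'exact', 'heuristic' or 'clean' for one URL."""
    path = urlparse(url).path
    # %7E is the URL-encoded '~' seen in the observed URLs; normalise it.
    path = path.replace("%7E", "~").replace("%7e", "~")
    if path in OBSERVED_PATHS:
        return "exact"
    if HIDDEN_DIR_PHP.search(path):
        return "heuristic"
    return "clean"


def scan_proxy_log(lines):
    """Return (client_ip, url, verdict) for every non-clean line.
    Assumed (constructed) log format: '<client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        verdict = classify_url(parts[2])
        if verdict != "clean":
            hits.append((parts[0], parts[2], verdict))
    return hits


# Constructed sample log lines; the host name is a placeholder.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example-host.invalid/%7Ecomsgautopart/.eval/public/ssl/.en/run.php 200",
    "10.0.0.5 GET http://example-host.invalid/images/logo/.public/.en/gate.php 200",
    "10.0.0.7 GET http://example-host.invalid/shop/.hidden/x/cart.php 404",
    "10.0.0.9 GET http://example-host.invalid/index.html 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first two lines as exact matches and the third as a heuristic hit; heuristic hits warrant a look rather than an automatic block, since hidden directories serving PHP are not by themselves malicious.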



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate (Extended)
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb (Web Application Firewall)
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date        Version    Detail
2019-05-27  68.82600   Sig Updated
2019-05-03  68.25100   Sig Updated
2019-05-03  68.25000   Sig Updated
2018-11-27  64.48600   Sig Updated