W32/Injector.DTAI!tr
Analysis
W32/Injector.DTAI!tr is a generic detection for a type of trojan. Since this is a generic detection, files that are detected as W32/Injector.DTAI!tr may have varying behavior.
Below are examples of some of these behaviors:
- This malware drops the following files:
  - %Temp%\[Random].bat: This file is detected as BAT/Small.NAN!tr.
  - %AppData%\microex\tall.exe: This file is a copy of the original malware itself.
  - %AppData%\java\java.exe: This file is a copy of the original malware itself.
  - %AppData%\batmanremote\batmanremote.exe: This file is a copy of the original malware itself.
  - %Temp%\batmanremote\batmanremote.exe: This file is a copy of the original malware itself.
- DNS queries to the following sites are observed:
  - hxxp://por{Removed}.mobi/main.php?dir=//Virgin%20Babes%20First%20Sex&start=1&sort=1
  - growmptry{Removed}.cf
  - immonitor123.x{Removed}.me
  - motup{Removed}.com
- The original copy of the malware may be deleted after execution.
- Some instances of this malware may have botnet capabilities.
- Some instances of this malware may apply the following registry modification(s):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    - batmanremote = %AppData%\batmanremote\batmanremote.exe
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
- The Fareit trojan has the capability to steal sensitive information and credentials from its host.
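The indicators above use the vendor's placeholders (%AppData%, %Temp%, [Random], {Removed}), so they cannot be compared to host artifacts as literal strings. The following triage helper, added here as an example and not Fortinet's own code, expands the path templates for a given user profile, compares them case-insensitively against a file listing and a Run-key export, and turns the redacted domains into label wildcards. It runs entirely on constructed sample data (the alice profile, the x7k2q.bat name, and the query hosts are invented); the AppData and Temp roots are assumptions the caller supplies, since the page does not state which profile folders the placeholders resolve to.

```python
import re

# Indicators as written on the page. "[Random]" and "{Removed}" are the page's own
# placeholders: the .bat name varies per sample, and the domains were redacted.
DROPPED_FILE_TEMPLATES = [
    r"%Temp%\[Random].bat",
    r"%AppData%\microex\tall.exe",
    r"%AppData%\java\java.exe",
    r"%AppData%\batmanremote\batmanremote.exe",
    r"%Temp%\batmanremote\batmanremote.exe",
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"batmanremote": r"%AppData%\batmanremote\batmanremote.exe"}
DNS_INDICATORS = [
    "hxxp://por{Removed}.mobi/main.php",  # URL indicator from the page, path truncated
    "growmptry{Removed}.cf",
    "immonitor123.x{Removed}.me",
    "motup{Removed}.com",
]


def template_to_regex(template, appdata, temp):
    """Expand %AppData%/%Temp% with caller-supplied roots and make [Random]
    a single-path-component wildcard. Windows paths are case-insensitive."""
    expanded = template.replace("%AppData%", appdata).replace("%Temp%", temp)
    pattern = re.escape(expanded).replace(re.escape("[Random]"), r"[^\\]+")
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def match_dropped_files(paths, appdata, temp):
    """Return (observed_path, template) pairs for paths hitting a dropped-file indicator."""
    regexes = [(t, template_to_regex(t, appdata, temp)) for t in DROPPED_FILE_TEMPLATES]
    return [(p, t) for p in paths for t, rx in regexes if rx.match(p)]


def match_run_values(run_entries, appdata, temp):
    """run_entries: {(key_path, value_name): data}, e.g. parsed from a registry export.
    Key and value names compare case-insensitively (the page itself writes
    'Currentversion'); data is matched against the expanded indicator path."""
    hits = []
    for (key, name), data in run_entries.items():
        if key.lower() != RUN_KEY.lower():
            continue
        expected = RUN_VALUES.get(name.lower())
        if expected and template_to_regex(expected, appdata, temp).match(data):
            hits.append((key, name, data))
    return hits


def indicator_to_host_regex(indicator):
    """Reduce a defanged URL or bare domain to its host, then turn {Removed} into a
    label wildcard. Because part of the name is unknown, a hit is a candidate for
    analyst review rather than a confirmed match."""
    host = re.sub(r"^hxxps?://", "", indicator).split("/")[0]
    parts = [re.escape(p) for p in host.split("{Removed}")]
    return re.compile("^" + r"[a-z0-9-]*".join(parts) + "$", re.IGNORECASE)


def match_dns_queries(queries):
    """Return (queried_host, indicator) pairs for hosts matching a redacted domain."""
    regexes = [(i, indicator_to_host_regex(i)) for i in DNS_INDICATORS]
    return [(q, i) for q in queries for i, rx in regexes if rx.match(q)]


# Constructed sample host data (invented for this example, not from a real incident).
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"   # assumed %AppData% root
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"   # assumed %Temp% root
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\batmanremote\batmanremote.exe",
    r"C:\Users\alice\AppData\Local\Temp\x7k2q.bat",
    r"C:\Users\alice\AppData\Roaming\java\readme.txt",  # benign: not java.exe
]
SAMPLE_RUN = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run", "batmanremote"):
        r"C:\Users\alice\AppData\Roaming\batmanremote\batmanremote.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"):
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}
SAMPLE_DNS = ["growmptry-cdn.cf", "www.example.com", "immonitor123.xhost.me"]


def triage(files=SAMPLE_FILES, run=SAMPLE_RUN, dns=SAMPLE_DNS,
           appdata=SAMPLE_APPDATA, temp=SAMPLE_TEMP):
    """Run all three matchers and return the hits grouped by artifact type."""
    return {
        "files": match_dropped_files(files, appdata, temp),
        "run": match_run_values(run, appdata, temp),
        "dns": match_dns_queries(dns),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(kind, hits)
```

On a real host you would feed `match_dropped_files` a directory listing of the profile's AppData and Temp folders and `match_run_values` the parsed output of a Run-key export; the DNS matcher is deliberately loose because the page redacts part of each domain, so its hits should be confirmed against the resolver logs before being treated as an infection indicator.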
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate (Extended)
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR