LNK/Agent.IA!tr.dldr

description-logoAnalysis


LNK/Agent.IA!tr.dldr is a generic detection for a Office OLE embedding Exploit/Powershell Downloader. Since this is a generic detection, malware that are detected as LNK/Agent.IA!tr.dldr may have varying behaviour.
Below are examples of some of its characteristics/behaviours:

  • Using an MSOffice OLE embedding exploit, this malware intends to issue a powershell comamnd that will download from hxxp://"ni{Removed}.be/kjh765e46 which is a script afterwhich executes and downloads from the following :
    • hxxp://internet-webs{Removed}.de/O77enbdGF5
    • hxxp://ist-pr{Removed}.ru/O77enbdGF5
    • hxxp://lvps212-67-205-60.vps.webf{Removed}.co.uk/O77enbdGF5
    • hxxp://matternomat{Removed}.com/O77enbdGF5
    • hxxp://m.monteschi{Removed}.com/O77enbdGF5
    • hxxp://minascriptand{Removed}.nl/O77enbdGF5
    • hxxp://hilaryandsa{Removed}.com/O77enbdGF5
    • hxxp://verwadirep{Removed}.info/p66/O77enbdGF5

  • The downloaded file, is located at %Temp%/envbit32.exe, is currently detected as W32/Kryptik.FYKM!tr.ransom.

  • Below is an example of an infected document:

    • Figure 1: Infected Document.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-01-03 90.09320
2019-05-03 68.25000 Sig Updated
2019-05-03 68.24700 Sig Updated