VBA/Agent.32DC!tr.dldr

description-logoAnalysis



VBA/Agent.32DC!tr.dldr is a generic detection for a type of macro downloader trojan that downloads other malware onto the compromised computer. Since this is a generic detection, files that are detected as VBA/Agent.32DC!tr.dldr may have varying behavior.
Below are examples of some of these behavior:

  • This malware may drop any of the following file(s):
    • %AppData%\Local\Temp\{Random}.bat: This file is likely to be detected as PowerShell/Agent.C1546!tr.dldr..

  • This malware issues a powershell command line that downloads from a remote site listed below, then drops it on the hosts, usually located in %AppData%\. However, most downloading files are already removed at the time during analysis.
    • hxxp://srient{Removed}.net/lop.bin. The file is likely to be detected as W32/Mansabo.BHL!tr
    • hxxp://nl{Removed}.biz/lop.bin. The file is likely to be detected as W32/Mansabo.BHL!tr
    • hxxp://electrofluxequipment{Removed}.com/pl.bin. The file is likely to be detected as W32/Malicious_Behavior.VEX
    • hxxp://golora{Removed}.com/pl.bin. The file is likely to be detected as W32/Malicious_Behavior.VEX
    • hxxp://nrrgar{Removed}.com/saryacan.bin. The file is likely to be detected as W32/GenKryptik.CDXE!tr
    • hxxp://oasis-{Removed}.com/saryacan.bin. The file is likely to be detected as W32/GenKryptik.CDXE!tr
    • hxxp://mean{Removed}.com/bri.ri. The file is likely to be detected as W32/GenKryptik.CEHY!tr
    • hxxp://25kstart{Removed}.com/
    • hxxp://www.winandgo{Removed}.com/

  • Below are sample illustrations of infected document:

    • Figure 1: Infected Document.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-03-29 90.00912