MSIL/Agent.SCI!tr.pws

Analysis

MSIL/Agent.SCI!tr.pws is a generic detection for a trojan.
Since this is a generic detection, malware detected as MSIL/Agent.SCI!tr.pws may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware, identified as the "Nemesis Project" and created in .NET, is related to the Minodo backdoor.

  • Malware detected as MSIL/Agent.SCI!tr.pws has been found to be used by threat actors to steal sensitive data, e.g. credentials, cookies, bookmarks, autofill data and browsing history.

  • MSIL/Agent.SCI!tr.pws keeps an activity log, written primarily in Russian.

  • The malware gathers all of the collected information and adds it to a ZIP archive, e.g. "stealer_out.zip". All of the data is sent to remote attackers via an HTTP POST request.

  • The malware displays the following user interface (screenshots not reproduced here):
    • Figure 1: Log activity in Russian.
    • Figure 2: Suspicious malware activity strings.
    • Figure 3: Attempts to send the POST request.

  • The malware attempts to connect to the following sites:
    • hxxp://es-me[Removed]om[.]com

  • The following file hashes are IOCs associated with this detection (exact or near matches):
    • MD5: d59df219b2d328e85deb4c6c3e3af66c
      Sha256: 33779bb7fc2aedbac7ec91b43a703c561d9534eec19452580a9ae54c4140164b
    • MD5: e1f0f55065a61c9f0b67e547230e54b5
      Sha256: d8ff2d9d3978e8b48cef801a94d1594c76eb3c034d97db861e83098e43fed4af
    • MD5: ec98aa5ee65db5bf6eecc3986d5aa529
      Sha256: c0f59a5db88326541c5db0cb42c35868b0ab03fcd5af3cf859b0f8dc13a32f2b
    • MD5: f8c60445b177f37ecc402a5bf946884c
      Sha256: 1bf4d6c21dcc33d0a62be40ce5c76ec8479201cd85243ec39affff3a34fb9df9
    • MD5: fe43fe8dffe2345e3ea1796d4c40be00
      Sha256: 849da2dabee2cf47cc1eaae56a4b1d4fb1a4d06bf8a2f87183e15a8f4e28817b
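The IOC hashes above are most useful when they can be matched against files on a suspect host. The following Python script is an added example, not part of this Fortinet entry and not Fortinet code: it hashes every file under a directory and reports files whose MD5/SHA256 match one of the listed IOC pairs, distinguishing an exact pair match from a partial (single-hash) match. It also flags the archive name "stealer_out.zip" mentioned above as a weak, name-only indicator. The directory path and the sample files written by `demo_scan()` are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# IOC pairs taken from the detection entry above: MD5 -> SHA256.
IOC_HASHES = {
    "d59df219b2d328e85deb4c6c3e3af66c": "33779bb7fc2aedbac7ec91b43a703c561d9534eec19452580a9ae54c4140164b",
    "e1f0f55065a61c9f0b67e547230e54b5": "d8ff2d9d3978e8b48cef801a94d1594c76eb3c034d97db861e83098e43fed4af",
    "ec98aa5ee65db5bf6eecc3986d5aa529": "c0f59a5db88326541c5db0cb42c35868b0ab03fcd5af3cf859b0f8dc13a32f2b",
    "f8c60445b177f37ecc402a5bf946884c": "1bf4d6c21dcc33d0a62be40ce5c76ec8479201cd85243ec39affff3a34fb9df9",
    "fe43fe8dffe2345e3ea1796d4c40be00": "849da2dabee2cf47cc1eaae56a4b1d4fb1a4d06bf8a2f87183e15a8f4e28817b",
}
IOC_MD5 = set(IOC_HASHES)
IOC_SHA256 = set(IOC_HASHES.values())

# Name-only indicator from the entry: the archive the stealer builds before exfiltration.
# A name match alone is weak evidence and is reported separately from hash matches.
NAME_INDICATORS = {"stealer_out.zip"}


def hash_file(path):
    """Return (md5_hex, sha256_hex) of a file, streamed in 64 KiB chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify(md5_hex, sha256_hex, name=""):
    """Verdict for one file: 'exact' (both hashes form a listed pair), 'partial'
    (only one hash is listed), 'name' (archive name only), or None."""
    md5_hex = md5_hex.lower()
    sha256_hex = sha256_hex.lower()
    if IOC_HASHES.get(md5_hex) == sha256_hex:
        return "exact"
    if md5_hex in IOC_MD5 or sha256_hex in IOC_SHA256:
        return "partial"
    if name.lower() in NAME_INDICATORS:
        return "name"
    return None


def scan_directory(root):
    """Walk `root` recursively and return [(path, verdict, sha256)] for every hit."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            md5_hex, sha256_hex = hash_file(path)
        except OSError:
            # Unreadable file (permissions, transient lock): skip rather than abort the sweep.
            continue
        verdict = classify(md5_hex, sha256_hex, path.name)
        if verdict is not None:
            hits.append((str(path), verdict, sha256_hex))
    return hits


def demo_scan():
    """Constructed demo: a benign file and an empty file carrying the suspicious
    archive name, scanned in a temporary directory. Returns the list of verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"nothing to see here\n")
        (root / "sub").mkdir()
        (root / "sub" / "stealer_out.zip").write_bytes(b"")
        return [verdict for _, verdict, _ in scan_directory(root)]


if __name__ == "__main__":
    for path, verdict, sha256_hex in scan_directory("."):
        print(f"{verdict:8} {sha256_hex}  {path}")
```

Run it from the directory to sweep (or call `scan_directory()` with a path); an "exact" verdict means both hashes match a listed sample, "partial" means a hash collision with one column of the table and is worth a second look, and "name" only means a file carries the archive name the stealer is known to use.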

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine or delete files that are detected, and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-11-29 91.09265
2023-11-20 91.08976
2023-11-18 91.08927
2023-11-08 91.08616
2023-10-19 91.08006
2023-10-18 91.08003
2023-10-18 91.07987
2023-10-15 91.07887
2023-10-10 91.07737
2023-09-27 91.07351