MSIL/Agent.SCI!tr.psw is a generic detection for a trojan.
Since this is a generic detection, malware detected as MSIL/Agent.SCI!tr.psw may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware, identified as the "Nemesis Project" and created in .NET, is related to the Minodo backdoor.

  • Malware detected as MSIL/Agent.SCI!tr.psw has been found to be used by threat actors to steal sensitive data, e.g. credentials, cookies, bookmarks, autofill data and browsing history.

  • MSIL/Agent.SCI!tr.psw keeps an activity log, written primarily in Russian.

  • The malware gathers all of the collected information and adds it to a ZIP archive, e.g. "". All of the data is then sent to remote attackers via an HTTP POST request.

  • The malware displays the following user interface (figures not reproduced here; captions only):

    • Figure 1: Log activity in Russian.

    • Figure 2: Suspicious malware activity strings.

    • Figure 3: Attempts to send the POST request.

  • The malware attempts to connect to the following sites:
    • hxxp://es-me[Removed]om[.]com

  • Following are some of the near/exact IOCs/file hash associated with this detection:

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.


Detection Availability

Web Application Firewall

Version Updates

Date Version Detail
2023-11-29 91.09265
2023-11-20 91.08976
2023-11-18 91.08927
2023-11-08 91.08616
2023-10-19 91.08006
2023-10-18 91.08003
2023-10-18 91.07987
2023-10-15 91.07887
2023-10-10 91.07737
2023-09-27 91.07351