MSIL/Agent.SCI!tr.pws

Analysis

MSIL/Agent.SCI!tr.psw is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as MSIL/Agent.SCI!tr.psw may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware, identified as the "Nemesis Project" created in.NET, is related to the Minodo backdoor.


• Malware that is detected as MSIL/Agent.SCI!tr.psw has been found to be used by threat actors to steal sensitive data, eg: credentials, cookies, bookmarks, autofill data and history.


• MSIL/Agent.SCI!tr.psw keeps an activity log, primarily in Russian. language.


• The malware gathers all of the information and adds it to a "ZIP" archive eg:"stealer_out.zip". All of the data is sent to remote attackers via a POST request.


• The malware displays the following user interface:
  

  Figure 1: Log activity in Russian language .

  
  

  Figure 2: Suspicious malware activity strings.




Figure 3: Attempts to send the POST request.



• The malware attempts to connect to the following sites:
  
  • hxxp://es-me[Removed]om[.]com


• Following are some of the near/exact IOCs/file hash associated with this detection:
  
  • MD5: d59df219b2d328e85deb4c6c3e3af66c
    Sha256: 33779bb7fc2aedbac7ec91b43a703c561d9534eec19452580a9ae54c4140164b
  • MD5: e1f0f55065a61c9f0b67e547230e54b5
    Sha256: d8ff2d9d3978e8b48cef801a94d1594c76eb3c034d97db861e83098e43fed4af
  • MD5: ec98aa5ee65db5bf6eecc3986d5aa529
    Sha256: c0f59a5db88326541c5db0cb42c35868b0ab03fcd5af3cf859b0f8dc13a32f2b
  • MD5: f8c60445b177f37ecc402a5bf946884c
    Sha256: 1bf4d6c21dcc33d0a62be40ce5c76ec8479201cd85243ec39affff3a34fb9df9
  • MD5: fe43fe8dffe2345e3ea1796d4c40be00
    Sha256: 849da2dabee2cf47cc1eaae56a4b1d4fb1a4d06bf8a2f87183e15a8f4e28817b

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.