W32/Agent.GOL!tr.dldr

Analysis

  • Drops one of the following drivers, depending on the OS version:
    • %SYSTEM%\drivers\netdtect.sys
    • %SYSTEM%\drivers\ip6fw.sys
    • %SYSTEM%\drivers\secdrv.sys
    These files are all detected by Fortinet as W32/Pushu.A!tr.rkit.
  • Drops and loads the driver %SYSTEM%\drivers\runtime.sys, then registers it as a service named runtime by adding the following registry entry:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\runtime
    • value: ImagePath
    • data: %SYSTEM%\drivers\runtime.sys
    This driver is used to hide processes whose process ID is passed to it by the other component.
  • Attempts to inject malicious code into Internet Explorer. The injected code downloads the file [Random Digits].exe into the Temporary folder and then executes it. The Internet Explorer process is hidden by calling the runtime.sys driver.
  • Deletes the dropped driver file %SYSTEM%\drivers\runtime.sys.
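
The following host triage script is an added example for the artefacts listed in the Analysis; it is not part of Fortinet's analysis or tooling. It assumes that %SYSTEM% denotes the System32 directory, that the "Temporary folder" is the user's %TEMP%, and that it is run from an elevated PowerShell prompt. Everything it checks for comes from the list above; no additional indicators are assumed.

```powershell
# Added example: host triage for the W32/Agent.GOL!tr.dldr artefacts described above.
# Assumptions: %SYSTEM% = System32, "Temporary folder" = the user's %TEMP%, run elevated.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$names     = @('netdtect.sys', 'ip6fw.sys', 'secdrv.sys', 'runtime.sys')

# 1. Service registration left by the dropper. The dropper deletes runtime.sys
#    afterwards, so the key may already be cleaned up on a fully executed host.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\runtime'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    Write-Host "[!] Service key present: $svcKey"
    Write-Host "    ImagePath=$($svc.ImagePath) Start=$($svc.Start) Type=$($svc.Type)"
} else {
    Write-Host "[+] No 'runtime' service key"
}

# 2. Dropped driver files. ip6fw.sys (Windows XP IPv6 firewall) and secdrv.sys
#    (SafeDisc) are also legitimate file names on older Windows, so report the
#    Authenticode status and hash instead of treating mere presence as a verdict.
foreach ($n in $names) {
    $path = Join-Path $driverDir $n
    if (-not (Test-Path $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $tag  = if ($sig.Status -eq 'Valid') { '[?]' } else { '[!]' }
    Write-Host "$tag $path status=$($sig.Status) signer=$($sig.SignerCertificate.Subject) sha256=$hash"
}

# 3. Any driver object with one of those names, whether running or merely registered.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($names -contains (Split-Path -Path $_.PathName -Leaf)) } |
    ForEach-Object { Write-Host "[!] Driver object: $($_.Name) state=$($_.State) path=$($_.PathName)" }

# 4. Payload downloaded by the injected Internet Explorer: an all-digit .exe name in %TEMP%.
Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^\d+$' } |
    ForEach-Object { Write-Host "[!] Candidate payload: $($_.FullName) bytes=$($_.Length) written=$($_.LastWriteTime)" }

# 5. Internet Explorer processes. runtime.sys hides the injected one by PID, so an
#    empty list here is not proof of absence.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "[i] iexplore.exe PID=$($_.Id) started=$($_.StartTime)" }
```

A driver file flagged `[?]` carries a valid Microsoft or vendor signature and is most likely the legitimate file that shares the name; an unsigned or invalidly signed copy, or a `runtime` service key pointing at a missing runtime.sys, is the pattern to escalate. Because the rootkit component hides processes from the live system, a process listing taken on the host should be confirmed against an offline disk image or a sandbox detonation of the sample rather than trusted on its own.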
Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

    Detection Availability

    FortiGate
    FortiClient
    FortiAPS
    FortiAPU
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date Version Detail
    2023-01-17 90.09734
    2023-01-16 90.09713
    2023-01-10 90.09530
    2022-12-15 90.08762
    2022-12-15 90.08746
    2022-12-12 90.08666
    2022-12-05 90.08460