Virus

VBA/Agent.BE50!tr.dldr

Analysis


VBA/Agent.BE50!tr.dldr is a generic detection for a type of macro downloader trojan that downloads the Locky ransomware onto the compromised computer. Since this is a generic detection, files that are detected as VBA/Agent.BE50!tr.dldr may have varying behavior.
Below are some examples of this behavior:

  • It downloads the Locky ransomware as the following file:
  • It adds the ".lukitus" extension to encrypted files.
  • It attempts to connect to the following URLs:
    • hxxp://lost{Removed}.top/admin.php?f=1.dat
    • hxxp://tsiv{Removed}.com.vn/system/logs/.../1
    • hxxp://long{Removed}.com.vn/image/flags/.../1
  • Below is an example of its ransom notes and infected document:

    • Figure 1: Infected document.


    • Figure 2: Ransom notes.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.