FortiSandbox – Malware detection report

Hi all

I’ll show you an example of how a report looks like.

Let’s use a file detected as trojan: https://www.virustotal.com/de/file/b7dfa88e556a1309c7cd37e055e5c3017809fde6e79eba79d6cebe7c7dfb898d/analysis/

This file was initially detected by my FortiSandbox before detection of AV and VT.

Let’s see what that file does on a XPVM:

Bildschirmfoto 2015-12-27 um 18.41.30

First you can see, that it does a loot of things on the filesystem and registry. This is a little bit difficult in the beginnings.

But this one is also interesting: hxxp://vehanmace.ru/sliva/gate.php

You can use Automater from TekDefense or VT to see results of the URL:


____________________ Results found for: vehanmace.ru/sliva/gate.php ____________________
[+] Fortinet URL Category: Malicious Websites
No results found in the Un Redirect
[+] IP from URLVoid:
[+] Blacklist from URLVoid: No results found
[+] Domain Age from URLVoid: 2015-12-14 (14 days ago)
[+] Geo Coordinates from URLVoid: 52.35 / 4.9167
[+] Country from URLVoid: (NL) Netherlands
[+] pDNS data from VirusTotal: No results found
[+] pDNS malicious URLs from VirusTotal: No results found
[+] Malc0de Date: No results found
[+] Malc0de IP: No results found
[+] Malc0de Country: No results found
[+] Malc0de ASN: No results found
[+] Malc0de ASN Name: No results found
[+] Malc0de MD5: No results found
No results found in the THIP
[+] McAfee Web Risk: High
[+] McAfee Web Category: Malicious Downloads
[+] McAfee Last Seen: 2015-12-27



To close the circle….

With FortiSandbox you know now a lot of things before AV is detecting this malicious file and it’s versions.

  • you are able to block “vehanmace.ru” on your proxy or webfilter
  • you can check logs for other files with same name
  • you can check proxy logs to see if someone is still connected to this malicious website
  • you can report to VT and/or FortiGuard Team