scriptbuilder.exe

FortiClient

Fortinet Inc.

The executable scriptbuilder.exe, “FortiClient Wsc Helper”, has been detected as malware by 16 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current user Run registry key under the display name ‘system32’.
Publisher:
Fortinet Inc.

Product:
FortiClient

Description:
FortiClient Wsc Helper

Version:
5.4.0.0780

MD5:
978c19783e9b33943a933c5252372ded

SHA-1:
f79a69130b5375e2d801154438bedeae8f359c9e

SHA-256:
4da0bea75e75e673d61630c17f4173e37981ef4ef68ddb7a687a8cd76a346013

Scanner detections:
16 / 68

Status:
Malware

Analysis date:
11/29/2024 4:30:54 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Gen:Variant.Zusy.227263 | -40 |
| Avira AntiVirus | TR/Dropper.MSIL.rcixt | 8.3.3.4 |
| Arcabit | Trojan.Zusy.D377BF | 1.0.0.802 |
| avast! | MSIL:GenMalicious-BJT [Trj] | 2014.9-170316 |
| AVG | Atros5 | 2018.0.2438 |
| Baidu Antivirus | Win32.Trojan.WisdomEyes.16070401.9500 | 4.0.3.17316 |
| Bitdefender | Gen:Variant.Zusy.227263 | 1.0.20.375 |
| Emsisoft Anti-Malware | Gen:Variant.Zusy.227263 | 8.17.03.16.01 |
| ESET NOD32 | MSIL/Kryptik.IPA (variant) | 11.15091 |
| F-Secure | Gen:Variant.Zusy.227263 | 11.2017-16-03_5 |
| G Data | Gen:Variant.Zusy.227263 | 17.3.A:25.11192B:25.9090 |
| K7 AntiVirus | Riskware | 13.10.5.22721 |
| Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.-1315 |
| MicroWorld eScan | Gen:Variant.Zusy.227263 | 18.0.0.225 |
| Qihoo 360 Security | HEUR/QVM03.0.0000.Malware.Gen | 1.0.0.1120 |
| Sophos | Mal/MSIL-SF | 4.98 |

File size:
750.9 KB (768,935 bytes)

Product version:
5.4.0.0780

Copyright:
2015 Fortinet Inc. All rights reserved.

Original file name:
FCWsc.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\bitslergenerator\scriptbuilder.exe

File PE Metadata
Compilation timestamp:
3/12/2017 1:58:57 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

Entry address:
0x3FDB6

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, F0, 03, 00, 0C, 00, 00, 00, B8, 3D, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Entropy:
6.5827

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
247.5 KB (253,440 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
system32

Command:
"C:\users\{user}\appdata\roaming\system32\svrhost.exe"

