W32/Agent.AB!tr
Analysis
W32/Agent.AB!tr is a generic detection for the Cerber ransomware. Because this is a generic detection, malware detected as W32/Agent.AB!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:
- This malware drops the following files:
  - %Temp%\msi9737.tmp\dev1647.tmp : This file is detected as W32/RA_based.NFM!tr.
  - %Temp%\msi9737.tmp\64e663ca.dll : This file is detected as W32/RA_based.NFM!tr.
  - %AppData%\microsoft\abiword\[Random].dll : This file is detected as W32/RA_based.NFM!tr.
  - %AppData%\microsoft\abiword\winspool.drv : This file is detected as W32/RA_based.NFM!tr.
  - %Temp%\msi9737.tmp\dev562f.tmp : This file is detected as W32/RA_based.NCM!tr.
  - %AppData%\microsoft\abiword\dev562f.exe : This file is detected as W32/RA_based.NCM!tr.
  - _READ_THI$_FILE_[Random]_.txt : This file is dropped throughout the affected host and serves as the ransom note.
  - _READ_THI$_FILE_[Random]_.hta : This file is dropped throughout the affected host and serves as the ransom note.
- The malware attempts to connect to the following site:
  - api.blockcyph{Removed}.com
- Some samples of this malware have been observed to be corrupted or non-functioning.
- Affected (encrypted) files are renamed using the naming format [Random].9f82.
- The original copy of the malware may be deleted after execution.
- The malware may try to inject into a host system process.
- The malware may try to encrypt files on the host computer.
- This malware may check the registry as part of its anti-virtualization or anti-debugging techniques.
- Below are illustrations of its ransom notes:

Figure 1: Ransom notes.
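A host-side triage check built from the indicators listed above (an added example, not Fortinet's code): it walks a directory tree and flags files renamed to the .9f82 extension, ransom notes matching the _READ_THI$_FILE_[Random]_ pattern, and the dropped components under the msi9737.tmp and microsoft\abiword folders. Because %Temp% and %AppData% resolve differently on every host, the dropped components are matched by path suffix, and the sample tree the script builds is constructed purely for the demonstration.

```python
from __future__ import annotations
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the W32/Agent.AB!tr entry above.
ENCRYPTED_EXT = ".9f82"  # affected files are renamed to [Random].9f82
RANSOM_NOTE_RE = re.compile(r"^_READ_THI\$_FILE_.+_\.(txt|hta)$", re.IGNORECASE)
# Dropped components, keyed by lower-cased path suffix (parent dir(s) + file name).
DROPPED_COMPONENTS = {
    ("msi9737.tmp", "dev1647.tmp"): "W32/RA_based.NFM!tr",
    ("msi9737.tmp", "64e663ca.dll"): "W32/RA_based.NFM!tr",
    ("msi9737.tmp", "dev562f.tmp"): "W32/RA_based.NCM!tr",
    ("microsoft", "abiword", "winspool.drv"): "W32/RA_based.NFM!tr",
    ("microsoft", "abiword", "dev562f.exe"): "W32/RA_based.NCM!tr",
}

def classify(path: Path) -> tuple[str, str] | None:
    """Return (category, detail) when the path matches an indicator, else None."""
    parts = [p.lower() for p in path.parts]
    name = parts[-1]
    if name.endswith(ENCRYPTED_EXT):
        return ("encrypted_file", name)
    if RANSOM_NOTE_RE.match(path.name):  # the '$' in the note name is escaped above
        return ("ransom_note", path.name)
    for suffix, detection in DROPPED_COMPONENTS.items():
        if tuple(parts[-len(suffix):]) == suffix:
            return ("dropped_component", detection)
    # [Random].dll under microsoft\abiword: any DLL in that folder is suspicious here
    if parts[-3:-1] == ["microsoft", "abiword"] and name.endswith(".dll"):
        return ("dropped_component", "W32/RA_based.NFM!tr ([Random].dll)")
    return None

def scan(root: Path) -> dict[str, list[str]]:
    """Walk root and bucket every matching file by indicator category."""
    findings: dict[str, list[str]] = {"encrypted_file": [], "ransom_note": [], "dropped_component": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            hit = classify(p)
            if hit:
                findings[hit[0]].append(f"{p.relative_to(root)} -> {hit[1]}")
    return findings

def build_sample_tree() -> Path:
    """Create a constructed (fake) user profile with one clean file and several indicators."""
    root = Path(tempfile.mkdtemp(prefix="cerber_triage_"))
    for rel in ["Documents/report.docx", "Documents/k3jd8s.9f82",
                "Documents/_READ_THI$_FILE_X7Q2_.txt", "Documents/_READ_THI$_FILE_X7Q2_.hta",
                "AppData/Roaming/microsoft/abiword/winspool.drv",
                "AppData/Roaming/microsoft/abiword/a1b2c3.dll",
                "AppData/Local/Temp/msi9737.tmp/dev562f.tmp"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"constructed sample content")
    return root
```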
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR