W32/Agent.AB!tr

description-logoAnalysis



W32/Agent.AB!tr is a generic detection for a Cerber Ransomware. Since this is a generic detection, malware that are detected as W32/Agent.AB!tr may have varying behaviour.
Below are examples of some of these behaviours:

  • This malware drops the following files:
    • undefinedTempundefined\msi9737.tmp\dev1647.tmp : This file is detected as W32/RA_based.NFM!tr.
    • undefinedTempundefined\msi9737.tmp\64e663ca.dll : This file is detected as W32/RA_based.NFM!tr.
    • undefinedAppDataundefined\microsoft\abiword\[Random].dll : This file is detected as W32/RA_based.NFM!tr.
    • undefinedAppDataundefined\microsoft\abiword\winspool.drv : This file is detected as W32/RA_based.NFM!tr.
    • undefinedTempundefined\msi9737.tmp\dev562f.tmp : This file is detected as W32/RA_based.NCM!tr.
    • undefinedAppDataundefined\microsoft\abiword\dev562f.exe : This file is detected as W32/RA_based.NCM!tr.
    • _READ_THI$_FILE_[Random]_.txt : This file is dropped everywhere within the affected hosts and serves as the Ransom notes.
    • _READ_THI$_FILE_[Random]_.hta : This file is dropped everywhere within the affected hosts and serves as the Ransom notes.

  • The malware attempts to connect to the following sites:
    • api.blockcyph{Removed}.com

  • Some of these malwares have been observed to be corrupted or none functioning.

  • Affected files will use the file naming format [Random].9f82

  • The original copy of the malware may be deleted after execution.

  • The malware may try to inject to some host system process.

  • The malware may try to encrypt files in host computer

  • This malware may check the registry as part of its anti-virtualization or anti-debugging techniques.

  • Below are illustrations of its ransom notes:

    • Figure 1: Ransom notes.




recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-03-20 92.02624
2024-03-18 92.02564
2024-03-04 92.02143
2024-02-28 92.01997
2024-02-26 92.01932
2024-02-14 92.01572
2024-02-12 92.01512
2024-02-01 92.01176
2024-01-31 92.01152
2024-01-30 92.01122