BAT/Agent.EA14!tr

Analysis

BAT/Agent.EA14!tr is a detection for a trojan.
Below are some of its observed characteristics and behaviours:

  • This malware is related to the Cuba ransomware outbreak. Cuba ransomware uses legitimate Windows services, such as PowerShell, to execute its payload. Cuba ransomware is known to install Cobalt Strike beacons to exploit vulnerabilities in the host environment.

  • This malware has been associated with the following third-party article/advisory:
    https://www.ic3.gov/Media/News/2021/211203-2.pdf
    
    The correlation has been established by a near or exact database match on one of the samples/IOCs/file hashes indicated in the resource above.

  • This malware executes a file in %Temp% using rundll32.exe. It deletes itself after execution.

  • Following are the exact IOCs/file hashes associated with this detection:
    • MD5: 3fe1a3aaca999a5db936843c9bdfea14
      SHA256: e82cc49c03320a0fb6ec3512c0ca3332eb1b40070cc53a78bc80b77b4aba975c

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine or delete files that are detected, and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version    Detail
2022-03-08  90.00283
2021-12-05  89.07506