PowerShell/Agent.B149!tr
Analysis
PowerShell/Agent.B149!tr is a generic detection for a trojan.
Because this is a generic detection, malware detected as PowerShell/Agent.B149!tr may vary in behaviour.
Below are some of its observed characteristics and behaviours:
- This malware is related to the Cuba ransomware outbreak. Cuba ransomware abuses legitimate Windows utilities, such as PowerShell, to execute a payload. Cuba ransomware is known to install Cobalt Strike beacons to exploit vulnerabilities in the host environment.
- This malware has been associated with the following third-party article/advisory:
https://www.ic3.gov/Media/News/2021/211203-2.pdf
The correlation was established by a near or exact database match on one of the sample/IOC/file hashes listed in the mentioned resource.
- http://45.32.2[removed]mar.ps1
- http://108.62.[removed]ent.bin
- Md5: 99c7cad7032ec5add3a21582a64bb149
  Sha256: 7f4bdf94a0e0457f41bdd1a8d8d9fc39fc383d3d0a331048828d391bbf727a1e
- Md5: ba83831700a73661f99d38d7505b5646
  Sha256: 79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924cb7acbb3b4f53
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR