PowerShell/Agent.B149!tr

Analysis

PowerShell/Agent.B149!tr is a generic detection for a trojan.
Because this is a generic detection, malware detected as PowerShell/Agent.B149!tr may exhibit varying behaviour.
Below are some of its observed characteristics and behaviours:

  • This malware is related to the Cuba ransomware outbreak. Cuba ransomware utilizes legitimate Windows services, such as PowerShell, to execute a payload. Cuba ransomware is known to install Cobalt Strike beacons to exploit vulnerabilities in the host environment.

  • This malware has been associated with the following third-party article/advisory:
    • https://www.ic3.gov/Media/News/2021/211203-2.pdf
    
    The correlation was established through a near or exact database match on one of the samples/IOCs/file hashes indicated in the referenced resource.

  • This malware downloads a malicious base64-encoded PowerShell script to %Temp%. It then attempts to run the script in a hidden window, bypassing the execution policy. The downloaded script contains a further payload embedded within it.
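The launch pattern in that bullet (a script dropped under %Temp%, a hidden window, the execution policy bypassed, and base64-encoded content) is what an endpoint analyst would look for in process-creation telemetry. The following is an added triage example written for this page; it is not Fortinet code and not part of the detection itself. The event records, host paths, user name and script names are constructed, and the `-w`/`-ep`/`-enc` short forms are the documented PowerShell abbreviations of `-WindowStyle`, `-ExecutionPolicy` and `-EncodedCommand`. It decodes an encoded command (base64 over UTF-16LE) so that a script path that only appears inside the blob is still caught.

```python
"""Triage Windows process-creation records for the launch pattern this
detection describes: a PowerShell script under %Temp% run in a hidden window
with the execution policy bypassed, possibly as a base64-encoded command.
All event records below are constructed samples, not data from the page."""
import base64
import re
from typing import Optional

# Indicator patterns for powershell.exe command lines. The short forms
# (-w, -ep, -enc) are the documented abbreviations PowerShell accepts.
INDICATORS = {
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.I),
    "execution_policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I),
    "script_in_temp": re.compile(
        r"(?:%temp%|\$env:temp|\\appdata\\local\\temp|\\windows\\temp)\\?\S*\.ps1", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I),
}


def encode_powershell_command(script: str) -> str:
    """Encode the way -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> Optional[str]:
    """Reverse of the above; None if the blob is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(command_line: str) -> dict:
    """Return the indicators one command line matches plus any decoded payload.

    An encoded command is decoded and inspected again so that a payload that
    only references %Temp% inside the base64 blob is still caught."""
    hits = []
    decoded = None
    for name, pattern in INDICATORS.items():
        match = pattern.search(command_line)
        if not match:
            continue
        hits.append(name)
        if name == "encoded_command":
            decoded = decode_powershell_command(match.group(1))
            if decoded and INDICATORS["script_in_temp"].search(decoded):
                hits.append("decoded_payload_references_temp")
    return {"indicators": hits, "decoded_command": decoded}


def triage(events: list, min_indicators: int = 2) -> list:
    """Keep PowerShell launches showing at least min_indicators signals.

    Requiring two signals avoids flagging every '-ExecutionPolicy Bypass' an
    administrator types; the detection text describes the combination."""
    findings = []
    for event in events:
        image = event.get("image", "").lower()
        if not image.endswith(("powershell.exe", "pwsh.exe")):
            continue
        result = analyze_command_line(event.get("command_line", ""))
        if len(result["indicators"]) >= min_indicators:
            findings.append({"pid": event["pid"], **result})
    return findings


# Constructed sample events (hypothetical host, user and file names).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1001, "image": PS_IMAGE,
     "command_line": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                     r"-File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"pid": 1002, "image": PS_IMAGE,   # routine administration, no signal
     "command_line": 'powershell.exe -NoProfile -Command "Get-Service"'},
    {"pid": 1003, "image": PS_IMAGE,   # same pattern, script path only inside the blob
     "command_line": "powershell.exe -w hidden -ep bypass -enc "
                     + encode_powershell_command('& "$env:TEMP\\stage.ps1"')},
    {"pid": 1004, "image": r"C:\Windows\System32\cmd.exe",   # not PowerShell, ignored
     "command_line": r"cmd.exe /c dir %TEMP%\stage.ps1"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["pid"], finding["indicators"], finding["decoded_command"])
```

Run against a real process-creation feed (Sysmon event 1, EDR process telemetry) the same `triage` call works unchanged as long as each record carries an `image` and `command_line` field; the two-indicator threshold is the knob to tune, since a lone execution-policy bypass is common in legitimate administration while the combination with a hidden window or a script under %Temp% is what the detection above describes.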

  • Below are some of the sites associated with the trojan:
    • http://45.32.2[removed]mar.ps1
    • http://108.62.[removed]ent.bin

  • Following are some of the exact IOCs/file hashes associated with this detection:
    • Md5: 99c7cad7032ec5add3a21582a64bb149
      Sha256: 7f4bdf94a0e0457f41bdd1a8d8d9fc39fc383d3d0a331048828d391bbf727a1e
    • Md5: ba83831700a73661f99d38d7505b5646
      Sha256: 79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924cb7acbb3b4f53

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version    Detail
2022-05-31  90.02802
2022-03-08  90.00283
2022-02-08  89.09444
2022-02-08  89.09443