Threat Encyclopedia

W32/Agent.AB!tr

Analysis

W32/Agent.AB!tr is a generic detection for Cerber ransomware. Because it is a generic detection, malware detected as W32/Agent.AB!tr may show varying behaviour.
Below are examples of some of these behaviours:

  • This malware drops the following files:
    • %Temp%\msi9737.tmp\dev1647.tmp : This file is detected as W32/RA_based.NFM!tr.
    • %Temp%\msi9737.tmp\64e663ca.dll : This file is detected as W32/RA_based.NFM!tr.
    • %AppData%\microsoft\abiword\[Random].dll : This file is detected as W32/RA_based.NFM!tr.
    • %AppData%\microsoft\abiword\winspool.drv : This file is detected as W32/RA_based.NFM!tr.
    • %Temp%\msi9737.tmp\dev562f.tmp : This file is detected as W32/RA_based.NCM!tr.
    • %AppData%\microsoft\abiword\dev562f.exe : This file is detected as W32/RA_based.NCM!tr.
    • _READ_THI$_FILE_[Random]_.txt : This file is dropped throughout the affected host and serves as the ransom note.
    • _READ_THI$_FILE_[Random]_.hta : This file is dropped throughout the affected host and serves as the ransom note.

  • The malware attempts to connect to the following sites:
    • api.blockcyph{Removed}.com

  • Some of these samples have been observed to be corrupted or non-functional.

  • Encrypted files use the file naming format [Random].9f82.

  • The original copy of the malware may be deleted after execution.

  • The malware may try to inject into a host system process.

  • The malware may try to encrypt files on the host computer.

  • This malware may check the registry as part of its anti-virtualization or anti-debugging techniques.

  • Below are illustrations of its ransom notes:

    • Figure 1: Ransom notes.

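The dropped-file names, the ransom note pattern and the .9f82 extension listed above are the host-side indicators a responder would sweep for. The following is an added example (not code from the encyclopedia entry or from Fortinet) that walks a directory tree and buckets files by which indicator they match; it assumes "[Random]" is a run of alphanumerics and builds a constructed sample tree with placeholder bytes so it runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the analysis above. "[Random]" is assumed to be a run of
# alphanumerics (the page does not state its alphabet); the "$" is literal.
RANSOM_NOTE_RE = re.compile(r"^_READ_THI\$_FILE_[A-Za-z0-9]+_\.(txt|hta)$", re.I)
ENCRYPTED_EXT = ".9f82"
DROP_DIR = "microsoft/abiword"  # directory under %AppData% used for dropped components
DROP_SUFFIXES = (".dll", ".exe", ".drv")

def classify(path, root):
    """Return the indicator class a file matches, or None if nothing matched."""
    if RANSOM_NOTE_RE.match(path.name):
        return "ransom_note"
    if path.name.lower().endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    parent = path.parent.relative_to(root).as_posix().lower()
    if parent.endswith(DROP_DIR) and path.suffix.lower() in DROP_SUFFIXES:
        return "dropped_component"
    return None

def scan(root):
    """Walk root and bucket matching files by indicator class, paths sorted."""
    root = Path(root)
    findings = {"ransom_note": [], "encrypted_file": [], "dropped_component": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            kind = classify(p, root)
            if kind:
                findings[kind].append(p.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in findings.items()}

def demo():
    """Build a constructed sample tree (placeholder bytes, not real artefacts) and scan it."""
    root = Path(tempfile.mkdtemp())
    sample = [
        "Documents/a1b2c3d4e5.9f82",                       # renamed encrypted file
        "Documents/_READ_THI$_FILE_A1B2_.txt",             # ransom note
        "Documents/_READ_THI$_FILE_A1B2_.hta",             # ransom note
        "AppData/Roaming/microsoft/abiword/winspool.drv",  # dropped component
        "AppData/Roaming/microsoft/abiword/dev562f.exe",   # dropped component
        "Documents/notes.txt",                             # clean file, must not match
    ]
    for rel in sample:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"placeholder")
    return scan(root)
```

Point `scan()` at a mounted image or a user profile instead of the constructed tree to triage a real host; the matches are name-based only, so confirm each hit with the AV signatures named above.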
Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry