BAT/Agent.352B!tr
Analysis
BAT/Agent.352B!tr is a detection for a trojan component dropped by W32/GenKryptik.AQBK!tr. The likely purpose of this batch script is to remove traces of the malware's activity from the affected host. It does so as follows:
- It deletes the registry key:
  - HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
- It resets the registry key:
  - HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
- It deletes the file:
  - %UserProfile%\Documents\Default.rdp
- After this, the malware attempts to clear the current user's event logs using wevtutil.exe.
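The following PowerShell triage script is an added example, not code from the Fortinet entry or from the malware itself; it checks an affected host for the artefacts listed above. It assumes the standard Windows "log cleared" records (Security event ID 1102 and System event ID 104), an elevated session for reading the Security log, and, optionally, Sysmon writing process-creation events (ID 1) to its usual Microsoft-Windows-Sysmon/Operational channel.

```powershell
# Added example (not from the Fortinet entry): triage checks for the artefacts
# that BAT/Agent.352B!tr touches. Run in an elevated PowerShell session.
$tscBase  = 'HKCU:\Software\Microsoft\Terminal Server Client'
$since    = (Get-Date).AddDays(-7)   # assumption: look back one week
$findings = @()

# 1. RDP MRU key removed? A user who has ever used mstsc normally has it.
if (-not (Test-Path "$tscBase\Default")) {
    $findings += "Missing key: $tscBase\Default (RDP MRU list wiped?)"
}
# 2. Servers key present but emptied (the "reset" described above)?
if ((Test-Path "$tscBase\Servers") -and
    -not (Get-ChildItem "$tscBase\Servers" -ErrorAction SilentlyContinue)) {
    $findings += "Empty key: $tscBase\Servers (RDP server history reset?)"
}
# 3. Cached RDP connection file deleted?
$rdp = Join-Path $env:UserProfile 'Documents\Default.rdp'
if (-not (Test-Path $rdp)) { $findings += "Missing file: $rdp" }

# 4. Event logs cleared? Windows writes these records as the first entry of the
#    freshly emptied log, so they survive the clearing itself.
$cleared = foreach ($spec in @(@{ LogName = 'Security'; Id = 1102 },
                               @{ LogName = 'System';   Id = 104  })) {
    $spec.StartTime = $since
    Get-WinEvent -FilterHashtable $spec -ErrorAction SilentlyContinue
}
foreach ($e in $cleared) {
    $findings += ('Log cleared: {0} at {1} (Id {2})' -f $e.LogName, $e.TimeCreated, $e.Id)
}

# 5. If Sysmon is installed, look for wevtutil.exe launched with the clear-log verb.
$sysmon = 'Microsoft-Windows-Sysmon/Operational'   # assumption: default channel name
if (Get-WinEvent -ListLog $sysmon -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $sysmon; Id = 1; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'wevtutil(\.exe)?\s+cl\b' } |
        ForEach-Object { $findings += "Sysmon: wevtutil log clear at $($_.TimeCreated)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'No artefacts of BAT/Agent.352B!tr found on this host.' }
```

A missing Default.rdp or MRU key alone is weak evidence on a host where RDP was never used; the log-cleared events are the strongest indicator and should be correlated with the dropper detection (W32/GenKryptik.AQBK!tr).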
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection Availability |
---|---|
FortiGate | Extreme |
FortiClient | Extended |
FortiMail | Extended |
FortiSandbox | Extended |
FortiWeb | Extended |
Web Application Firewall | Extended |
FortiIsolator | Extended |
FortiDeceptor | Extended |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2020-08-04 | 79.38400 | Sig Updated |