VirusBAT/Agent.352B!tr
Analysis
BAT/Agent.352B!tr is a detection for a trojan component dropped by W32/GenKryptik.AQBK!tr. This batch script's possible purpose is to clear out the malware's trace of events from the current affected hosts. It performs this by doing the following:
- It deletes the registry:
- HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
- It resets the registry:
- HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
- It deletes the file:
- undefinedUserProfileundefined\Documents\Default.rdp
- After this, the malware attempts to clear out the current user's event logs using wevtutil.exe.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2020-08-04 | 79.38400 | Sig Updated |