MSWord/Agent.26CB!tr
Analysis
MSWord/Agent.26CB!tr is a specific detection for a Dropper Trojan.
Below are examples of its behaviours:
- This malware drops/downloads the following files from the remote site workgrac{Removed}.com/MoneyGramc.exe:
  - %Documents%\MoneyGramc.exe
  - %Temp%\HDAudio\HDAudio.exe
- The following registry modifications are applied:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - HDAudio = "%Temp%\HDAudio\HDAudio.exe"
- This malware was delivered as a password-protected document, as illustrated below:
  - Figure 1: Spam mail.
  - Figure 2: Infected document.
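As an added defender-side check that is not part of the Fortinet write-up, the following PowerShell function looks, for the current user, for the Run-key value and the dropped-file paths listed in the behaviours above. The registry key, value name and file locations come from the list on this page; the function name, output shape and the hashing of any file found are this example's own choices.

```powershell
# Added example (not from the Fortinet page): read-only check for the persistence
# entry and dropped files described in the behaviours list. Function name and
# output format are assumptions of this example; indicators come from the page.

function Test-HDAudioPersistence {
    [CmdletBinding()]
    param()

    $findings = @()

    # Run key and value name listed under "registry modifications".
    $runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'HDAudio'

    $runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -ne $runValues -and ($runValues.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{
            Indicator = "Run value '$valueName'"
            Location  = $runKey
            Detail    = $runValues.$valueName
        }
    }

    # Dropped-file locations from the page, with %Documents% and %Temp%
    # expanded for the current user profile.
    $documents  = [Environment]::GetFolderPath('MyDocuments')
    $candidates = @(
        (Join-Path $documents 'MoneyGramc.exe'),
        (Join-Path $env:TEMP 'HDAudio\HDAudio.exe')
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file'
                Location  = $path
                Detail    = ('{0} bytes, SHA256 {1}' -f $item.Length, $hash)
            }
        }
    }

    return $findings
}

$results = Test-HDAudioPersistence
if ($results.Count -eq 0) {
    Write-Output 'No MSWord/Agent.26CB!tr indicators found for the current user.'
} else {
    $results | Format-Table -AutoSize
}
```

The check only reads the registry and file system; it does not delete anything, so a match can be triaged (and the hash compared against the vendor's detection) before the files are quarantined as the Recommended Action section advises. Because the Run key is under HKEY_CURRENT_USER, the function must be run in the context of each user profile to be checked.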
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2019-04-09 | 67.67400 | Sig Updated |