Backdoor.Agent.AIAG
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
- Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
- Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
- Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 7,542 |
|---|---|
| Threat Level: | 60 % (Medium) |
| Infected Computers: | 85 |
| First Seen: | November 28, 2023 |
| Last Seen: | February 8, 2026 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Backdoor.Agent.AIAG |
|---|---|
| Signature status: | Root Not Trusted |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.
| Signer | Root | Status |
|---|---|---|
| Fast Corporate LTD | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed |
| PC APP STORE ONLINE LTD | Sectigo Public Code Signing Root R46 | Root Not Trusted |
File Traits
- CryptUnprotectData
- HighEntropy
- No CryptProtectData
- ntdll
- VirtualQueryEx
- WriteProcessMemory
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 4,138 |
|---|---|
| Potentially Malicious Blocks: | 873 |
| Whitelisted Blocks: | 3,231 |
| Unknown Blocks: | 34 |
Visual Map
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.AIAB
- Agent.AIAG
- Stealer.JD
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Network Winhttp | |