Backdoor.MSIL.AgentTesla.LQ

By CagedTech in Backdoors

Analysis Report

General information

Family Name: Backdoor.MSIL.AgentTesla.LQ
Signature status: No Signature

Known Samples

Sample 1
  MD5: 364db06cfa5fe896d0bb9f382f0c53cb
  SHA1: e4a6c9b1f3756b88a3c983fb0863d83cf5749d76
  File Size: 2.62 MB, 2617856 bytes

Sample 2
  MD5: a2817ee1fbedc611673ea7940a0a7430
  SHA1: a6890a179d35b1e62532d4258298f0d127effcbf
  File Size: 838.14 KB, 838144 bytes

Sample 3
  MD5: bf484490066b15c8364b4920167ae305
  SHA1: f947c8448fd22157e0e9f0525458e42b9f6d4a6b
  SHA256: 4A90FA64CBA5B0302A77896713598314D920D46019B6FE0634257EE6E6F101C3
  File Size: 372.74 KB, 372736 bytes

Sample 4
  MD5: 1d9efbf5c60af815035913543a425d52
  SHA1: 29b2196314b13f6b846fc98b58f90a40c1191991
  SHA256: 56EE593F5A874A019500E4102D7F958FC8244A07365B86C4871C007E322155FD
  File Size: 554.82 KB, 554816 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Assembly Version: 1.0.0.0
File Description:
  • Handler
  • Meaning
File Version: 1.0.0.0
Internal Name:
  • Handler.exe
  • Meaning.exe
Legal Copyright: Copyright © 2025
Original Filename:
  • Handler.exe
  • Meaning.exe
Product Name:
  • Handler
  • Meaning
Product Version: 1.0.0.0

Digital Signatures

Signer: Microsoft Corporation
Root: Microsoft Code Signing PCA 2010
Status: Hash Mismatch

Signer: Microsoft Corporation
Root: Microsoft Code Signing PCA 2011
Status: Hash Mismatch

A "Hash Mismatch" status means the Authenticode digest embedded in the signature does not match the file's actual contents, so the Microsoft signature does not validate for these samples.

File Traits

  • .NET
  • GenKrypt
  • HighEntropy
  • No Version Info
  • Reactor
  • RijndaelManaged
  • x86

Block Information

Total Blocks: 501
Potentially Malicious Blocks: 9
Whitelisted Blocks: 268
Unknown Blocks: 224

Visual Map

[Per-block visual map of the 501 analysed blocks omitted. Legend: 0 = probable safe block, ? = unknown block, x = potentially malicious block.]

Similar Families

  • MSIL.AgentTesla.LQ
  • MSIL.Bulz.KA
  • MSIL.Downloader.PFA
  • MSIL.Krypt.EDCRA
  • MSIL.Krypt.EDCRC
  • MSIL.Krypt.MJK
  • MSIL.Mardom.AJ
  • MSIL.Mardom.JA
  • MSIL.Mardom.JG
  • MSIL.Stealer.LK

Files Modified

File: c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\fee33ce020c970ea56929081c2d05808
Attributes: Generic Read, Write Data, Write Attributes, Write extended, Append data

File: c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\fee33ce020c970ea56929081c2d05808
Attributes: Generic Read, Write Data, Write Attributes, Write extended, Append data

Registry Modifications

Key::Value: HKCU\software\microsoft\systemcertificates\ca\certificates\be68d0adaa2345b48e507320b695d386080e5b25::blob
API Name: RegNtPreCreateKey

Windows API Usage

User Data Access:
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Anti Debug:
  • NtQuerySystemInformation
Process Terminate:
  • TerminateProcess
Network Winsock:
  • socket
Encryption Used:
  • BCryptOpenAlgorithmProvider
