Trojan.Agent-DF


Trojan.Agent-DF is a nasty Trojan designed to embed itself in your system and capture your personal data. Trojan.Agent-DF carries a keylogger that is capable of monitoring and logging your keystrokes as you type them on the keyboard. In addition, Trojan.Agent-DF may create a backdoor security hole through which a remote attacker may control your machine. Trojan.Agent-DF is a very serious violation of your security and privacy and may expose your personal and financial details.

File System Details

Trojan.Agent-DF may create the following file(s):
#   File Name      MD5                               Detections
1.  ttqo.dll       46f25f6194d88a5b8d1bd59a7d0d2ae5  0
2.  90fd6c14.exe   461854ea6ea5083da8a5bc0a6a649993  0

Analysis Report

General information

Family Name: Trojan.Agent.DF
Signature status: No Signature

Known Samples

MD5: c201deab002ff9fa860c5feb04ac26cb
SHA1: 662bac3d42794902ece8d1aa9d1382b1dc61e76a
SHA256: 47DBE62492F4DD4BC74D54D595B26A634642C63A5C591133878F25A73525F866
File Size: 2.29 MB, 2288915 bytes

MD5: bd7cd44383170526fbe688a708bd0f54
SHA1: 024117fd016159d3bfeb5ad03cbff4a288c116ef
SHA256: 8E6F2BEFAAB562059FF8B9EB50DAD9D6F178B6B95F9F386501E59146D5EC3D5E
File Size: 1.51 MB, 1509444 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: Kaseya
File Description: Kaseya Agent Installer
File Version:
  • 6, 1, 0, 1
  • 5.1.0.0
Internal Name: VarAgentSetup
Legal Copyright:
  • Copyright © 2001-2008 by Kaseya, All Rights Reserved
  • Copyright © 2001-2011 Kaseya International Limited. All Rights Reserved.
Legal Trademarks: Kaseya Virtual System Administrator (tm)
Original Filename: VarAgentSetup.exe
Product Name: Kaseya Agent Installer
Product Version:
  • 6, 1, 0, 0
  • 5.1.0.0

File Traits

  • big overlay
  • Installer Manifest
  • Installer Version
  • x86

Block Information

Total Blocks: 438
Potentially Malicious Blocks: 110
Whitelisted Blocks: 321
Unknown Blocks: 7

Visual Map

(Block-by-block map of the 438 analyzed blocks; the grid rendered on the original page is not reproduced here.)

Legend:
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.DF

Files Modified

File    Access Attributes
c:\program files (x86)\common files\installshield\engine\6\intel 32\ikernel.exe Synchronize,Write Attributes
c:\program files (x86)\common files\installshield\engine\6\intel 32\ikernel.exe Synchronize,Write Data
c:\program files (x86)\common files\installshield\engine\6\intel 32\temp.000 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\kaseya\mxtch954793610328347\agentmon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\drivers\kapfa.sys Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\drivers\kapfa64.sys Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\drivers\kaseyad.vxd Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\drivers\kaseyasp.dll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kagentext.dll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kasagent.log Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kaserror.log Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kasetup.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kaseyad.ini Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kaseyafw.ini Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kasfirewall.log Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kasstats.log Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kausrtsk.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\keventlog.dll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kgetelmg64.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\kprtpng.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\logparser.dll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\kaseya\mxtch954793610328347\package.xml Generic Write,Read Attributes
c:\program files (x86)\kaseya\mxtch954793610328347\sporder.dll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\ext14d3.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\ext249f.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\iec274d.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\kagentsilent.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kasetup.log Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\kaseyad.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\kaseyad.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\agentmon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\agentmon.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kagentext.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kagentext.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kapfa.sys Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kapfa.sys Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kapfa64.sys Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kapfa64.sys Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kasagent.log Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kasagent.log Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kaserror.log Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kaserror.log Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kasetup.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kasetup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kaseyad.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kaseyad.ini Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kaseyad.vxd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kaseyad.vxd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kaseyafw.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kaseyafw.ini Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kaseyasp.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kaseyasp.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kasfirewall.log Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kasfirewall.log Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kasstats.log Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kasstats.log Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kausrtsk.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kausrtsk.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\keventlog.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\keventlog.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kgetelmg64.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kgetelmg64.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\kprtpng.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\kprtpng.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\logparser.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\logparser.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\pftw1.pkg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\psapi.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\psapi.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft14d4.tmp\sporder.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft14d4.tmp\sporder.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\data1.cab Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\data1.cab Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\data1.hdr Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\data1.hdr Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\data2.cab Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\data2.cab Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\ikernel.ex_ Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\ikernel.ex_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\layout.bin Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\layout.bin Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\pftw1.pkg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\setup.bmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\setup.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\setup.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\setup.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\setup.ini Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\setup.inx Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\setup.inx Synchronize,Write Attributes
c:\users\user\appdata\local\temp\pft24af.tmp\setup.iss Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\pft24af.tmp\setup.iss Synchronize,Write Attributes
c:\users\user\appdata\local\temp\plf14c3.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\plf249e.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\system32\drivers\kapfa.sys Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\syswow64\kaseyasp.dll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value    Data    API Name
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::title Kaseya Agent RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::path C:\Program Files (x86)\Kaseya\MXTCH954793610328347 RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::provider Kaseya RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::configchangelogfile C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KasAgent.log RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::configurationfile C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KaseyaD.ini RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::errorlogfile C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KasError.log RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::firewalllogfile C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KasFirewall.log RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::firewallsettingsfile C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KaseyaFW.ini RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::netstatslogfile C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KasStats.log RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::partitionid 1 RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::newagent  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::kashmxtch954793610328347 "C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KaUsrTsk.exe" RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent::drivercontrol MXTCH954793610328347 RegNtPreCreateKey
HKLM\software\wow6432node\kaseya\agent\mxtch954793610328347::winsock2lspdll C:\WINDOWS\system32\KaseyaSP.dll RegNtPreCreateKey
HKLM\system\controlset001\control\safeboot\minimal\kamxtch954793610328347:: Service RegNtPreCreateKey
HKLM\system\controlset001\control\safeboot\network\kamxtch954793610328347:: Service RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::uninstallstring C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KASetup.exe /r /g MXTCH954793610328347 /l "%TEMP%\kasetup.log" RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::displayname Kaseya Agent RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::nomodify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::norepair  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::installlocation C:\Program Files (x86)\Kaseya\MXTCH954793610328347 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::displayversion 6.1.0.6 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::versionmajor  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::versionminor  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::installdate % RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::displayicon C:\Program Files (x86)\Kaseya\MXTCH954793610328347\KASetup.exe RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\kamxtch954793610328347::publisher Kaseya RegNtPreCreateKey

Windows API Usage

Category / API
User Data Access
  • GetComputerName
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
Service Control
  • OpenSCManager
  • OpenService

Shell Command Execution

C:\Users\Qyeejsas\AppData\Local\Temp\KAgentSilent.exe KAgentSilent.exe /s /a /PATH C:\Users\Qyeejsas\AppData\Local\Temp\KASetup.log /INSTALLDIR="C:\Program Files\ACMS\Agent"
"C:\Users\Qyeejsas\AppData\Local\Temp\pft24AF.tmp\Setup.exe" /PATH C:\Users\Qyeejsas\AppData\Local\Temp\KASetup.log /INSTALLDIR="C:\Program Files\ACMS\Agent" /SMS /s
"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
C:\Users\Vksgqcix\AppData\Local\Temp\KAgentSilent.exe KAgentSilent.exe /s /a /k /g MXTCH954793610328347 /l "C:\Users\Vksgqcix\AppData\Local\Temp\KASetup.log" /v "1"
"C:\Users\Vksgqcix\AppData\Local\Temp\pft14D4.tmp\KASetup.exe" /k /g MXTCH954793610328347 /l "C:\Users\Vksgqcix\AppData\Local\Temp\KASetup.log" /v "1" /s
