
Trojan.Agent.EQ

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 3,926
Threat Level: 80 % (High)
Infected Computers: 869
First Seen: July 4, 2023
Last Seen: April 10, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Agent.EQ
Signature status: No Signature

Known Samples

MD5: 24396090362b2361a02d1935ed715621
SHA1: 5449c96005a211664542f0885d69cf938382aa8b
SHA256: 146D2465B1426539F3CC4F18A0EDF232C0C9C29D8B84752445A40ACD869D0B87
File Size: 1.81 MB, 1814528 bytes

MD5: d79cae8e8484608873913fc50846e86d
SHA1: 8ddcefd7f38600857ab72d147bfdbf1515c0ad84
SHA256: D671BE4E54CCCBB8B52FBE7FE066647F7825817E54E16B3EFA18FF18E7F5289B
File Size: 6.28 MB, 6277632 bytes

MD5: d3a6ad3f61ed7e013c38c8283917f0cd
SHA1: 49ff00e3e8bf5545522e486a8adeedab0a8606fa
SHA256: 5A283D6A6B186A6D8ADDA309E0E2F2154040B40CD8B668203BC8EF2298C2BCEB
File Size: 5.44 MB, 5440000 bytes

MD5: c85e6c672286ae705f41849fbc544bbf
SHA1: 0a57403120e16691f96c36ee461c73663ddc0740
SHA256: 593EC85236C41354AFAC6CF068F33E72760B3D0954AB8070E7CCF3E472DF42F6
File Size: 2.88 MB, 2881152 bytes

MD5: 22c7378fbcb00552cb2c8442b882b80c
SHA1: 60d174167262fb1e94d82c2f05acdb9629cb4d98
SHA256: C7BEEA647B8FFD210E719FCEE85A3EA7EC73CF63FC3CA46D75093A546022ED48
File Size: 5.45 MB, 5447680 bytes

MD5: 28046c771d8ebc8ae3bf8c1fea21692e
SHA1: e2235c763df1f44afdcca64a6ba64a9e607f9f26
SHA256: 9804513F4DF3A701A62158C04A7EDE20441224474F9446D27D9FCC362B292944
File Size: 93.70 KB, 93696 bytes

MD5: 4940f4835f65e9c96f1524430705980e
SHA1: 46acae04df74c8ffb1131b612863682988722374
SHA256: D0ECDC7A9F91CD7931F0C81744365E0A2DA4993CB989374259A2F9C7C36AB4FA
File Size: 2.69 MB, 2692168 bytes

MD5: b720916c10400525e683b872b61ade0f
SHA1: 8d5d16d9e8100399c339085195504f983e6c1546
SHA256: 5BBA190B29986BCC98D7A7EE199F812D68D59B40A3EC24FBE4A7D7746E4284EA
File Size: 198.31 KB, 198312 bytes

MD5: 02ff4b3716d1709fdd73a4d0efdf82bb
SHA1: c16ed2f6191b7ac8c82a99eee52c27b4c915b360
SHA256: 0BC9007707A8EC2870052B6265F40EF4F43FED0C5C4832F4703A4A9001AEE8E2
File Size: 9.85 MB, 9852716 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name | Value(s)
Comments
  • SkinSharp GUI Toolkit
  • This installation was built with Inno Setup.
Company Name
  • 1XG第一效果-PDF工具网
  • SkinSharp Inc.
  • TCL Communication Technology Holdings Limited
File Description
  • BD2.1设备调试工具
  • Mobile Upgrade S Setup
  • One Touch Upgrade S MFC Application
  • PDF压缩器 Setup
  • SkinSharp GUI Toolkit
File Version
  • 3.3
  • 1.5.3.153
  • 1.4.8.148
  • 1.3.6
  • 1.3.4.134
  • 1, 0, 6, 6
  • 1, 0, 5, 5
Internal Name
  • BD_THREE_TOOLS.exe
  • One Touch Upgrade S
  • SkinSharp For VB6
  • SkinSharp For VC++
Legal Copyright
  • 1XG第一效果-PDF工具网
  • Copyright (C) 2006-2009 SkinSharp Inc.
  • Copyright (C) 2010
Legal Trademarks
  • SkinSharp
Original Filename
  • BD_THREE_TOOLS.exe
  • One Touch Upgrade S.EXE
  • SkinH.dll
  • SkinH_VB6.dll
Product Name
  • BD设备调试工具
  • Mobile Upgrade S
  • One Touch Upgrade S Application
  • PDF压缩器
  • SkinSharp GUI Toolkit
Product Version
  • 2017.1.4 V1.3.6
  • 3.3
  • 1.5.3.153
  • 1.4.8.148
  • 1.3.4.134
  • 1, 0, 6, 6
  • 1, 0, 5, 5

Digital Signatures

Signer | Root | Status
Wuhan Aiwen Technology Company Limtied | GlobalSign CodeSigning CA - G2 | Self Signed
Hengyida Information Technology CO.,LTD. | Hengyida Information Technology CO.,LTD. | Root Not Trusted
Di Wu | thawte Primary Root CA | Root Not Trusted

File Traits

  • 2+ executable sections
  • big overlay
  • dll
  • HighEntropy
  • packed
  • upx
  • x86

Similar Families

  • Agent.EQ
  • Agent.GV
  • Ahead.B
  • Johnnie.E
  • Kryptik.CBT
  • Marte.Z
  • PC Accelerator.H
  • Sheloader.A

Files Modified

File | Attributes
\device\namedpipe\gmdasllogger | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ci0-temp\airy pc cleaner.set | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\ci0-temp\airy pc cleaner.set | Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ci0-temp\apc.bmp | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\ci0-temp\apc.bmp | Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ci0-temp\install.bmp | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\ci0-temp\install.bmp | Synchronize,Write Attributes
c:\users\user\appdata\local\temp\gert0.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0 | Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_2926468 | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\apcsetupen.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\apcsetupen.exe | Synchronize,Write Attributes

Registry Modifications

Key::Value | Data | API Name
HKCU\software\microsoft\multimedia\drawdib::1024x768x32(bgr 0) | 31,31,31,31 | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKCU\software\microsoft\multimedia\drawdib::1920x1200x32(bgr 0) | 31,31,31,31 | RegNtPreCreateKey

Windows API Usage

Category / API
Other Suspicious
  • SetWindowsHookEx
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile

Shell Command Execution

(NULL) C:\Users\Nkcvwose\AppData\Local\Temp\RarSFX0\APCsetupen.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e2235c763df1f44afdcca64a6ba64a9e607f9f26_0000093696.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8d5d16d9e8100399c339085195504f983e6c1546_0000198312.,LiQMAxHB
