Trojan.Agent.FD
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
- Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
- Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
- Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 80 % (High) |
|---|---|
| Infected Computers: | 154 |
| First Seen: | June 2, 2021 |
| Last Seen: | February 16, 2024 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Trojan.Agent.FD |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Assembly Version | |
| Comments | 64th Services |
| Company Name | |
| Company Short Name | nwjs.io |
| File Description | |
| File Version | |
| Internal Name | |
| Last Change | ac9418ba9c3bd7f6baaffa0b055dfe147e0f8364-refs/branch-heads/3538@{#468} |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Short Name | nwjs |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

| Signer | Root | Status |
|---|---|---|
| OpenBullet Anomaly | OpenBullet Anomaly | Hash Mismatch |
| serbianforum.org | serbianforum.org | Hash Mismatch |
File Traits
- 2+ executable sections
- Enigma
- HighEntropy
- No Version Info
- ntdll
- vmp section variant
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 6,567 |
|---|---|
| Potentially Malicious Blocks: | 307 |
| Whitelisted Blocks: | 4,400 |
| Unknown Blocks: | 1,860 |
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Agent.FD
- Agent.HJD
- Bitcoinminer.FDO
- ClipBanker.HBA
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| User Data Access | |
| Other Suspicious | |