Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.Agent.FDGD

Trojan.Agent.FDGD

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Agent.FDGD
Signature status: No Signature

Known Samples

MD5: bb5bd5f25cc1c859b994342d2a702612
SHA1: c4f6e8655a3846f4be959be62c64972deb54a905
SHA256: 623BEF443B83FC482CFEE52EEB9B4974225AB957229D467DB69C4E2AE82BE76B
File Size: 2.60 MB, 2600960 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name Microsoft Corporation
File Description Win32 Cabinet Self-Extractor
File Version 11.00.22000.1 (WinBuild.160101.0800)
Internal Name Wextract
Legal Copyright © Microsoft Corporation. All rights reserved.
Original Filename WEXTRACT.EXE .MUI
Product Name Internet Explorer
Product Version 11.00.22000.1

File Traits

  • CryptUnprotectData
  • Installer Version
  • x86

Files Modified

File Attributes
c:\ibinstaller_98220.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\creativecloud\acc\adobedownload\hdinstaller.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\adobe_1.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\adobe_1.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\adobe_1.exe_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\set-up.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\set-up.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\set-up.exe_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\tmp4351$.tmp Generic Write,Read Attributes,Delete
c:\users\user\appdata\local\temp\nsne851.tmp Synchronize,Write Attributes
Show More
c:\users\user\appdata\local\temp\nsne851.tmp\installer.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsne851.tmp\installer.exe_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsne851.tmp\nsisdl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsne851.tmp\nsisdl.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsne851.tmp\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsne851.tmp\setup.exe_deleted_ Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Jflawtud\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\main\featurecontrol\feature_browser_emulation::set-up.exe RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
Show More
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Network Winsock2
  • WSAStartup
Network Winsock
  • closesocket
  • connect
  • gethostbyname
  • inet_addr
  • send
  • socket

Shell Command Execution

C:\Users\Jflawtud\AppData\Local\Temp\IXP000.TMP\Adobe_1.exe
"\IBInstaller_98220.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 1878
"C:\Users\Jflawtud\AppData\Local\Temp\nsnE851.tmp\setup.exe" 991878
"C:\Users\Jflawtud\AppData\Local\Temp\nsnE851.tmp\installer.exe" /qn CAMPAIGN="1878"
C:\Users\Jflawtud\AppData\Local\Temp\IXP000.TMP\Set-up.exe

Trending

Most Viewed

Loading...