Threat Database Trojans Trojan.Agent.IFFB

Trojan.Agent.IFFB

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Agent.IFFB
Signature status: No Signature

Known Samples

MD5: ce3f7e4235c89e9cb09fbd74f44575b9
SHA1: 6bcefbafdc4346c943546400f8b0df62b787f4ad
SHA256: 24EA2A5E84F6DA537A831B83630E34540E1B5806A1AC72AA8027FC6543317C28
File Size: 9.64 MB, 9642496 bytes
MD5: 38773cb9441e7e751cedb1fec5bd2388
SHA1: d7732891f0ae01759953bbf30cb195428ee9c2f5
SHA256: 770F87BE59BD619203B0A171F44D848463A421368BFF75A878A7610D88E992D2
File Size: 7.39 MB, 7394304 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have resources
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
Show More
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name Web Analytics Network
File Description Web Analytics Data Collection Client
File Version 0.1.0
Internal Name analytics-client.exe
Legal Copyright Copyright (C) 2025 Web Analytics Network
Original Filename analytics-client.exe
Product Name Web Analytics Client
Product Version 0.1.0

File Traits

  • No Version Info
  • ntdll
  • VirtualQueryEx
  • x64

Block Information

Total Blocks: 15,730
Potentially Malicious Blocks: 2,703
Whitelisted Blocks: 12,504
Unknown Blocks: 523

Visual Map

0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 ? 0 0 0 0 0 0 ? ? 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 ? 0 x 0 x 0 0 0 0 x 0 x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? x 0 0 0 x x 0 x 0 ? 0 0 0 0 0 x x 0 ? ? ? x 0 0 0 0 0 0 0 0 0 0 x 0 0 ? ? x 0 ? 0 0 0 x 0 x 0 0 x x 0 0 ? 0 0 ? ? 0 0 0 0 0 x 0 0 0 x 0 ? 0 0 0 x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 ? 0 0 0 ? 0 0 0 ? 0 ? x ? 0 x 0 0 0 x x ? ? 0 x ? 0 ? 0 0 0 ? ? ? 0 0 0 x 0 0 ? ? 0 0 x 0 0 0 x 0 x 0 ? ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 x 0 0 0 0 ? x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 0 ? 0 0 ? 0 0 0 0 0 0 0 0 0 ? x ? 0 0 ? 0 x x 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 ? 0 0 0 0 0 ? ? 0 ? ? x x 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 0 ? 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 x 0 0 0 0 0 0 0 x x x x x 0 0 0 x 0 0 0 0 0 0 x x 0 0 x 0 0 0 0 0 x x x 0 x 0 0 0 0 0 x 0 0 x x ? x 0 x 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 x x 0 0 0 x 0 0 x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 ? x 0 0 x 0 0 0 x 1 0 0 x 0 0 x x 0 x x x x x ? x x 0 0 0 x 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 x 0 0 x x 0 0 0 0 0 x 0 0 0 0 x 0 0 x x x x 0 x 0 0 x 0 x x 0 x x x x x x x x x x x ? x x x x x x x x 0 x x 0 0 x 0 x x x x 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 x x x 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 0 x 0 0 0 x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 x 0 x x 0 x 0 0 0 0 0 0 0 0 0 0 x x 0 x 0 0 x 0 ? 0 0 0 0 0 0 x x x x x x x x x ? x x 0 x 0 x x x x 0 x x x x x x 0 x x x x 0 0 0 0 0 0 x ? 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 x x x 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 x x x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 ? 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 ? 0 0 0 0 0 0 0 0 0 0 x 0 0 ? 0 0 0 x 0 0 0 ? 0 0 0 0 0 x 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x x x 0 x 0 0 x 0 x x 0 x x x 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 x x x 0 x 0 0 ? ? x 0 ? 0 0 0 0 0 ? 0 ? ? ? 0 ? ? 0 0 ? 0 0 0 0 ? 0 0 0 ? 0 0 ? 0 ? x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 ? 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.IFFB

Files Modified

File Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\arti-cache\client-0\dir.lock Generic Write,Read Attributes
c:\users\user\appdata\local\temp\arti-cache\client-0\dir.sqlite3 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\arti-cache\client-0\dir.sqlite3-journal Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\arti-cache\client-0\state\circuit_timeouts.json Synchronize,Write Data
c:\users\user\appdata\local\temp\arti-cache\client-0\state\circuit_timeouts.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\arti-cache\client-0\state\guards.json Synchronize,Write Data
c:\users\user\appdata\local\temp\arti-cache\client-0\state\guards.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\arti-cache\client-0\state\state.lock Generic Write,Read Attributes
c:\users\user\appdata\roaming\tor-client\client.id Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\run::torc2client c:\users\user\downloads\6bcefbafdc4346c943546400f8b0df62b787f4ad_0009642496 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 鄊庙屭ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcDisconnectPort
  • ntdll.dll!NtAlpcQueryInformation
Show More
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushBuffersFile
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenPrivateNamespace
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletion
  • ntdll.dll!NtRemoveIoCompletionEx
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletion
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnlockFile
  • ntdll.dll!NtUnmapViewOfSection

9 additional items are not displayed above.

User Data Access
  • GetComputerNameEx
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
Process Terminate
  • TerminateProcess
Network Winsock2
  • WSASocket
  • WSAStartup
Network Winsock
  • bind
  • closesocket
  • connect
  • send
  • socket

Shell Command Execution

C:\WINDOWS\System32\Wbem\wmic.exe "wmic" csproduct get uuid /format:csv
C:\WINDOWS\system32\getmac.exe "getmac" /fo csv /nh

Trending

Most Viewed

Loading...