Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.Agent.KB

Trojan.Agent.KB

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 3,508
Threat Level: 80 % (High)
Infected Computers: 22,829
First Seen: October 12, 2012
Last Seen: April 15, 2026
OS(es) Affected: Windows

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
AVG Suspicion: unknown virus
Fortinet W32/Autorun.ZF!worm
ClamAV PUA.Script.Packed-3
Avast VBS:Malware-gen
NOD32 Win32/Packed.Autoit.E.Gen
McAfee Artemis!925344021104
Panda Trj/CI.A
AVG Generic29.BROV
Fortinet W32/ZAccess.VARC!tr
Ikarus Win32.SuspectCrc
AhnLab-V3 Backdoor/Win32.ZAccess
McAfee-GW-Edition Artemis!8F4882EC8769
AntiVir TR/Kazy.96011
BitDefender Gen:Variant.Kazy.96011
Kaspersky Backdoor.Win32.ZAccess.yod

SpyHunter Detects & Remove Trojan.Agent.KB

File System Details

Trojan.Agent.KB may create the following file(s):
Expand All | Collapse All
# File Name MD5 Detections
1. mcagent.exe c34d24fee552438229b10702e1d3891f 49
2. fabio1257270791l.exe 925344021104cf537b2a808e78bf297a 37
3. n. 8f4882ec8769622ba61b31222146a9f3 17

Analysis Report

General information

Family Name: Trojan.Agent.RB
Signature status: No Signature

Known Samples

MD5: 2d7c799d376ff326555484da7bc07aa8
SHA1: 7c8affb130ace89e56d8a1000f047633575d6188
SHA256: B5BEBA4C6CFB5CA870964F55EE4B35272AFF5776CD2ACC7C851D252B95461468
File Size: 349.44 KB, 349440 bytes
MD5: e61fd7c6a4a36b371dd9422674df377e
SHA1: a72bae0bb61922312d6b8eb330779f122e57b32a
SHA256: D61F8ADA3213D64A170FAC1C9BE34BA79104B89E267BCBA5CFC4652B63784B73
File Size: 739.77 KB, 739768 bytes
MD5: 1de967f52520fbe1fc675bee28a9071f
SHA1: 7dd00107adc250b2b1e023e48708a2d3b4070a8d
SHA256: 1D4A9308764109F2F96D1F7FB21A40783930EDECC10D481A7D4D2F545C752721
File Size: 2.03 MB, 2027008 bytes
MD5: cc5776cda9e04105ead8a9e5a8cf2896
SHA1: 628713c5db227a655879746d72493de70e44bbbf
SHA256: 02390D41570C776B40FA42F1EB00D91F6260E4A0227500C9A688A3183211AF6B
File Size: 1.11 MB, 1111040 bytes
MD5: 079a97434efb2a68d14c5d64607ed564
SHA1: 8802b28846754daee988f24880ec41e39e43c84c
SHA256: C8D7E566592E5AEA50C4B746844B47055027F7B7F31597324E7081D982DB3C0B
File Size: 470.02 KB, 470016 bytes
Show More
MD5: e1ec3026335b87529b722a51402a87f6
SHA1: c5684f3bf59a9753ee18ab870973bc01ae42578f
SHA256: 9EE1D8D78FD36FD0C4075FC577476FA501A905A18CEEED900728DB129AEC892B
File Size: 487.94 KB, 487936 bytes
MD5: 31ae21dc4f0defadf3cfbd6e973fe3f0
SHA1: 494c9cf90b35b4fa5cf282c4c6ba33ee4c2b45f9
SHA256: 276BF098BF7226CD4E70B5623179502412245D7E46CED74277BAA907C7A49449
File Size: 396.29 KB, 396288 bytes
MD5: 1e566419cd8ea405af60134246607958
SHA1: 180a10ba5310e4693110c7b0ded9c811d0a5bd75
SHA256: 1F9136437C408020F1D8E1E5A7D8B582B798A144C88503FB473FFA7C75505251
File Size: 360.96 KB, 360960 bytes
MD5: b4520b6b573e3e4d9b99df7c2fef7388
SHA1: 0b0873ad3ea9368f3acbe5a164663d585faf44e4
SHA256: FD3712A3544B405D13423C583FE7E3515CE4A6EAFE4BF3E9103BD693E4A65134
File Size: 2.01 MB, 2014720 bytes
MD5: 5bf136329e944406a03ac4d7b79f25b1
SHA1: 4add428d2751ed34d8caf74130ed0d2ac66e774a
SHA256: EF849D9F342308501A7EF01C61DBB5930103E7411397216C94F5CC928881EB8E
File Size: 335.87 KB, 335872 bytes
MD5: b3d8b6f4a5866eaf5d5502905af6c111
SHA1: e7a0b655d4f60d8e6d96738a380d6bae6ab23ba9
SHA256: A54F0A80E08C958C916C3A26BBA32D1AAD8F665053A2AC941E6CDF0B5DDCFC36
File Size: 585.22 KB, 585216 bytes
MD5: a681dc72d6fec1986191f96cbc4f8eb5
SHA1: dcf550ca418fb5867a06c1e912fab2d99c4ab0f3
SHA256: 37E8372F5759262D1F5395AB2D4E7001E8EBEFECCC9EDAE48F116867EE574431
File Size: 1.66 MB, 1659904 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
Show More
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version
  • 2.0.0.0
  • 1.0.0.0
Comments
  • MADARA
  • this app update L2Warland Launcher on last Version
Company Name
  • Cracking the code 4 fun!
  • Dylog Italia S.p.A.
  • Warland GameGuard
File Description
  • ActualizacionRemota
  • AhmedXSensi
  • Download_SplitPath
  • Game Launcher Updater
  • Project X
  • Roblox Lag Switch v5.5.2
  • 人人股神
File Version
  • 2.0.0.0
  • 1.0.0.0
Internal Name
  • ActualizacionRemota.exe
  • AhmedXSensi.exe
  • Download_SplitPath.exe
  • Dylog.Adelmo.exe
  • MADARA.exe
  • Roblox Lag Switch v5.5.2.exe
  • StartZeus.exe
  • 超短得力助手.exe
Legal Copyright
  • Copyright 2022
  • Copyright © 2015
  • Copyright © 2018
  • Copyright © 2025
  • Dylog Italia S.p.A.
  • 方小侠 Q: 3358387
Legal Trademarks
  • Dylog is a registered trademark
  • Warland GameGuard
Original Filename
  • ActualizacionRemota.exe
  • AhmedXSensi.exe
  • Download_SplitPath.exe
  • Dylog.Adelmo.exe
  • MADARA.exe
  • Roblox Lag Switch v5.5.2.exe
  • StartZeus.exe
  • 超短得力助手.exe
Product Name
  • ActualizacionRemota
  • AhmedXSensi
  • Download_SplitPath
  • Dylog .NET
  • Game Launcher Updater
  • Project X
  • Roblox Lag Switch v5.5.2
  • 人人股神
Product Version
  • 2.0.0.0
  • 1.0.0.0

Digital Signatures

Signer Root Status
Dylog Italia SpA DigiCert Trusted Root G4 Root Not Trusted
MADARA MADARA Self Signed

File Traits

  • HighEntropy
  • No Version Info
  • x86

Block Information

Total Blocks: 382
Potentially Malicious Blocks: 0
Whitelisted Blocks: 382
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 1 0 1 0 0 2 0 0 1 1 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1 0 0 0 0 2 0 0 0 0 0 0 0 0 0 2 0 0 1 0 0 0 1 1 0 0 0 2 0 1 0 0 0 0 1 1 0 0 1 1 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 2 3 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2 2 1 0 1 0 0 0 0 1 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\pshost.134137549411048593.6924.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
c:\users\user\appdata\local\temp\__psscriptpolicytest_xtcoshtg.ktr.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_zp5dmlhr.tsx.psm1 Generic Write,Read Attributes
c:\windows\assembly Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 샒赣ǜ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
Show More
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
Show More
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Keyboard Access
  • GetKeyState

Shell Command Execution

"powershell.exe" -c "if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) { Get-MpPreference | Select-Object ExclusionPath } else { Write-Host 'DefenderNotInstalled' }"

Trending

Most Viewed

Loading...