
Trojan.Agent.TRG

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Agent.TRG
Packers: UPX!
Signature status: No Signature

Known Samples

MD5: 8012c365b540c68f42b43ed4dc08f3ac
SHA1: db1ac691bb78a9cb8a5dfc1d74c0188d0bcebf36
SHA256: 98A10C773ACEEF4EA22526F176EAC7A1593B8F84ADC4972F65D56ECA1F014200
File Size: 4.85 MB, 4851712 bytes
MD5: 393a961e5735706f3a1171dd1b70400b
SHA1: 29f03b924f4a747328311b52c27712e76fba25df
SHA256: B4793D8C33AF862862ADB516FC42D59E91C44F3C4289BCC39C7AD94B5B78787A
File Size: 3.52 MB, 3520000 bytes
MD5: 3a8d602efd8b5e67eaa4f7cabcb2a384
SHA1: e268a2fea6b5f0f334b17ef96687ca3e229224b5
SHA256: 540B8704A6B6AF446D0969FEF5F8959881E0EC2EA57C8BF34F754A9B11A603C4
File Size: 3.50 MB, 3503616 bytes
MD5: b5d9a61c4b44abe10e4bffe04b59dfaf
SHA1: 656842b9183eaed7f1d10f7fcd5fa093ed6ac15c
SHA256: 7764299681D941B444A48FAC1BA7BD737E25B2DD2A297EEBDD86FBA7B7B2ACBB
File Size: 3.69 MB, 3694080 bytes
MD5: 38bbaba639172971d249560ba87fbbe8
SHA1: 6c9dab3664b479f877852717c4362e913b55c9ad
SHA256: 71701AA5FD70A084F0E37565BD368E8856884AE9725B857C4D4A105A8A684D06
File Size: 2.35 MB, 2351104 bytes
MD5: 7e5fc5f9d8cd28a905a721d167025dc3
SHA1: f00e0dff55397e80fa812267419314198f2739fe
SHA256: 80B3CA7A20ABF7A6E30F933B73683CE95F92FDF3BA065D2663200AC299005A73
File Size: 458.75 KB, 458752 bytes
MD5: 0baa751d51f399699dedeaf5b4054ee9
SHA1: 1467dc10721b032bd1c61212cd0af17f14a16d6e
SHA256: E7A51618AD0AD0B7BF1B8F9F1D11CD04B793CB200BFB4065F3AD6B9F9ACFEB47
File Size: 5.75 MB, 5748224 bytes
MD5: 2f95da6d255ea171fe98231cfe30c420
SHA1: 5e83f0c21b44d64bd9d6459d660fa930b5374681
SHA256: 76331101E0DCB433F8C9552110C1E3337FDBF89221EC9030DD90FC72B5F1753F
File Size: 4.13 MB, 4129792 bytes
MD5: 3a7546642d1859fcb7d09ab511d6d40f
SHA1: 02084e3762f0186ec989cd386c69083a070609dd
SHA256: AF5B28525A741F998FDA8DCA3977AC2A0C30CA3CC602E23DAB95A9038A2796A9
File Size: 2.90 MB, 2896384 bytes
MD5: 1efa3d0b4f3a9c3e38de2161fee96b44
SHA1: f297a718c1c316e0f1177c8d6f5a6aa81257906f
SHA256: BB64BA65820B0F74847DF423708491C55B5D06C0480346E3534801B4248C7083
File Size: 397.82 KB, 397824 bytes
MD5: bbbae739b14591c1d8ac7c979c35d857
SHA1: 69f4cbbe06291024327a066d780548c9a4623548
SHA256: C2C37DDED595B74D439E492DC094FDEE246FB84813A43A7AEFE278BDEF89404B
File Size: 3.27 MB, 3265024 bytes
MD5: 0d2f9b2f1908087772825b8c45f9ccfe
SHA1: 2ecc222f265f60cab072363e889038861c90a78c
SHA256: 898E8245C803EAB2CB7CC3AE91E2E8F95E402E111CF3668758631CDFEC159FFD
File Size: 1.45 MB, 1447424 bytes
MD5: 67a8d19272969dbb549f2795a79779e7
SHA1: 31ead11e19834298ce199be77ea6b96c44097882
SHA256: EE10395E31417D47201DB9B388C5C18E5D25D9F317ED24290CEA97F81E253458
File Size: 1.44 MB, 1435648 bytes
MD5: b667531b1be99c69720a911bc9028c37
SHA1: 7a8be01120197755b69e5735901cab5772566ee7
SHA256: 0CE01710FD952FA491F4184E0D6DA3086F26CE96C16CE543EB106CBC77A8A891
File Size: 1.44 MB, 1435136 bytes
MD5: 1bc8b8ab11070a4c521ccc2153c3d6a5
SHA1: 9fa87326926030c6a231f555e956fc96eb81536c
SHA256: B775892B4F9F070C82D7970B999A04958FBB84BF502D829D6FC825E88C2AF2AF
File Size: 3.30 MB, 3301376 bytes
MD5: 6d0037c69cea8d28104e7efcd0344f2d
SHA1: 70fb7d19a4411411d24a288b85851689533a4f68
SHA256: 24CF7B3FE87C25DD132BAFA15EF20B3CD4DA7B85EE6B7818CAF05454CB0D8792
File Size: 721.92 KB, 721920 bytes
MD5: 7c7f9c8053a51fe611c76b61cf7056e9
SHA1: 084066aad6b791c5391d93f7f4a8f36ca5819f8b
SHA256: 2FFD25D8CCCA327212B3DF628FA758FEFC40E9D2DCF1E7BFC9A49FC83EBCB5BC
File Size: 2.87 MB, 2865152 bytes
MD5: 7414ef122559cb61558f2dda347945e7
SHA1: 974d6709295886f9ed98010803427d72b0dc7e2b
SHA256: F775006DF33C06E9DFD5CAC1FE1353EBC909385A266E0BE49747F365960CF014
File Size: 1.02 MB, 1022976 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has been packed
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • 2+ executable sections
  • dll
  • fptable
  • GetConsoleWindow
  • HighEntropy
  • imgui
  • No Version Info
  • ntdll
  • packed
  • VirtualQueryEx
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 2,703
Potentially Malicious Blocks: 307
Whitelisted Blocks: 2,396
Unknown Blocks: 0

Visual Map

x x 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x x 0 x x 0 x x 0 0 0 x x 0 0 x 0 0 0 0 x x 0 x 0 0 0 0 x 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 x 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x x x x 0 x x 0 0 1 x 0 x 0 x 0 0 0 0 x 0 1 x 0 0 0 x x x 0 0 0 0 x x 0 0 0 0 x 0 x 0 x 0 0 0 x 0 0 0 0 0 0 x x 1 0 0 0 0 x x x 0 x x 0 0 x 0 x x 0 0 0 0 0 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 x x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 x 0 x 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 x x 0 x 0 0 x 0 0 0 1 x 0 0 1 0 0 x x 0 0 0 x 0 x 0 0 0 0 0 0 x x x 0 0 0 0 0 0 x 0 0 0 0 0 x x x x 0 0 0 x 0 x 0 0 x x x 0 0 0 x x 0 x 0 0 x 0 0 0 0 x x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 x 1 x x x 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 x 0 0 x x x 0 0 1 x 0 0 0 0 x 0 0 0 0 0 0 1 0 0 x 0 x 0 x 0 0 0 x x 0 1 0 0 0 1 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 x 0 0 1 0 0 1 x 0 0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x x 0 x 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x 0 x x x 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 x 0 0 0 x x 0 x x x x x 0 x x x x 0 0 0 x 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 x 0 x x 0 0 0 x x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 x x x x x 0 0 0 0 0 x 0 x x 0 0 x x x 0 x 0 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x x 0 0 0 0 x 0 x x x x x 0 x x x 0 0 0 0 0 0 x 0 0 0 x x x x 0 0 x x x 0 0 0 0 0 x 0 0 0 x x 0 0 0 x x x 0 x x x 0 0 0 0 x 0 0 0 0 0 x x 0 0 0 0 0 0 0 x x x x x 0 x 0 x 0 x x x x 0 x 0 x 0 x x x x 0 x 0 x 0 x x x x 0 x 0 x 0 0 x x 0 x 0 0 0 x 0 0 x x 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 x x 0 0 x x x 0 0 x x x x x x x 0 x x x x x x x x 0 x x x x x x x 0 x x x x x x 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.TRG
  • ClipBanker.TI
  • Coinminer.GU
  • Gamehack.GAIG
  • Gamehack.GDDG
  • Gamehack.GDDH
  • Gamehack.GSH
  • Gamehack.GYF
  • Gamehack.JAC
  • Injector.KFSC
  • Kryptik.EFJ
  • SpyLoader.D
  • TelegramHack.A
  • TelegramHack.B
  • TelegramHack.C

Files Modified

File: Attributes
\device\namedpipe: Generic Read, Write Attributes
\device\namedpipe: Generic Write, Read Attributes
c:\windows\system32\reboot.log: Generic Write, Read Attributes

Registry Modifications

Key::Value, Data, API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe, [binary data, not recoverable from the page], RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe, [binary data, not recoverable from the page], RegNtPreCreateKey

Windows API Usage

Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAllocateReserveObject
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFindAtom
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueryWnfStateNameInformation
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletionEx
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletionEx
  • ntdll.dll!NtSetSecurityObject
  • ntdll.dll!NtSetSystemInformation
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUpdateWnfStateData
  • ntdll.dll!NtWaitForAlertByThreadId

8 additional items are not displayed above.

Keyboard Access
  • GetAsyncKeyState
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
Process Terminate
  • TerminateProcess
User Data Access
  • GetUserObjectInformation
