Trojan.Downloader-Agent
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Metric | Value |
|---|---|
| Popularity Rank: | 8,840 |
| Threat Level: | 90 % (High) |
| Infected Computers: | 3,552 |
| First Seen: | July 24, 2009 |
| Last Seen: | April 12, 2026 |
| OS(es) Affected: | Windows |
Aliases
15 security vendors flagged this file as malicious.
| Antivirus Vendor | Detection |
|---|---|
| TrendMicro | TROJ_AGENT.UDE |
| Symantec | Packed.Generic.187 |
| Sunbelt | Trojan-Downloader.Drv32 |
| Sophos | Troj/Dloadr-BWK |
| Prevx1 | High Risk Cloaked Malware |
| Panda | Adware/VirusRemover2008 |
| NOD32 | Win32/TrojanClicker.Agent.NEB |
| Microsoft | TrojanDownloader:Win32/Obvod.B |
| McAfee-GW-Edition | Trojan.Clicker.EQ |
| McAfee | Generic Downloader.z |
| Kaspersky | Trojan-Downloader.Win32.Agent.ajtr |
| K7AntiVirus | Trojan-Downloader.Win32.Agent |
| Ikarus | Trojan-Dropper.Agent |
| Fortinet | PossibleThreat |
| F-Secure | Trojan-Downloader:W32/Agent.HUQ |
File System Details
Detections: the number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| # | File Name | MD5 | Detections |
|---|---|---|---|
| 1. | project675.exe | a28b6cda3ffebe14ddc143726883a63b | 8 |
| 2. | FunSpace.Update.Process.exe | 68df2dd194db756ccf7ddf4e30c61e51 | 1 |
| 3. | U3L35MEA.exe | c2b64b4de7a7a337d50e9f332b276a0c | 0 |
| 4. | ieaux.dll | d3dd4da48a70a021da92663b7d15cf66 | 0 |
| 5. | install_conga[1].exe | 4338ea1110896eed2d5355f6ec3bf977 | 0 |
| 6. | maindll.dll | 6fd7896ae616a0ae52dd84c678944619 | 0 |
| 7. | xd1_v115_241[1].exe | 866a09db37cc2beec90053d033a9169f | 0 |
| 8. | ins21.exe, insD.exe, shopper[1].exe | d8f943de4c76dac5fda7877d4ec04b94 | 0 |
| 9. | ins13.exe, ins27.exe, ins30.exe, ins37.exe, ins6.exe | 88b401bb0ba7139e30ca28ae2568d1d6 | 0 |
| 10. | PuzzleDesktop.exe | 9d9078307280a6945bef24a28d14b239 | 0 |
| 11. | tmps.exe | 9ad1bd3dfd3f2d31a2d6c388580b2af0 | 0 |
Analysis Report
General information
| Family Name: | Trojan.Agent |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is .NET application
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Assembly Version | |
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | KetcauSoft |
| Original Filename | |
| Private Build | 01.00.00.00 |
| Product Name | |
| Product Version | |
| Version | 1.11W |
| W D Version | 27.0 |
File Traits
- .NET
- 00 section
- 2+ executable sections
- Agile.net
- big overlay
- CAB (In Overlay)
- Confuser
- Fody
- GenKrypt
- HighEntropy
- Inno
- InnoSetup Installer
- Installer Manifest
- Installer Version
- NewLateBinding
- No Version Info
- ntdll
- Reactor
- Reflective
- RijndaelManaged
- VirtualQueryEx
- Wix
- WixToolset Installer
- WriteProcessMemory
- x64
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Block Type | Count |
|---|---|
| Total Blocks: | 416 |
| Potentially Malicious Blocks: | 0 |
| Whitelisted Blocks: | 414 |
| Unknown Blocks: | 2 |
Visual Map
(Block map image not included in this extract. Legend: ? = Unknown Block, x = Potentially Malicious Block.)
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Emotet.CDD
- Injector.AK
- Lumma.GFD
- MSIL.Agent.GDE
- MSIL.Agent.OAAR
- MSIL.BadJoke.XF
- MSIL.BlackGuardStealer.A
- MSIL.Brute.BGF
- MSIL.Brute.GFA
- MSIL.DllInject.LE
- MSIL.Filecoder.GG
- MSIL.Gamehack.JS
- MSIL.Heracles.IP
- MSIL.Injector.FSA
- MSIL.Tedy.F
- MSIL.Tedy.NN
- Remcos.AI
- Rugmi.IA
- Sheloader.A
- Sheloader.C
- Stealer.KF
- Zenpak.C
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe\dav rpc service | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \device\namedpipe\srvsvc | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \device\namedpipe\wkssvc | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_256.db | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\972ae312b9b3458a8bb8df383a9fb2b1\webview2loader.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\a634fbb351864c07b1d9d3e2e2924438\webview2loader.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-gde6n.tmp\cd526ab1a8cac6534a246050d8dd777b01a88e44_0006159650.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-lroid.tmp\_isetup\_setup64.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\temp0.jar | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\temp1.jar | Generic Write,Read Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots | | RegNtPreCreateKey |
| HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex | | RegNtPreCreateKey |
| HKCU\local settings\software\microsoft\windows\shell\bagmru\2::mrulistex | | RegNtPreCreateKey |
| HKCU\local settings\software\microsoft\windows\shell\bags\94\shell::sniffedfoldertype | Downloads | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.200.31.10#amas::_labelfromdesktopini | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKCU\software\pc soft\windev\27.0\appli\36b07cc3f35c7250bfe20502a5825c16f399d30f_0009639936::last_framework | 270103j | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4 *1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352 *1\??\C:\P | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52 *1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62 *1\??\C:\P | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix | Cookie: | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix | Visited: | RegNtPreCreateKey |
| HKCU\software\microsoft\edge\blbeacon::failed_count | | RegNtPreCreateKey |
| HKCU\software\microsoft\edge\blbeacon::state | | RegNtPreCreateKey |
| HKCU\software\microsoft\edge\thirdparty::statuscodes | (NULL) | RegNtPreCreateKey |
| HKCU\software\microsoft\edge\thirdparty::statuscodes | | RegNtPreCreateKey |
| HKCU\software\microsoft\edge\elfbeacon::version | 143.0.3650.96 | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
(Individual API names were not included in this extract; only the categories are listed.)
| Category | API |
|---|---|
| User Data Access | |
| Syscall Use | |
| Other Suspicious | |
| Anti Debug | |
| Network Winsock2 | |
| Network Winsock | |
| Encryption Used | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Keyboard Access | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- "C:\Users\Nztewlcq\AppData\Local\Temp\is-GDE6N.tmp\cd526ab1a8cac6534a246050d8dd777b01a88e44_0006159650.tmp" /SL5="$60302,5666415,214528,c:\users\user\downloads\cd526ab1a8cac6534a246050d8dd777b01a88e44_0006159650"
- jview.exe /cp:p "C:\Users\Hxejqwsr\AppData\Local\Temp\temp0.jar
- open http://www.java.com
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.java.com/