Trojan.Downloader.Agent.BT
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
- Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
- Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
- Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 80 % (High) |
|---|---|
| Infected Computers: | 41 |
| First Seen: | June 22, 2021 |
| Last Seen: | December 12, 2025 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Trojan.Downloader.Agent.BT |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | Cherax |
| File Description | Cherax Loader |
| File Version | 1.0.0.1585 |
| Internal Name | Cherax.exe |
| Legal Copyright | Copyright (C) 2019 - 2023 |
| Original Filename | Cherax.exe |
| Product Name | Cherax Loader |
| Product Version | 1.0.0.1585 |
File Traits
- 2+ executable sections
- Discord
- GetConsoleWindow
- HighEntropy
- imgui
- No Version Info
- ntdll
- VirtualQueryEx
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 3,523 |
|---|---|
| Potentially Malicious Blocks: | 313 |
| Whitelisted Blocks: | 3,071 |
| Unknown Blocks: | 139 |
Visual Map
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.GBG
- Agent.WG
- Downloader.Agent.BTF
- Gamehack.AEEB
- Injector.KFSC
- Kryptik.FSJ
- Kryptik.KBBI
- Trojan.Agent.Gen.RD
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe\menuinjectiondata | Generic Write |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |