Trojan.Downloader.Agent.BTH
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
- Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
- Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
- Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| Popularity Rank: | 5,326 |
|---|---|
| Threat Level: | 80% (High) |
| Infected Computers: | 209 |
| First Seen: | August 21, 2023 |
| Last Seen: | February 27, 2026 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Trojan.Downloader.Agent.BTH |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | Atooi LLC |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
File Traits
- 2+ executable sections
- big overlay
- dll
- fptable
- HighEntropy
- imgui
- No Version Info
- ntdll
- VirtualQueryEx
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 1,843 |
|---|---|
| Potentially Malicious Blocks: | 30 |
| Whitelisted Blocks: | 1,392 |
| Unknown Blocks: | 421 |
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| \device\harddisk0\dr0 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | 104 additional items are not displayed above. |