Trojan.Downloader.Agent.T
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
- Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
- Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
- Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 2,195 |
|---|---|
| Threat Level: | 80 % (High) |
| Infected Computers: | 440 |
| First Seen: | January 23, 2013 |
| Last Seen: | February 10, 2026 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Trojan.Downloader.Agent.T |
|---|---|
| Packers: | UPX |
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.
| Signer | Root | Status |
|---|---|---|
| Future Technology Devices International Ltd | Class 3 Public Primary Certification Authority | Hash Mismatch |
File Traits
- $Id: UPX
- .UPX
- 2+ executable sections
- big overlay
- HighEntropy
- No Version Info
- packed
- upx
- UPX!
- WinZip SFX
- x86
- ZIP (In Overlay)
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Downloader.Agent.T
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe\srvsvc | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00005fb4_rar\c535a20293268bd9d3ee6a9672eee4f9dd089bb9_0002010485 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00005fb4_rar\c535a20293268bd9d3ee6a9672eee4f9dd089bb9_0002010485 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\00013eaa_rar\c457417a9fdc181d4e3950bf3e846747233c890e_0002012408 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00013eaa_rar\c457417a9fdc181d4e3950bf3e846747233c890e_0002012408 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\fe206b.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe30bc.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe3eda.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe4443.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe5d51.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe6041.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe6182.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe6571.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe690.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe7148.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe8001.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe8fa0.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fea6f9.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fea87f.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\febc40.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fec2a6.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fec6cb.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fecf64.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fed4b7.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fedde4.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fede38.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fedf70.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fefe14.tmp | Generic Write,Read Attributes |
| c:\windows\system.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::antivirusoverride | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::firewalloverride | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::uacdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows\currentversion\policies\system::enablelua | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications | | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::1919251317 | Û | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::-456464662 | | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::1462786655 | | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::-912929324 | # | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::1006321993 | é | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::-1369393986 | http://affiliate.free.rongrean.com/logo.gif http://demo.mosiva | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::549857331 | | RegNtPreCreateKey |
| HKCU\software\apcr::u1_0 | 鱞댶 | RegNtPreCreateKey |
| HKCU\software\apcr::u2_0 | ⏑ | RegNtPreCreateKey |
| HKCU\software\apcr::u3_0 | 権ă | RegNtPreCreateKey |
| HKCU\software\apcr::u4_0 | | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::1919251317 | Ù | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::1006321993 | ƒ | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::-1369393986 | http://erenkarahan.com/images/logo.gif http://gutekpl.za.pl/lo | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::549857331 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Anti Debug | |
| User Data Access | |
| Other Suspicious | |