Trojan.Downloader.Gen.BT
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 5,744 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 32 |
| First Seen: | November 25, 2025 |
| Last Seen: | June 9, 2026 |
| OS(es) Affected: | Windows |
Table of Contents
Analysis Report
General information
| Family Name: | Trojan.Downloader.Gen.BT |
|---|---|
| Signature status: | Hash Mismatch |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
42ea18bc1cfaeffd21906b105c02c2d7
SHA1:
2e05dbfe3b9795efa78bc92c7c02d7344934039c
SHA256:
8A9206AF449DEB8172A9B5A3AC3FB7309ABF96008FB10E4A38A2DF41BAC4EB98
File Size:
571.39 KB, 571392 bytes
|
|
MD5:
24cd2eb3fc697b07958a97758f63dd46
SHA1:
71c4e3a40d6daa9d7765dfcda3e2cadfb7cd7746
SHA256:
950E98B266DC742CB75D3EABBFA3F9A4D4E3D2324A997063FD7FA071E029D171
File Size:
2.09 MB, 2088448 bytes
|
|
MD5:
7ba1ac932014398d448d659389ff34ac
SHA1:
2fb9db7a2006eab33ded19e3ffff7df997ecb71d
SHA256:
6AC5E5CDA864C7F1F047688CE454DEF266A69233489537BA50AC0E161FFA820B
File Size:
1.12 MB, 1120256 bytes
|
|
MD5:
54d4820d39a9cd5fd08201d87f9d9eec
SHA1:
d7a243e6cfd6f43d33231e5f92421ea30374e5cd
SHA256:
D4094DBA34EA2CD29B589360A7D3341E273F147A9D8D47B883BD6748DE56D6D1
File Size:
4.21 MB, 4208200 bytes
|
|
MD5:
6a6343cd115ae081d53b8700131a84ba
SHA1:
a5e0690a5471c95951bdde1c9745c39400848b3a
SHA256:
A1D1CC87E40AE0903AEBD2D8E018FBA9300C3EA332029547FFF8AA4C1FA1FDE2
File Size:
483.05 KB, 483048 bytes
|
Show More
|
MD5:
aa81b50131b8810b5fae7f8a3c116612
SHA1:
34dab93367b241c45055dca9f55e24863a13f0ea
SHA256:
7CB0044D729A6C39D230136A26C4F6243EB0BC190AA1C955B02F7753CF498384
File Size:
928.02 KB, 928016 bytes
|
|
MD5:
2d5cc5ffd4588d8b245c750c1ebec7bf
SHA1:
3c76c7260c719915c4cc6b2f579881d8d056a3f2
SHA256:
BDF8BCA0CBEA8B37750C819B086BD9E633C16AF434191FB9E738F9E5F0C708AC
File Size:
1.57 MB, 1573648 bytes
|
|
MD5:
6c48daca656ba6e43da930a8d9d7a2b2
SHA1:
63fa6104ff0dee981e0bc5c2874467b93ed24a3c
SHA256:
C4D10A5EE555A59794B29FD1E8574C841E35E394F26A697D6FC733F14F2FCF7F
File Size:
1.19 MB, 1187328 bytes
|
|
MD5:
5afaf0db18a2e117e0d2a0032c9b58ef
SHA1:
d1a27521e592e8744fa363caaec007f1e1e498db
SHA256:
E919039B5DCD0DD9A7A8A0AB2292CF721F99CC6EA9F97A285FBE455AE8E64057
File Size:
5.65 MB, 5651104 bytes
|
|
MD5:
802cc75d36fe0e81c8745bf6d7ef0eb2
SHA1:
c28e98047d0bf8fc7de2095d10adb428d5fa1407
SHA256:
A79B661A9C9F562179790CB954F3818200E004A639DBE10F7B7A9570A3D3A1AB
File Size:
4.68 MB, 4675776 bytes
|
|
MD5:
b4830179c49fb6f010f5f2082c66755e
SHA1:
43612e2dd52fd9a96d346619a1f921f62294e0f2
SHA256:
564322B86996B40D2CCAE9F68D09234A0B81271DEB7A456B6F2D9982ABED5E12
File Size:
3.65 MB, 3647008 bytes
|
|
MD5:
df00d944c138c8193329a0a98dc2d3e9
SHA1:
5dd9ecfc8d1e8a21e1d46138a041ed9eedf2f39f
SHA256:
C00640CC14FCFF47AC94631050B5A7BF9E164CAE4CFA4BCE450BE41AF665B6F7
File Size:
2.61 MB, 2613792 bytes
|
|
MD5:
4ed790a6f40d95352ae745138ee63507
SHA1:
e1ebb66cca582dd6246bdace40fbfe67de1cea36
SHA256:
6E95CC91D29FC96925D24981BDFCC525FD410B88DE5CA79C419DB02D9D9F578B
File Size:
406.91 KB, 406912 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
Show More
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Company Name |
|
| Compile Date | Wednesday, August 04, 2010 4:34 PM |
| File Description |
Show More
|
| File Version |
Show More
|
| Internal Name |
Show More
|
| Legal Copyright |
|
| Legal Trademarks1 | Microsoft® is a registered trademark of Microsoft Corporation. |
| Legal Trademarks2 | Windows® is a registered trademark of Microsoft Corporation. |
| Original Filename |
Show More
|
| Product Name |
Show More
|
| Product Version |
Show More
|
| Revision | 123 |
| Special Build | 0 |
Digital Signatures
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.| Signer | Root | Status |
|---|---|---|
| Python Software Foundation | DigiCert SHA2 Assured ID Code Signing CA | Hash Mismatch |
| Corel Corporation | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Tenorshare Co., Ltd. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Wondershare Technology Group Co.,Ltd | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Corel Corporation | DigiCert Trusted Root G4 | Hash Mismatch |
Show More
| Tenorshare Co., Ltd. | DigiCert Trusted Root G4 | Hash Mismatch |
| Wondershare Technology Group Co.,Ltd | DigiCert Trusted Root G4 | Hash Mismatch |
| Zoom Communications, Inc. | DigiCert Trusted Root G4 | Hash Mismatch |
| Microsoft Corporation | Microsoft Code Signing PCA | Hash Mismatch |
| Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| Microsoft Windows Software Compatibility Publisher | Microsoft Windows Third Party Component CA 2013 | Hash Mismatch |
File Traits
- dll
- fptable
- HighEntropy
- Installer Version
- WriteProcessMemory
- x64
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 1,242 |
|---|---|
| Potentially Malicious Blocks: | 9 |
| Whitelisted Blocks: | 1,078 |
| Unknown Blocks: | 155 |
Visual Map
x
x
?
x
x
?
?
?
?
?
?
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
?
0
0
0
?
0
0
0
0
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
x
0
0
0
?
0
?
?
?
0
0
?
0
?
0
?
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
0
0
0
0
?
0
0
0
0
0
0
?
?
?
0
0
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
?
0
?
?
0
0
?
0
?
0
0
?
0
0
?
?
0
?
0
?
?
0
?
?
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
?
0
0
?
0
x
?
0
0
?
0
0
?
0
?
0
?
0
x
0
0
0
0
0
?
?
x
?
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Agent.HFG
- Agent.ZFX
- Injector.JV
- Lactrodectus.A
- PC Accelerator.B
Show More
- Rugmi.FL
- Rugmi.FM
- Rugmi.KO
- Rugmi.NO
- Rugmi.TB
- Stealer.OBC
- Trojan.Downloader.Gen.BT
- Trojan.Downloader.Gen.BY
- Trojan.Downloader.Gen.DE
- Trojan.Downloader.Gen.G
- Trojan.Downloader.Gen.KD
- Trojan.Downloader.Gen.LZ
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|
