Win32/Agent.ZIL [Threat Name] go to Threat

Win32/Agent.ZIL [Threat Variant Name]

Category	trojan
Size	438272 B
Detection created	Dec 14, 2017
Detection database version	16574
Aliases	Trojan-Dropper.Win32.Scrop.kjv (Kaspersky)
	W32.Mandaph (Symantec)
	TR/Drop.Scrop.hctah (Avira)

The trojan serves as a proxy server. The trojan is usually a part of other malware.

The trojan searches for files stored in the following folders:

The trojan copies itself to the following locations:

A string with variable content is used instead of %variable1-5% .

The file name of the newly created file is derived from the original file/folder name.

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable3%" = "%anyexistingfolder%\%variable1%\v%variable2%\%variable3%.exe"

The trojan creates the following file:

The file is a shortcut to a malicious file.

The trojan schedules a task that causes the following file to be executed repeatedly:

The trojan schedules a task that causes the following file to be executed repeatedly:

This causes the trojan to be executed on every system start.

The trojan executes the following files:

The trojan creates and runs a new thread with its own code within these running processes.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (4) URLs. The HTTP protocol is used in the communication.

The trojan serves as a proxy server.

The trojan hooks the following Windows APIs: