Win32/Agent.XRR

Category trojan
Size 64512 B
Aliases Trojan.Inject2.57861 (Dr.Web)
  Trojan:Win32/Ruandmel.A!bit (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation
When executed, the trojan copies itself into the following location:

  • %appdata%\Win Defender.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Defender " = "%appdata%\Win Defender.exe"

After the installation is complete, the trojan deletes the original executable file.
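A read-only host triage check for the installation artifacts listed above (the Run-key value, its trailing space included, and the dropped file in %appdata%). This is an added example, not part of the ESET entry; it assumes Windows PowerShell 5.1 or later and only reports, it does not remediate.

```powershell
# Added triage check (not from the ESET entry): looks for the persistence
# artifacts this page documents. Read-only; reports findings, changes nothing.
function Test-AgentXrrPersistence {
    [CmdletBinding()]
    param()

    $runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'Windows Defender '                    # trailing space, as documented
    $dropPath  = Join-Path $env:APPDATA 'Win Defender.exe'
    $findings  = @()

    # 1. Run-key value with exactly the documented name.
    $runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($runValues -and $runValues.PSObject.Properties[$valueName]) {
        $findings += [pscustomobject]@{
            Indicator = 'Run key value'
            Detail    = "$runKey\$valueName = $($runValues.$valueName)"
        }
    }

    # 2. Any other Run value that points at the documented drop path.
    if ($runValues) {
        foreach ($p in $runValues.PSObject.Properties) {
            if ($p.Name -ne $valueName -and $p.Value -is [string] -and
                $p.Value -like '*Win Defender.exe*') {
                $findings += [pscustomobject]@{
                    Indicator = 'Run key value (other name)'
                    Detail    = "$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # 3. The dropped executable; the page gives a 64512-byte sample size.
    if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
        $size = (Get-Item -LiteralPath $dropPath).Length
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file'
            Detail    = "$dropPath ($size bytes; documented sample size 64512)"
        }
    }

    return $findings
}

$hits = Test-AgentXrrPersistence
if ($hits) { $hits | Format-Table -AutoSize }
else       { 'No Win32/Agent.XRR persistence artifacts found.' }
```

Because the entry also says the trojan hooks NtQueryDirectoryFile and NtCreateFile to hide its presence, a file that appears absent on a live host is not proof of absence; the Run-key finding and an offline scan are the more reliable signals.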

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan launches the following processes:

  • explorer.exe

The trojan creates and runs a new thread with its own code within these running processes.

The trojan can create and run a new thread with its own program code within the following processes:

  • explorer.exe
  • wininit.exe
  • csrss.exe
  • lsass.exe

Information stealing

Win32/Agent.XRR is a trojan that steals sensitive information.

The trojan collects the following information:

  • CPU information
  • operating system version
  • information about the operating system and system settings
  • user name
  • computer name
  • the path to specific folders
  • BIOS version
  • current screen resolution
  • amount of operating memory
  • installed antivirus software
  • Microsoft .NET framework version
  • screenshots

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • send gathered information

The trojan hides its presence in the system.

The trojan hooks the following Windows APIs:

  • NtQueryDirectoryFile (ntdll.dll)
  • NtCreateFile (ntdll.dll)
