Backdoor.Win32.Agent.ddao (file analysis)

Backdoor.Win32.Agent.ddao is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware
Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows a complete scan and cleanup of your PC during the trial period.
6-day free trial available.

What can the Backdoor.Win32.Agent.ddao virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Anomalous file deletion behavior detected (10+)
  • Guard pages use detected – possible anti-debugging.
  • Dynamic (imported) function loading detected
  • Starts servers listening on 127.0.0.2:22
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventional language used in binary resources: Russian
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • A scripting utility was executed
  • Behavioural detection: Injection (inter-process)
  • Installs itself for autorun at Windows startup
  • A script process created a new process
  • Operates on local firewall’s policies and settings
  • Anomalous binary characteristics

How to identify Backdoor.Win32.Agent.ddao?

File Info:

name: C8260AB9D73119A02363.mlw
path: /opt/CAPEv2/storage/binaries/42373aace7ee14a602471e83159e8be3fbd518d4d949281ab0c2bd1a17763dcc
crc32: B6DA7FFF
md5: c8260ab9d73119a023634d0436d71aee
sha1: d23019dc8f21e6db319256e0dbe114e3b623343d
sha256: 42373aace7ee14a602471e83159e8be3fbd518d4d949281ab0c2bd1a17763dcc
sha512: 748df08b8e01b3c7ef85889f3891e27b6d1a4d53412d13d7591800d8540a42e9fb4fc46376dea47c3506a0b935d36f9ed2a8a771996cf640ca46c4e67195c8a3
ssdeep: 6144:4zG8nriOnW/rGgGp5AErxNN5Kt5f+yUgKrHNp3OikVBdvUikJrNoQkeHL4EM4fCC:s1DYrCT954TLUierNo5ertLb
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T19484F222B2808977C0101F789C07D6B4E936BB251F7C52C737DE6F5E4DE72861A1A2B6
sha3_384: b1baae546096201b5adf3a7471354b9b06c50f12d20d0c46282463d1f34bb0e212a4b908240a4010ae56bdcabc960aa4
ep_bytes: 558bec83c4f0b8187d4100e8f0aafeff
timestamp: 1992-06-19 22:22:17

Version Info:

Comments:
CompanyName: USE
FileDescription: use 2.1.0.0 Installation
FileVersion: 2.1.0.0
LegalCopyright: USE
Translation: 0x0409 0x04e4

Backdoor.Win32.Agent.ddao also known as:

MicroWorld-eScan: Trojan.GenericKD.37585848
FireEye: Trojan.GenericKD.37585848
McAfee: Artemis!C8260AB9D731
Cylance: Unsafe
Sangfor: Backdoor.Win32.Agent.ddao
K7AntiVirus: Unwanted-Program ( 004d29451 )
K7GW: Unwanted-Program ( 004d29451 )
Cybereason: malicious.c8f21e
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: multiple detections
APEX: Malicious
Paloalto: generic.ml
Kaspersky: Backdoor.Win32.Agent.ddao
BitDefender: Trojan.GenericKD.37585848
NANO-Antivirus: Riskware.Win32.Agent.csjwxp
Avast: Win32:Malware-gen
Tencent: Trojan.Win32.BitCoinMiner.la
Ad-Aware: Trojan.GenericKD.37585848
Sophos: Mal/Generic-S
Comodo: Malware@#3tjgj8i6f480y
DrWeb: Trojan.DownLoader10.27472
TrendMicro: TROJ_GEN.R002C0PIL21
McAfee-GW-Edition: GenericRXDJ-FQ!5AA4D2AD9BF6
Emsisoft: Trojan.GenericKD.37585848 (B)
GData: Trojan.GenericKD.37585848
Avira: HEUR/AGEN.1102772
Antiy-AVL: Trojan/Generic.ASMalwS.1BDD70C
Kingsoft: Win32.Hack.Agent.dd.(kcloud)
Arcabit: Trojan.Generic.D23D83B8
Microsoft: Trojan:Win32/Wacatac.B!ml
Cynet: Malicious (score: 99)
ALYac: Trojan.GenericKD.37585848
MAX: malware (ai score=99)
VBA32: BScope.Trojan.Keylogger
TrendMicro-HouseCall: TROJ_GEN.R002C0PIL21
Yandex: Backdoor.Agent!0j6SWD1Ky60
Ikarus: Trojan.VBS.Agent
MaxSecure: Trojan.Malware.300983.susgen
Webroot: W32.Malware.Gen
AVG: Win32:Malware-gen
Panda: Trj/CI.A

How to remove Backdoor.Win32.Agent.ddao?

Backdoor.Win32.Agent.ddao removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.