Trojan.Agent.DOCS removal guide

Trojan.Agent.DOCS is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the Trojan.Agent.DOCS virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Attempts to connect to a dead IP:Port (1 unique times)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Starts servers listening on 127.0.0.1:0
  • Reads data out of its own binary image
  • Access the NetLogon registry key, potentially used for discovery or tampering
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Created a process from a suspicious location
  • CAPE detected the IcedID malware family

How to identify Trojan.Agent.DOCS?

File Info:

name: FBAFA4E5B16ADF5BB6A8.mlw
path: /opt/CAPEv2/storage/binaries/01b6837f29887c4e3232762655325b768998cc91798bf304793efd7c26cd64b7
crc32: 9D1056CF
md5: fbafa4e5b16adf5bb6a816117a9267f0
sha1: b821c74ff043cfb8b1c7f3d4a8253b248798a533
sha256: 01b6837f29887c4e3232762655325b768998cc91798bf304793efd7c26cd64b7
sha512: 5837f175af8de3662739ac19aeb7a6194f6ac7fd6afc15bb35015221f5aba1dc9a3a169bee37c3a6a1276be50120864faf9ffdfbdb997b9a0c6c823c65da7181
ssdeep: 6144:8Y+DH+ouOJsdmuVjdzAPfXIz9r+wVobcyMBo2DJwbS:B+DH+ouOJsdmuVjZQJcvJDsS
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1B7A4E71BD564FD0AD99284F02C3C54BD1E2DAC338094AD8B36C4BD2925739A3E5B672F
sha3_384: afd2a105e42b7015951c19f284f00e695811aaf09ab13aaac70920b774fe1d36b26eaf8a5a7052cf800f8b83890d5d30
ep_bytes: 6818474000e8f0ffffff000000000000
timestamp: 2019-01-21 13:46:03

Version Info:

Translation: 0x0409 0x04b0
CompanyName:
FileDescription: Consultis Technology
LegalCopyright: Consultis Technology
LegalTrademarks: Consultis Technology
ProductName: Consultis Technology
FileVersion: 1.00
ProductVersion: 1.00
InternalName: Contactor
OriginalFilename: Contactor.exe

Trojan.Agent.DOCS also known as:

Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.Agent.DOCS
FireEye: Generic.mg.fbafa4e5b16adf5b
McAfee: Trojan-FQOR!FBAFA4E5B16A
Cylance: Unsafe
CrowdStrike: win/malicious_confidence_100% (W)
Alibaba: TrojanBanker:Win32/IcedID.6e1b0756
K7GW: Trojan ( 005462c91 )
K7AntiVirus: Trojan ( 005462c91 )
VirIT: Trojan.Win32.Banker.BGH
Cyren: W32/S-152931f3!Eldorado
Symantec: Packed.Generic.558
ESET-NOD32: a variant of Win32/Injector.EDDA
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Malware.Docs-6842028-0
Kaspersky: Trojan-Banker.Win32.IcedID.tohd
BitDefender: Trojan.Agent.DOCS
NANO-Antivirus: Trojan.Win32.Inject3.fmhcon
SUPERAntiSpyware: Trojan.Agent/Gen-IcedID
Avast: Win32:Malware-gen
Tencent: Malware.Win32.Gencirc.10b257c3
Ad-Aware: Trojan.Agent.DOCS
Emsisoft: Trojan.Agent.DOCS (B)
Comodo: TrojWare.Win32.IcedID.EDDA@81f8zw
DrWeb: Trojan.Inject3.12298
Zillya: Trojan.IcedId.Win32.439
McAfee-GW-Edition: BehavesLike.Win32.Shadebot.gh
Sophos: Mal/Generic-S
Jiangmin: Trojan.Banker.IcedID.fj
Avira: HEUR/AGEN.1239523
MAX: malware (ai score=82)
Microsoft: PWS:Win32/Zbot!ml
GData: Trojan.Agent.DOCS
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.IcedID.R253002
BitDefenderTheta: Gen:NN.ZevbaF.34638.Dm0@aS0Qzew
ALYac: Trojan.Agent.DOCS
TACHYON: Banker/W32.VB-IcedID.479232
VBA32: BScope.Trojan.Inject
Malwarebytes: Trojan.IcedID
Rising: Trojan.Injector!8.C4 (CLOUD)
Yandex: Trojan.GenAsa!4GGO05TS0GY
Ikarus: Trojan.Win32.Krypt
MaxSecure: Banker.IcedID.tohd
Fortinet: W32/GenKryptik.CXGL!tr
AVG: Win32:Malware-gen
Cybereason: malicious.5b16ad
Panda: Trj/Genetic.gen

How to remove Trojan.Agent.DOCS?

Trojan.Agent.DOCS removal tool

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Choose “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.