Malware

What is “Win32/Agent.RLQ”?

Malware Removal

The Win32/Agent.RLQ is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Win32/Agent.RLQ virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Attempts to connect to a dead IP:Port (1 unique times)
  • Sample contains Overlay data
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Dynamic (imported) function loading detected
  • Unconventionial language used in binary resources: Russian
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • A process attempted to delay the analysis task by a long amount of time.
  • Collects and encrypts information about the computer likely to send to C2 server
  • Installs itself for autorun at Windows startup
  • Collects information about installed applications
  • Attempts to create or modify a Browser Helper Object
  • Attempts to modify proxy settings
  • Attempts to modify browser security settings
  • Harvests cookies for information gathering
  • Harvests information related to installed mail clients
  • Attempts to interact with an Alternate Data Stream (ADS)
  • Uses suspicious command line tools or Windows utilities

How to determine Win32/Agent.RLQ?



File Info:

name: 7D260A30438727CBB7CD.mlw
path: /opt/CAPEv2/storage/binaries/776cee20224d5a3aa38f94390ccf4efc1522d6f0a64bb8b33c57ad5eac29d619
crc32: DA75CFD9
md5: 7d260a30438727cbb7cdbc938929eb97
sha1: 090198537327e47d260e537100c6691e66bc97ba
sha256: 776cee20224d5a3aa38f94390ccf4efc1522d6f0a64bb8b33c57ad5eac29d619
sha512: fec952e149cd2873b5a390063c9e592a6e9966872cee6baaf172b306d6a51439dc3c7e18ae46c40fb70d1dc521c63e855ad7f09f4c3115e498a8369a878cb1dc
ssdeep: 3072:vxAHNZL/I+/9yajam+oz4cDh4+O1qAFLRgTJWq5Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0L:JkPLAmDjlvEoAFLRW/
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T115D69546AAD02C89CF46F2F095A6CFA0AB77A4344AD5D97F07D007E94BA3276CD43718
sha3_384: e59ccc23bd30c9044d6acc34697da296a1432f25a0f7bc0c144e42507495f53a7daa09742dd0ec03b4f5761910d64956
ep_bytes: e8d32e0000e916feffff6a0c6888ed41
timestamp: 2010-04-05 14:48:51


Version Info:

CompanyName: Intel NGO
FileDescription: Intel Motherboard Service
FileVersion: 6, 5, 1, 1
InternalName: Intel NGO
LegalCopyright: Copyright (C) 2007
LegalTrademarks: Intel Corp.
OriginalFilename: NGO
ProductName: NGO
ProductVersion: 6, 5, 0, 0
Translation: 0x0409 0x04b0

Win32/Agent.RLQ also known as:

BkavW32.AIDetect.malware2
Elasticmalicious (high confidence)
MicroWorld-eScanGen:Heur.Mint.SP.Dropper.2
FireEyeGeneric.mg.7d260a30438727cb
CAT-QuickHealTrojan.Dynamer.26147
McAfeeGenericRXAP-DT!7D260A304387
CylanceUnsafe
VIPREGen:Heur.Mint.SP.Dropper.2
Sangfor[ARMADILLO V1.71]
K7AntiVirusTrojan ( 0012e7911 )
BitDefenderGen:Heur.Mint.SP.Dropper.2
K7GWTrojan ( 0012e7911 )
CrowdStrikewin/malicious_confidence_100% (W)
BitDefenderThetaGen:NN.ZexaF.34806.@t3@aKBgkgfc
CyrenW32/S-8813ac4f!Eldorado
SymantecSMG.Heur!gen
tehtrisGeneric.Malware
ESET-NOD32a variant of Win32/Agent.RLQ
ClamAVWin.Trojan.Zusy-9876296-0
KasperskyTrojan.Win32.Scar.okvf
NANO-AntivirusTrojan.Win32.Vilsel.enyyry
TencentTrojan.Win32.Scar.e
Ad-AwareGen:Heur.Mint.SP.Dropper.2
EmsisoftGen:Heur.Mint.SP.Dropper.2 (B)
ComodoTrojWare.Win32.PWS.Sapbexts.BA@81fcr4
DrWebTrojan.DownLoader24.19336
McAfee-GW-EditionBehavesLike.Win32.Injector.rz
Trapminemalicious.high.ml.score
SophosML/PE-A + Troj/Wonton-TU
APEXMalicious
JiangminTrojan/Vilsel.fuq
AviraTR/Spy.Gen
Antiy-AVLTrojan/Generic.ASMalwS.76
MicrosoftPWS:Win32/Zbot!ml
ZoneAlarmTrojan.Win32.Scar.okvf
GDataGen:Heur.Mint.SP.Dropper.2
CynetMalicious (score: 100)
AhnLab-V3Trojan/Win32.Vilsel.R183675
VBA32BScope.Trojan-Dropper.2573
ALYacGen:Heur.Mint.SP.Dropper.2
MAXmalware (ai score=83)
MalwarebytesTrojan.Dropper
RisingTrojan.Agent!1.A806 (CLASSIC)
SentinelOneStatic AI – Malicious PE
FortinetW32/Generic.AC.361B36!tr
AVGWin32:Malware-gen
Cybereasonmalicious.043872
AvastWin32:Malware-gen

How to remove Win32/Agent.RLQ?

Win32/Agent.RLQ removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment