Agentb

Category: trojan · Aliases: Trojan.AgentB, Win32/Agent.B, Malware.AgentB · Sample count (EMBER 2018): 449 · Enrichment: documented_reference_only · Updated: 2026-07-02T09:03:09Z

Overview

Executive Summary

AgentB (often detected as Trojan.AgentB or Win32/Agent.B) is a broad, generic classification used by antivirus engines to identify a file exhibiting highly suspicious, Trojan-like behaviors. The "Agent" classification indicates that the security software has flagged the executable based on heuristic analysis of its actions rather than a specific, known malware signature, suggesting the presence of a potentially obfuscated threat acting as a backdoor, downloader, or info-stealer.

Infection Vector and Technical Capabilities

Because this is a generic heuristic detection, the infection vector can vary wildly. It could be an obfuscated attachment in a spear-phishing email, a payload dropped by an exploit kit, or a zero-day threat that has not yet been formally analyzed and named by security researchers. Files flagged as Trojan.AgentB typically exhibit red-flag behaviors indicative of an active compromise:

Threat Assessment

A generic Trojan.AgentB detection must be treated with high severity. Because the exact nature of the payload is unknown, it could range from a relatively benign adware dropper to the initial stage of a catastrophic enterprise ransomware deployment.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1055 T1059 T1105

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_AGENTB {
    meta:
        description = "Detects Agentb (trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "agentb" ascii wide nocase
        $s2 = "trojan.agentb" ascii wide nocase
        $s3 = "win32/agent.b" ascii wide nocase
        $s4 = "malware.agentb" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Agentb Activity
id: 1ae84f586f85740fb9c6539375aba570
status: experimental
description: Detects generic indicators of the agentb malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*agentb*"
            - "*trojan.agentb*"
            - "*win32/agent.b*"
            - "*malware.agentb*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about agentb?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/agentb.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.